California data privacy law From Wikipedia, the free encyclopedia
The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of the state of California in the United States. The bill was passed by the California State Legislature and signed into law by the Governor of California, Jerry Brown, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code.[2] Officially called AB-375, the act was introduced by Ed Chau, member of the California State Assembly, and State Senator Robert Hertzberg.[3][4]
California Consumer Privacy Act | |
---|---|
California State Legislature | |
Full name | California Consumer Privacy Act of 2018[1] |
Introduced | January 3, 2018 |
Signed into law | June 28, 2018 |
Governor | Jerry Brown |
Code | California Civil Code |
Section | 1798.100 |
Resolution | AB-375 (2017–2018 Session) |
Website | Assembly Bill No. 375 |
Status | Current legislation |
Amendments to the CCPA, in the form of Senate Bill 1121, were passed on September 13, 2018.[5][6] Additional substantive amendments were signed into law on October 11, 2019.[7] The CCPA became effective on January 1, 2020.[8] In November 2020, California voters passed Proposition 24, also known as the California Privacy Rights Act, which amends and expands the CCPA.[9]
The intentions of the Act are to provide California residents with the right to:
The CCPA applies to any business, including any for-profit entity that collects consumers' personal data, does business in California, and satisfies at least one of the following thresholds:
Organizations are required to "implement and maintain reasonable security procedures and practices" in protecting consumer data.[13]
The businesses that the CCPA refers to do not need to be physically present in California. As long as a business is active in the state and meets the requirements, it is considered to be subject to the CCPA. This includes transactions done on the Internet. In comparison to other privacy laws like the GDPR, the CCPA lacks clarity about its geographic range.[14]
The following sanctions and remedies can be imposed:
The CCPA differs from the Virginia Consumer Data Protection Act in that the former provides a private right of action, whereas the latter is enforced by the Attorney General's office.[21]
CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, license plate number, passport number, or other similar identifiers.[2]
An additional caveat covers information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, their name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.[22]
It does not consider Publicly Available Information as personal.[23]
Key differences between the CCPA and the European Union's General Data Protection Regulation (GDPR) include the scope and territorial reach of each, definitions related to protected information, levels of specificity, and an opt-out right for sales of personal information.[24] The CCPA's definition of personal information differs from the GDPR's in that, in some cases, the CCPA only considers data that was provided by a consumer. The GDPR does not make that distinction and covers all personal data regardless of source. In the event of sensitive personal information, this does not apply if the information was manifestly made public by the data subject themselves, following the exception under Art. 9(2)(e). As such, the definition in the GDPR is much broader than the one in the CCPA.[25][26][27]
Personal data can also include online or social media profile information. Personal data is not limited to a number or a physical document but can also be online identities, accounts, and other personal information.
The California Consumer Privacy Act of 2018 was originally proposed as a ballot proposition by a privacy group known as Californians for Consumer Privacy.[28] The California DOJ approved the initiative's official language on December 18, 2017, allowing the group to begin collecting signatures.[29] In June 2018, the proponents gathered enough signatures to qualify the CCPA initiative for the November 2018 election.[30] In California, the state legislature cannot repeal or amend a ballot proposition once it is passed by voters.[31] In response to the CCPA ballot proposition, state legislators negotiated with Californians for Consumer Privacy to pass a less restrictive version of the CCPA in exchange for the withdrawal of the ballot proposition.[32]
The CCPA was passed by the state legislature and signed by Gov. Brown on June 28, 2018; it became effective on January 1, 2020.[33][34] The act's effect was dependent upon the withdrawal of initiative 17–0039, the Consumer Right to Privacy Act.[35] Five amendments were enacted and signed by Gov. Newsom on October 11, 2019.[36] Notice of DOJ's proposed regulations was also published October 11 in the Z Register; as of January 10, 2020, the OAL had not yet filed the final regulations with the Secretary of State, as required for the regulations to become effective.[36][37]
The California Privacy Rights Act of 2020 proposed several changes to the CCPA.[38] The Act, also known as 2020 California Proposition 24, expands existing data privacy laws by allowing consumers greater control of their personal data and establishing the California Privacy Protection Agency.[39] It passed, with a majority of voters approving the measure.[40]
A major exemption from the CCPA covers personal health information (PHI).[41] Rather than being handled under the CCPA, PHI is expected to adhere to the Health Insurance Portability and Accountability Act, otherwise known as HIPAA.[41] If the business collecting the data is related to clinical trials, then it must adhere to the "Common Rule".[42]
For information gathered by financial institutions, the institutions follow the California Financial Information Privacy Act or the Gramm-Leach-Bliley Act, depending on the situation.[41][43]