California Consumer Privacy Act (CCPA)

The CCPA applies to for-profit businesses operating in California (like limited liability companies, corporations, sole proprietorships, or other legal entities) that meet this criteria:

• Make over $25 million in yearly gross revenue.
• Annually obtain, share, sell, or receive the personal information of over 50,000 California residents.
• Earn 50% or more of their annual revenue from selling consumers’ personal information.

Nonprofit organizations and government agencies are not required to follow the CCPA. In general, the CCPA has several exceptions to its rules, including:

• Legal or conflicts of laws matters, such as adhering to other laws, defending legal claims, or cooperating with law enforcement.
• Compliance with other specific privacy or data protection laws, such as HIPAA.
• Common business needs, such as selling personal information during a merger or acquisition.
• Jurisdictional concerns, for example, when all business activities occur entirely outside California or when a single transaction doesn’t retain personal information.

The main distinction between the CCPA and the California Privacy Rights Act (CPRA) lies in their scope. The CPRA broadens this right to cover the data businesses share and extends the period during which consumers can make such requests.

According to the CCPA, consumers can ask businesses for details about their personally identifiable information (PII) and the categories of PII collected and sold. While CCPA applies to organizations gathering personal information from over 50,000 consumers, CPRA extends to organizations collecting data from more than 100,000 consumers.

The CCPA shares similarities with the GDPR, but the main distinction lies in the approach to consent versus opting out. GDPR requires a legal basis (like consent) for data collection, while CCPA focuses on enabling users to opt out of personal information collection. GDPR protects any individual within the EU, whereas CCPA safeguards California residents.

The CCPA gives consumers various rights, such as:

• Being able to ask businesses to delete their personal information.
• Having control over the sale of their personal information.
• Being protected from discrimination for using their CCPA rights.
• Knowing how businesses collect, use, and share their personal information, including cases like getting personalized privacy notices or finding out the specific pieces of personal information the business has about them.