Mainstream news outlets have written extensively about the GDPR, so most people interested in online privacy are at least somewhat familiar with it. But what about the CCPA? What are the CCPA regulations, and who needs to comply with them?

What Is the CCPA?

The CCPA is a state statute, which means it only applies in the state of California, and not in the United States as a whole. It was passed by the California State Legislature and signed into law by then-Governor Jerry Brown in 2018. Several amendments were passed in 2018 and 2019, and the statute became effective at the beginning of 2020. Later that same year, the statute was additionally amended and expanded.

The CCPA primarily aims to protect consumers’ privacy, and sets strict rules that businesses have to follow. The statute applies only to California residents. As for businesses, the CCPA applies to any business that has a gross annual revenue of over $25 million, or has access to personal information belonging to more than 50,000 California residents, or derives more than half of its revenue from selling their personal information. It is important to note that it does not apply to non-profits and government agencies.

What Rights Are Granted Under the CCPA?

So, what privacy rights do California residents have under the CCPA? Thanks to this statute, anyone who lives in the Golden State has the right to know what information a business collects about them and how that information is being used. Moreover, all California residents have the right to non-discrimination, the right to delete the information that has been collected from them, and the right to opt-out of the sale of their personal information.

There are some caveats. A California resident does not have the right to sue a business for most CCPA violations. Businesses can only be sued if they suffer a data breach resulting in a California resident’s data being stolen. Even in this case, the resident has to prove that the business failed to protect their information. And in that scenario, certain restrictions still apply.

The Right to Know and the Right to Opt-Out

Under the CCPA, all California residents have the right to know what personal information businesses collect and share. This includes specifics in terms of how and through which methods the data is collected. Businesses, on the other hand, are required to provide this information to California residents free of charge.

Additionally, California residents have the right to submit a request to know, and businesses have an obligation to designate a minimum of two methods for a resident to submit their request. This can include website forms, email addresses, phone numbers, and so on. However, businesses have the right to reject this request under certain circumstances.

Likewise, thanks to the CCPA, all California residents have the right to “opt-out”, meaning they have the right to request that businesses stop selling their personal information. Though there are some exceptions, businesses are barred from selling a California resident’s personal information if they receive the request.

Businesses have certain obligations as well. They need to have a “Do Not Sell My Personal Information” link on their website, so that California residents can submit an opt-out request. And they need to offer at least two more methods for Californians to send their requests.

CCPA: A Step In the Right Direction

The CCPA is far from perfect, but it is definitely a step in the right direction. If a similar law were passed federally, American citizens would have relatively strong privacy rights, compared to the rest of the world.

And though you may not be able to fully protect your privacy until such a law is passed in the US or wherever you are, there are still ways to make your personal data essentially worthless to tech companies.