Data Protection Regulation United States

See Comparison

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is the first state-wide data privacy regulation that governs the processing and sale of personal information of California residents by the organizations. It came into force with effect from 1st of January 2020. It is the first of its kind and the most recent cookie law passed by the State of California in response to the increased role of personal data in business practices and privacy implications.

Scope [Section 1798.140(c)]

Section 1798.140(c) Businesses are obligated to take steps to comply with the consumers’ rights if the businesses collect personal information from California and do business in the state (whether or not they have a physical presence in California) if any of the following three additional thresholds apply: That is, the business:

  1. Has annual gross revenues in excess of twenty-five million dollars ($25,000,000); or
  2. Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  3. Derives 50% or more of its annual revenues from selling consumers’ personal information.

Personal Information [Section 1798.140 (o)]

1798.140 (o) Personal Information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The definition also includes other key components that may not be currently considered PI by most companies, including Personal identifiers, Commercial information, Biometric information, etc.

Data Subject Rights [Section 1798.100 – 1798.125]

Section 1798.100 – 1798.125 lists the 7 (seven) rights of consumers.

  1. Right to Know what personal information is collected.
  2. Right to Data Portability.
  3. Right to Delete, subject to certain exceptions.
  4. Right to Access personal information.
  5. Right to Know if Personal Information is Sold.
  6. Right to Opt Out of Sale.
  7. Right against discrimination.

Organizations are excepted to fulfill the consumer request within 45 days of identifiable consumer request.

Click here to know more about CCPA.

Introduction of CPRA

CPRA will replace CCPA on January 1, 2023. CPRA expands, modifies, and updates the existing rules to protect consumer privacy. Businesses should begin preparations as soon as possible to secure CPRA compliance, especially considering the set-up of the California Privacy Protection Agency and the removal of the cure period for regulatory actions. Click here, to know more about CPRA.