Attorney General Becerra Reminds Consumers of Data Privacy Rights Under the California Consumer Privacy Act
Statute took effect on January 1, 2020 and enforcement begins July 1, 2020
SACRAMENTO – California Attorney General Xavier Becerra today issued an alert reminding consumers of their data privacy rights under the California Consumer Privacy Act (CCPA). The CCPA, which went into effect this year, provides consumers with access to and control over their personal information. The Attorney General plans to begin enforcement of the CCPA starting July 1, 2020. Businesses subject to CCPA were required to begin complying with the law on January 1, 2020. Proposed final regulations under the CCPA were submitted to the California Office of Administrative Law on June 1, 2020 and are currently pending approval.
“Under the CCPA, Californians have the right to access and stop the sale of their personal data if they choose to exercise it,” said Attorney General Becerra. “As families continue to move their lives increasingly online, it is essential for Californians to know their privacy options. Our office is committed to enforcing the law starting July 1.”
Under the CCPA, California Consumers Generally Have the Following Rights:
- Right to Know – Consumers may request that a business tell them what specific personal information they have collected, shared or sold about them, and why it was collected, shared, or sold.
- Right to Delete — Consumers may request that a business delete personal information that the business collected from the consumer, subject to some exceptions.
- Right to Opt-Out — If a business sells their personal information, consumers may request that it stop doing so.
- Rights for Minors — A business cannot sell the personal information of minors under the age of 16 without their permission and, for children under 13, without parental consent.
- Right to Non-Discrimination — A business may not discriminate against consumers who exercise their rights under the CCPA.
How to Exercise your CCPA Rights:
All businesses that have a website must provide an online method to submit a request, such as an email address or online form. Businesses that do not operate exclusively online must also provide a toll-free phone number. Businesses may require that you verify your identity when making a request to access or delete your personal information to match you to their records and/or to prevent fraud.
Consumers can also refer to the California Data Broker Registry, which is posted on the Attorney General’s website at www.oag.ca.gov/data-brokers. The Registry lists businesses that collect and sell the personal information of a consumer to third parties. These data brokers are required to provide information on how consumers can opt-out of the sale or submit requests under the CCPA.
Businesses Subject to CCPA:
Not all businesses are subject to CCPA. A business is subject to CCPA if the business:
- Has gross annual revenue in excess of $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Non-profits and governments are not subject to the CCPA. Some businesses and service providers may also be exempt from certain provisions of the CCPA.
Consumers’ Private Right of Action in the Case of a Data Breach:
The CCPA gives consumers a limited right to sue a business for a data breach that was a result of a business’s failure to reasonably secure certain types of personal information. It does not give consumers the right to sue businesses for other violations of the CCPA. To report a violation of the CCPA to the Attorney General, consumers may submit a complaint online at www.oag.ca.gov/report.
For more information about the CCPA, including the text of the statute and the proposed final regulations, visit www.oag.ca.gov/ccpa.
A sharable graphic on how consumers can exercise their CCPA rights is available here.