The takeaways
- After passing its Consumer Privacy Act into law in January, the state of California has begun enforcing it against businesses that collect consumer data online.
- Similar to the European Union’s GDPR law, the CCPA allows online users to opt-out from the gathering, buying and selling of their information, as well as gain other protections.
- The law goes ahead despite calls to delay and clarify its regulatory powers from the Association of National Advertisers.
What happened?
On July 1, California began its enforcement of the California Consumer Privacy Act (CCPA), a new data privacy law granting more control over online data collection and usage to the state’s residents. The law originally went into effect on January 1 and allows online users to opt-out of data collection without facing discrimination for doing so. The enforcement begins before official approval is granted.
The Association of National Advertisers previously petitioned the state to delay the CCPA on grounds of disruption to businesses during the current pandemic, and also cited the legal and constitutional uncertainties surrounding it. Though California has been establishing the CCPA’s parameters since its passing, businesses have been subject to the law since January under a six month grace period granted by the state.
Attorney General Xavier Becerra submitted the CCPA’s proposed final regulations to the California Office of Administrative Law on June 1, 2020, which are currently pending approval. The final regulations are still pending approval by the California Office of Administrative Law. Becerra stated that “our office is committed to enforcing the law starting July 1.”
What are the effects?
The CCPA grants consumers various rights, such as the right to request the specific purposes a business has collected their personal data for, the right to have that information deleted on request, the right to opt-out and the right to non-discrimination. Businesses are also prohibited from selling the personal information of minors under the age of 16 without express permission, or children under 13 without parental consent.
The CCPA applies to businesses that gross revenues of $25 million annually, purchase, collect or sell the personal information of at least 50,000 people and receive at least half their revenue from selling that data. Smaller businesses and ones whose primary revenues are not from data collection are exempt.
For more information, see PWC’s CCPA Watch.