The California Consumer Privacy Act of 2018 (CCPA) went into effect on January 1, 2020. It is the first law ensuring personal online privacy to be implemented in the U.S. Any "business" with an online presence, anywhere in the world, will have to comply with the California Consumer Privacy Act if it receives personal data from any California residents or has gross revenues over $25 million.
Business is defined in the act as a "sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners … that does business in the State of California." The new law does not appear to apply to nonprofits.
This new law will have far-reaching effects for businesses with websites, not only because one in eight people in the United States is a California resident, but also because the Internet really has no boundaries.
Essentially, the law says that customers can have some control over the information that the websites they visit collect about them. "Businesses will have to treat that information more like it's information that belongs, is owned by and controlled by the consumer," according to California Attorney General Xavier Becerra, "rather than data that, because it's in possession of the company, belongs to the company."
According to the International Association of Privacy Professionals (IAPP), a business (as defined above) must meet at least one of the following criteria for the law to apply to it:
Websites of businesses that collect personal data from California residents and exchange it for money or other compensation must provide a clear and conspicuous "Do Not Sell My Personal Information" link on their homepage. This link must direct users to an interactive web form that lets customers opt out of the sale of their personal information, get access to all the data collected about them, have all or some of it deleted, and request portability (that is, have their data provided to them). Businesses on the web must respond to these requests within 45 days.
Businesses subject to the CCPA and that have websites will need to
The CCPA is generally regarded as a work in progress, with implementation and enforcement rules yet to be fully developed. The new law allows California consumers to sue companies that suffer data breaches involving their data. It does not allow consumers to sue companies that sell their data.
The law does not apply to government entities. These can collect data, sell it, and not allow consumers to opt out. They also can't be sued for data breaches.
The CCPA's definition of personal information does not include any data that is already lawfully made publicly available from federal, state, or local government records. A number of additional exceptions are carved out in the act, related to existing restrictions under conflicting or related state and federal laws.
For nonprofits and libraries, the CCPA requirements are, as a practical matter, probably not necessary. But several states are expected to follow this trend, and companies like Microsoft have said they will honor the data rights in the California law for customers nationwide.