I Don’t Live in California, Why Am I Receiving These Emails?
A business with a presence in California is required to comply with the CCPA if it has an annual gross revenue of over $25 million, handles personal information of over 500,000 consumers/households/devices, or derives at least half of its annual revenue from selling personal information. This is not a high threshold. One report estimates that all businesses with more than 500 employees and 37.5% of businesses with fewer than 500 employees will meet the $25 million annual revenue threshold. It is very likely that many businesses with smaller revenue are covered by the other two thresholds.
Once a business is subject to the CCPA, it has to comply with certain standards when it comes to handling consumer personal information, regardless of whether the consumer lives in California or not. So, it is easy to see that the CCPA is not just for Californians.
Companies Had Privacy Policies in the Past. What’s Different This Time?
The name of the statute is somewhat misleading. The concept of privacy usually refers to something not generally known by others. By contrast, in the realm of data privacy laws, what’s being protected is simply personal information. The CCPA broadly defines personal information as information that “identifies, relates to, describes, is capable of being associated with” an individual or a household. The statute then provides a non-exhaustive list of information that constitutes personal information. Notably, some information that does not necessarily contain personal identifiers is also covered under this definition; for instance, browsing history, search history, and geolocation data.
What Does the Statute Mean to Me?
If you are a California citizen, the CCPA gives you certain rights to help you gain more control over your own personal information. Consumers can require further disclosure of the specific personal information businesses have collected about them and the categories of personal information collected about them in the past 12 months. The law mandates deleting a consumer’s personal information once a business receives a request from this consumer. If the business sells personal information, consumers have the right to opt out of any future sales.
In general, the California Attorney General is tasked with enforcement of the statute; businesses will be fined for each intentional or unintentional violation. The statute also creates a private right of action for victims of a data breach, in which case a business can be ordered to pay either statutory damages of $100 to $750 per consumer per incident, or the actual damages, whichever is greater. This avoids the usual difficulty of proving damages for individual victims.