The California Consumer Protection Act (CCPA) is considered the first comprehensive privacy law in the United States; it became law in June 2018.
Like the GDPR, the California Consumer Protection Act imposes a number of obligations on companies toward consumers regarding the retention and management of personal information, including disclosures, rights, explicit refusals to handle certain information, and explicit consent requirements for minors.
The CCPA applies to companies that conduct business in California and meet at least one of the following requirements:
- Generate gross revenue in excess of $25 million;
- Make 50% or more of annual revenue from the sale of users’ personal information;
- Buy, sell and share the personal information of more than 50,000 users.
The CCPA provides the following consumer rights:
- right to be informed about how their data will be processed during and after collection;
- right of access to one’s own data;
- right to data portability, or the ability to receive information and data in an easily usable format, i.e., responding companies must respond by regular mail or in electronic format;
- right to erasure of any data collected;
- right to object to the sale of one’s data;
- right to opt-in (prior consent for minors), whereby companies cannot sell data of consumers under the age of 16 unless they have opted in;
- right not to be discriminated against by companies as a result of choosing to avail themselves of the provisions of the law for their protection.
As with G.D.P.R. compliance for companies in Italy, compliance with the CCPA is undoubtedly a complex path that involves not only technical implementations but also good planning of improvement and corrective activities.