California
California Consumer Privacy Act (CCPA)
Passed | June 28, 2018 |
Effective Date | January 1, 2020 |
Who it applies to |
|
Penalties | $2,500 per violation, and up to $7,500 per intentional violation or violation involving children |
What’s notable about it:
California was the first comprehensive privacy law in the US. Before the CCPA, U.S. privacy laws only targeted specific industries like health, finance, and education.
With a unique right to “limit the use and disclosure of sensitive personal information” and complex rules on “disclosing personal information for business purposes,” the CCPA looks very different from other state privacy laws. CCPA gives consumers the right to opt out of the monetization of their data. If personal data is shared for contextual advertising, it counts as a sale: consumers have the right to opt out of the “selling” or “sharing” of their data. This covers disclosing personal information to a third party for almost any reason—including advertising, analytics, and other commercial uses.
We’ve already seen enforcement by California’s Attorney General, who is now joined by the state’s own privacy regulator, the California Privacy Protection Agency (CPPA), which has an annual budget of $10M to hire staff, enforce the law, and drive awareness. CCPA also grants residents a limited right to take a company to court over data privacy violations (also known as a “private right of action”). And, in December 2023, it signaled its intent to broadly regulate AI, implementing significant consumer rights to opt out of and access information about businesses’ use of such technology.