As of Jan. 1, 2020, the California Consumer Privacy Protection Act (CCPA) is now in force. Passed by the state legislature in 2018, this is a sweeping regulation of how businesses can collect and share “personal information” of California residents. Much like its “older cousin,” the GDPR of Europe, the CCPA has teeth and compliance is critical.

Initially, note that the California Online Privacy Protection Act (separate from the CCPA) has already been law since 2004. It provides a long list of requirements for disclosures in a Privacy Policy. The CCPA has now given Californians additional rights regarding their online privacy and data.

The CCPA applies to for-profit entities “doing business” in the state of California that fit at least one of these criteria:

Earns annual gross revenues exceeding $25 million

Annually buys, receives, sells or shares (for commercial purposes), the personal information of 50,000 or more consumers, households or devices

Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Under the CCPA, a business must make available to consumers two or more designated methods for submitting the requests, including a toll-free telephone number and a website address. The business cannot require the consumer to create an account with the business in order to make the request.