State-based privacy: What happens in California… might not stay in California
On 28 June 2018, California introduced the California Consumer Privacy Act (CCPA), which formed the first state-based privacy legislation within the United States. Ever the trendsetter, the years following have seen a further five American States follow in California’s footsteps by introducing comprehensive state-wide privacy and cybersecurity legislation. Most recently, Connecticut Governor Ned Lamont signed into law the Connecticut Data Privacy Act.
purpose and impact
The privacy legislation aims to secure additional privacy rights for consumers, as well as reinforce those already in existence. Importantly though, this privacy legislation is not identical between States. Accordingly, businesses must take care to familiarise themselves with the specific legislation in each state in which they do business in the USA. Not doing so could lead to unintended consequences and financial penalties.
the CCPA
In regard to the CCPA, the legislation provides consumers with:
- The right to know the personal information a business collects from them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
In addition, the CCPA mandates that businesses provide consumers with information via a ‘notice at collection’. This notice must:
- list all categories of personal information collected;
- state the purposes for which the information to be collected is used; and
- provide consumers with a link to the relevant business’ privacy policy.
Finally, the CCPA also requires that businesses clearly provide consumers with the ability to opt-out of the sale of their personal information.
wait, there’s more?!
Whilst other states play catch up, California has already taken steps to further amend the CCPA through the introduction of the California Privacy Rights Act (CPRA), which comes into effect on the 1st of January 2023.
The CPRA provides consumers with yet further rights, whilst additionally expanding those introduced under the CCPA. Most notably, however, the CPRA will create a new privacy enforcement agency – the California Privacy Protection Agency. This agency will be responsible for upholding the new laws and overseeing enforcement and penalties.
does the CCPA apply to australian businesses?
The CCPA applies to any business that:
- Conducts business in the State of California;
- Collects the personal information of California residents;
- Determines how and for what purpose the personal information is collected; and
- Satisfies any of the following thresholds:
- Revenue threshold: the business has an annual gross revenue in excess of US $25 million;
- Consumer threshold: the business obtains the personal information of at least 50,000 California residents’, households, or devices per annum; or
- Selling threshold: the business derives 50 percent (50%) or more of its annual revenue from the sale of California residents’ personal information.
need to know more?
If you are conducting business within the United States, this is a timely reminder to ensure you are aware of the potential need to comply with state-based privacy legislation. To know more, please feel free to reach out at any time to a member of our IP and Trade team.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.
stay up to date with our news & insights
State-based privacy: What happens in California… might not stay in California
On 28 June 2018, California introduced the California Consumer Privacy Act (CCPA), which formed the first state-based privacy legislation within the United States. Ever the trendsetter, the years following have seen a further five American States follow in California’s footsteps by introducing comprehensive state-wide privacy and cybersecurity legislation. Most recently, Connecticut Governor Ned Lamont signed into law the Connecticut Data Privacy Act.
purpose and impact
The privacy legislation aims to secure additional privacy rights for consumers, as well as reinforce those already in existence. Importantly though, this privacy legislation is not identical between States. Accordingly, businesses must take care to familiarise themselves with the specific legislation in each state in which they do business in the USA. Not doing so could lead to unintended consequences and financial penalties.
the CCPA
In regard to the CCPA, the legislation provides consumers with:
- The right to know the personal information a business collects from them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
In addition, the CCPA mandates that businesses provide consumers with information via a ‘notice at collection’. This notice must:
- list all categories of personal information collected;
- state the purposes for which the information to be collected is used; and
- provide consumers with a link to the relevant business’ privacy policy.
Finally, the CCPA also requires that businesses clearly provide consumers with the ability to opt-out of the sale of their personal information.
wait, there’s more?!
Whilst other states play catch up, California has already taken steps to further amend the CCPA through the introduction of the California Privacy Rights Act (CPRA), which comes into effect on the 1st of January 2023.
The CPRA provides consumers with yet further rights, whilst additionally expanding those introduced under the CCPA. Most notably, however, the CPRA will create a new privacy enforcement agency – the California Privacy Protection Agency. This agency will be responsible for upholding the new laws and overseeing enforcement and penalties.
does the CCPA apply to australian businesses?
The CCPA applies to any business that:
- Conducts business in the State of California;
- Collects the personal information of California residents;
- Determines how and for what purpose the personal information is collected; and
- Satisfies any of the following thresholds:
- Revenue threshold: the business has an annual gross revenue in excess of US $25 million;
- Consumer threshold: the business obtains the personal information of at least 50,000 California residents’, households, or devices per annum; or
- Selling threshold: the business derives 50 percent (50%) or more of its annual revenue from the sale of California residents’ personal information.
need to know more?
If you are conducting business within the United States, this is a timely reminder to ensure you are aware of the potential need to comply with state-based privacy legislation. To know more, please feel free to reach out at any time to a member of our IP and Trade team.