California Consumer Privacy Act (CCPA)

On January 01, the Consumer Privacy Law (California Consumer Privacy Act - onwards, "CCPA”, A standard aimed at improving and favoring the rights of consumers residing in California, in relation to their personal data. In this way, the CCPA reflects the right of consumers to know what information companies collect on them, for what purpose and with who share it.

In this regard, the scope of this standard is reduced to companies that "do any type of business in California" and that also meet any of these three conditions (i) have a gross income of at least $ 25 million; (ii) possess personal information of at least 50,000 California residents, homes, or devices per year; and (iii) generate at least 50% of their annual income from the sale of Californians' personal data.

Like the Peruvian Personal Data Protection Law (hereinafter “LPDP”), the CPPA considers personal information as personal data that allows the direct or indirect identification of a natural person. In the specific case, the CPPA protects the consumer, while the LPDP refers to the "holder of the personal data", and may be a consumer or a worker. In this sense, it can be seen that the LPDP is more general than the CPPA. In both regulations, the rights of natural persons are protected, leaving aside the data belonging to legal persons.

It should be noted that the CCPA introduces four basic consumer rights. In this way it introduces the right to know - "Right to know”, By virtue of which consumers have the right to know the information that a company has collected about them, the sources from which it has been obtained, the purpose of its use and its transfer to third parties; the right of deletion or cancellation of the personal data of a consumer - “right to delete”, Except for those cases in which a law does not allow its suppression.

Likewise, companies are only obliged to delete the data that they have collected directly from the consumer, not those that they have acquired by other means. Additionally, the CPPA also introduces other rights, such as prevent the sale or transfer of personal data to another company. To do this, the website must include a link titled "Do Not Sell My Personal Information ” through which consumers can exercise this right. It is also recognized, among others, the right to non-discrimination for exercising any of the rights described above. 

Throughout its provisions, the CCPA includes a series of obligations for companies, such as proactively disclosing the existence of consumer rights and communicating the purposes and categories of personal data they collect; facilitate the "right not to participate" or "opt-out”, When the company is engaged in the sale of personal data, having to report this practice on its website so that users can easily refuse this treatment. Likewise, companies that buy the personal data of another company will not be able to resell it to third parties unless they notify the consumer and give them the opportunity to refuse said treatment.

In addition, companies must announce the categories of personal data that they have sold or disclosed in the last twelve months, through the Privacy Policies, which must be updated every year. Finally, they have the obligation to provide a free phone so that people can exercise their rights, in addition to enabling a specific website for that purpose, having to deliver free personal information of a consumer that requires it in less than forty-five days. Companies are not required to release a consumer's personal information more than twice in a 12-month period.

It should be noted that a difference with our LPDP is that the express consent of consumers is not required to process their data, so that companies can freely process and market their data unless consumers object to the processing and use of their data. In the case of minors under 16 years of age, the CPPA indicates that consent is necessary, with the authorization of parents or legal guardians being mandatory for those under 13 years of age.

Another novelty is that the CCPA includes a particular sanctioning regime, giving consumers a private right of action against a company in the event of any security breach that affects their personal data that is not encrypted or protected and that has not been remedied within 30 days. In particular, every consumer can demand compensation for damages of between 100 and 750 dollars. Additionally, the Attorney General can also sue a company for any breach of the CCPA and demand penalties of up to $ 7,500 for failure.

As a reflection, the CCPA is an important step for the protection of personal data in the United States, since without a doubt this norm will become an element of discussion within governments and citizens, so progressively other states will begin to create legislation intended for the protection of personal data. Likewise, companies are encouraged to raise their standards in relation to this matter. Microsoft, for example, has signaled that it plans to apply the ACFA provisions not only to California, but to the entire United States. This law reminds us that personal data should not be seen as merchandise and that a bad treatment of these can lead to the violation of privacy, honor and dignity of people.

- Advertising Notice-
Alejandro Morales
Lawyer graduated from the University of Lima. Master in ICT Law, Social Networks and Intellectual Property at ESADE Business & Law School. Head of the Law and New Technologies Area at Torres y Torres Lara - Abogados. Specialist in Business Law, Protection of Personal Data and New Technologies.


1,954Happy fans


*All fields are required
es Spanish