Adding to the complex patchwork of federal laws, some states have developed their own statutory frameworks for data protection. Every state has passed some form of data breach response legislation, and many states have consumer protection laws of various types. In addition, California has created a comprehensive data protection regime through the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020.
The CCPA governs any company doing business in California that meets certain minimum thresholds, including companies with websites accessible there. The law provides consumers with three main “rights.” First, consumers have a “right to know” information that businesses have collected or sold about them, requiring businesses to inform consumers about the personal data being collected. Second, the CCPA provides consumers with a “right to opt-out” of the sale of their personal information. Third, the CCPA gives consumers the right, in certain cases, to request that a business delete any information collected about the consumer (i.e., “right to delete”). The CCPA will be enforced via civil penalties in enforcement actions brought by the California Attorney General.