Since the start of this year, the US has had a new high-water mark for privacy regulation. The California Consumer Privacy Act (CCPA) has come into effect, and it can apply to entities located outside that state.
In summary, if you are a for-profit entity with revenue of more than US$25 million that does business in California and collects the personal information of consumers in that state, you will need to comply with the new law. “Doing business” does not require a physical presence in the state.
The CCPA concept of “personal information” is broader than the definition in the Australian Privacy Principles, extending to information that “is capable of being associated with, or could reasonably be linked” with a person residing in California. The concept also applies to purchasing histories and tendencies, browsing histories and search histories.
If the CCPA applies to your business, you must disclose the following when you collect personal information:
- the categories of information collected and the purposes for which the information will be used
- whether your business sells personal information and the categories of parties to which it is sold
- that the consumer can request disclosure of the pieces of personal information the business has collected
- that the consumer can request deletion of their personal information
- that the consumer will not be discriminated against for exercising their rights under the law.
Plus, you must offer an “opt out” from the sale of the consumer’s information.