The CCPA, and privacy law comparison

  • 8 minutes

The California Consumer Privacy Act of 2018 (CCPA) is a California state privacy law that's the first comprehensive privacy law in the United States. The CCPA went into effect on January 1, 2020, and enforcement by the California Attorney General started on July 1, 2020.

The CCPA provides several privacy rights to Californian consumers, including:

  • The right to know about the personal information a business collects about them and how it's used and shared.
  • The right to delete personal information collected from them, with some exceptions.
  • The right to opt out of the sale of their personal information.
  • The right to nondiscrimination for exercising their CCPA rights.

Businesses subject to the CCPA have several obligations to Californian consumers, which include:

  • Preserving the preceding listed data subject rights.
  • Giving consumers certain notices explaining the business's privacy practices.
  • Providing an opt-out for certain data transfers classified as sales, and using an opt-in requirement for minors.

The CCPA applies only to companies that do business in California and meet at least one of the following conditions:

  • Have a gross annual revenue of more than 25 million U.S. dollars (USD).
  • Derive 50% or more of their annual revenue from selling California residents' personal information.
  • Buy, receive, or sell the personal information of more than 50,000 California consumers annually.

Microsoft and the CCPA

For commercial customers doing business in California, Microsoft is a service provider with respect to its Online Services and Professional Services offering. The Online Services Terms and the Microsoft Professional Services Data Protection Addendum meet the CCPA requirements for Service Providers. As set out in the Online Services Terms, Microsoft complies with all laws and regulations that apply to its provision of Online Services, including the CCPA.

Regulatory law similarities and differences

Both of these regulations mandate transparency and disclosure obligations, and provide individuals with unique rights over how their data is processed.

One significant difference is that the CCPA includes the right for consumers to opt out from the sale of their personal data to third parties. The term sale has a specific meaning under the CCPA. Work with your legal team to understand whether or not your organization might be selling data.

Under the CCPA, personal information is any data relating to an identified or identifiable person. There's no distinction between a person's private, public, or work role. The defined term personal information corresponds with personal data, but the CCPA also includes family and household data.