As of January 1, 2023, the California Consumer Privacy Act (“CCPA”) now affects the personal data of not only consumers but also employees and individuals in their capacity as commercial contacts. The amended CCPA now also includes the right of a data subject to correct the data a business holds concerning them and to limit the disclosure and use of certain kinds of “sensitive personal information.” These rights are in addition to the CCPA's rights to disclosure of personal information held about the data subject, to have a business delete the data subject's information, to opt out of third-party sales, to be protected from discrimination based on the exercise of CCPA rights, and the right to sue in the event of a data breach.
Unlike in Europe and Japan, the CCPA does not distinguish between in-country and cross-border data transfers. However, restrictions on transfers, in general, are now tightening under the CCPA. Businesses must have specific agreements in place with third parties to whom they disclose personal information. Data subjects in California now have the right to opt out of sales of their personal information and potentially any disclosure to a third party, regardless of whether it constitutes a sale.
Six other US states, including Colorado, Connecticut, Nevada, Utah, and Virginia, have data privacy laws that have taken effect or will take effect by the end of 2023. Most of these laws apply to consumers rather than to business employees or business-to-business contacts. However, for businesses that sell or market directly to consumers, these other states' laws will become increasingly important as they provide several similar rights to those of the CCPA and GDPR. Over the next year, the collection of personal information from US residents will become increasingly regulated.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
