Woman with face blurred

How does the California Consumer Privacy Act apply to Australian businesses?

On the 1 January 2020, the California Consumer Privacy Act (CCPA) came into effect and subsequently introduced a broad range rights, obligations and enforcement measures relating to the protection of consumers’ information (found here: CCPA).

As this is a Californian law, you may be wondering how this applies to Australian business. The CCPA has an extra-territorial scope that may capture some Australian companies that engage in business in the State of California, irrespective of whether that business has a physical presence in California.

Will your business fall under the scope of the CCPA?

In brief, the CCPA apply to businesses that:

  • collect “personal information” from Californian residents;
  • busines engages in business in California;
  • satisfies one of the following:
  • revenue threshold: has an annual gross revenue in excess of US$25,000,000; or
  • number of consumers: obtains personal information of 50,000 or more of consumers, households or devices annually; or
  • business type: derives 50 percent or more of its annual revenue from selling the personal information of consumers. 

What obligations does this impose?

In brief, some of the obligations imposed include:

  • new consumer rights in relation to personal information.
  • Requirements that businesses to update their privacy policies to reflect the CCPA’s new disclosure requirements.
  • requirement to provide consumers with a notice about the categories of personal information that will be collected from the consumer and the purposes for which the personal information will be used.
  • Giving consumers the right to know what personal information is being collected about them and the purposes for which it is being used, the right to delete personal information, and the right to “opt-out” of the sale of their personal information.
  • Prohibits businesses from selling personal information of consumers who are under the age of 16, unless an exception applies.

Key takeaway

The Attorney General can bring an action against Australian businesses for breaches of the CCPA since the 1 July 2020, Australian businesses captured by the CCPA update existing practices and regulatory frameworks to ensure. If you engage in business in California or even if you ship your products to the USA, it is important that your Privacy Policy is updated to reflect these laws.