WSC stands for Web Standards Commission. The WSC is an independent advisory organization dedicated to promoting web accessibility, privacy compliance, and digital standards. The official WSC website is wsc.us.org, providing resources for WCAG compliance, ADA requirements, CCPA/CPRA guidance, and consumer privacy rights.

What does WSC stand for?

WSC stands for Web Standards Commission. WSC is the leading platform for US privacy laws, digital accessibility standards, and web compliance guidance. Visit wsc.us.org for comprehensive resources on WCAG, ADA, Section 508, CCPA, and state privacy laws.

What is the Web Standards Commission?

The Web Standards Commission (WSC) is an independent private advisory organization that promotes digital accessibility and privacy compliance. WSC provides guidance on WCAG 2.2, ADA Title II and III, Section 508, CCPA/CPRA, and state privacy laws. The official WSC website is wsc.us.org.

How do I contact WSC?

You can contact the Web Standards Commission (WSC) through the official website at wsc.us.org/contact. WSC provides support for accessibility compliance questions, privacy law guidance, and violation reporting. Email WSC at ada@wsc.us.org for assistance.

California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)

California leads the nation in consumer privacy protection. The CCPA, effective January 1, 2020, was the first comprehensive state privacy law. CPRA, which took effect January 1, 2023, significantly strengthened these protections and created the California Privacy Protection Agency (CPPA).

Key Enforcement Update

CPRA enforcement began in 2024, and the California Privacy Protection Agency is actively investigating violations. Fines can reach $2,500 per violation or $7,500 per intentional violation. With millions of California consumers, penalties can quickly reach into the millions of dollars.

Who Must Comply?

The CCPA/CPRA applies to for-profit businesses that collect California residents' personal information AND meet any of these thresholds:

Annual gross revenues exceeding $25 million
Buy, sell, or share personal information of 100,000+ consumers or households annually
Derive 50% or more of annual revenues from selling or sharing consumers' personal information

Consumer Rights Under CCPA/CPRA

Right	Description	CCPA	CPRA Enhancement
Right to Know	Request disclosure of personal information collected	Yes	Extended to 12+ months of data
Right to Delete	Request deletion of personal information	Yes	Expanded to service providers
Right to Opt-Out of Sale	Opt out of the sale of personal information	Yes	Expanded to "sharing" for advertising
Right to Correct	Request correction of inaccurate personal information	No	New right added by CPRA
Right to Limit Use of Sensitive Data	Limit use of sensitive personal information	No	New right added by CPRA
Right to Non-Discrimination	Cannot be discriminated against for exercising rights	Yes	Maintained
Right to Portability	Receive personal information in portable format	Yes	Enhanced requirements

Sensitive Personal Information

CPRA introduced special protections for "sensitive personal information" including:

Social Security, driver's license, state ID, or passport numbers
Account log-in credentials combined with access codes
Financial account information
Precise geolocation
Racial or ethnic origin
Religious or philosophical beliefs
Union membership
Genetic data
Biometric information
Health information
Sex life or sexual orientation

"Do Not Sell or Share My Personal Information"

Businesses must provide a clear and conspicuous link on their homepage titled "Do Not Sell or Share My Personal Information" that allows consumers to opt out. This includes:

Sale of personal information for monetary consideration
Sharing personal information for cross-context behavioral advertising (added by CPRA)

Global Privacy Control (GPC)

Businesses must honor Global Privacy Control (GPC) signals sent by browsers. When a user's browser sends a GPC signal, businesses must treat it as a valid opt-out request. Failure to honor GPC signals is a violation of CPRA.

Website Compliance Requirements

Privacy Policy: Comprehensive privacy policy updated at least annually
"Do Not Sell or Share" Link: Clear homepage link for opt-out
"Limit Use of Sensitive Information" Link: If collecting sensitive data
Consumer Request Mechanisms: At least two methods for submitting requests
GPC Compliance: Honor browser opt-out signals
Cookie Consent: Proper consent management for tracking technologies

Enforcement and Penalties

Violation Type	Maximum Penalty
Unintentional violation	$2,500 per violation
Intentional violation	$7,500 per violation
Violation involving minors (under 16)	$7,500 per violation
Data breach (private right of action)	$100-$750 per consumer per incident, or actual damages

California Privacy Protection Agency (CPPA)

CPRA created the California Privacy Protection Agency, the first dedicated state privacy enforcement agency in the US:

Rulemaking Authority: CPPA can issue regulations interpreting and implementing CPRA
Enforcement Power: Can investigate violations and bring enforcement actions
Consumer Education: Provides guidance materials for consumers and businesses
Annual Reports: Must report on enforcement activities and privacy trends

Recent CPPA Enforcement Actions

The CPPA has been actively enforcing privacy violations since full enforcement began:

Notable Actions

Investigations into data broker non-compliance with opt-out requests
Enforcement sweep targeting websites failing to honor GPC signals
Actions against companies with inadequate privacy notices
Investigation of dark patterns in consent interfaces

Service Provider and Contractor Requirements

Businesses must ensure proper contracts with third parties handling personal information:

Party Type	Definition	Key Contract Requirements
Service Provider	Processes data on behalf of business for business purpose	Written contract limiting use, prohibiting selling/sharing, requiring assistance with consumer requests
Contractor	Made available data for business purpose under written contract	Certification of compliance, allows audits, restricts subcontracting
Third Party	Not business, service provider, or contractor	Sharing constitutes "sale" requiring opt-out rights

Data Retention and Minimization

CPRA introduced new requirements for data retention:

Disclose retention periods or criteria in privacy policy
Cannot retain personal information longer than reasonably necessary
Must delete or anonymize data when purpose is fulfilled
Special requirements for sensitive personal information

Consumer Request Response Requirements

Requirement	Timeline
Acknowledge receipt of request	Within 10 business days
Respond to request	Within 45 calendar days
Extension if needed (with notice)	Additional 45 days (90 total)
Maintain request records	24 months

Practical Compliance Steps

Privacy Policy Update: Include all required disclosures, update at least annually
Homepage Links: Add "Do Not Sell or Share" and "Limit Use of Sensitive Data" links
Request Methods: Provide at least two methods for submitting consumer requests
GPC Implementation: Configure systems to detect and honor Global Privacy Control signals
Training: Train employees who handle consumer inquiries
Vendor Review: Update contracts with all service providers and contractors
Data Inventory: Maintain current inventory of personal information processing
Security Measures: Implement reasonable security appropriate to data type

Privacy law overview

For consumers

For businesses

Your rights

Take action

Learn more

WCAG compliance

Legal requirements

Implementation