California Consumer Privacy Act (CCPA) – an overview
Table of contents
At a glance
The United States does not yet have a single federal data protection law. To date, several states have passed their own laws or updated existing ones, and in many others bills have been introduced, are in progress, or have failed.
A number of other laws have also been on the books for years, and which target specific types of information or human demographics, like health – Health Insurance Portability and Accountability Act (HIPAA) – or children’s safety – Children’s Online Privacy Protection Act (COPPA). This does not make it easy to keep track of all or achieve compliance for all relevant regulations regarding personal data.
The first, and to date, most influential state-level consumer privacy law passed in the US, is the California Consumer Privacy Act (CCPA). While it takes some influence from the European Union’s General Data Protection Regulation (GDPR), the CCPA has in turn influenced privacy bills drafted by other states, including Virginia, which has since passed the Consumer Data Protection Act (CDPA).
What is the CCPA?
The CCPA was passed in 2018 and came into effect on January 1st, 2020. Enforcement began on July 1st, 2020. It applies exclusively to consumers who are natural persons and California residents and regulates the protection of their personal data.
The Act defines a “resident”, as (1) every individual who is in California (State) other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State, but is outside the State for a temporary or transitory purpose. All other individuals are non-residents.
Definitions of who qualifies as a resident are still being determined, in part by lawsuits resulting from the CCPA coming into effect. For example, would that include students who only attend college in California for part of the year?
It does not matter if companies that must comply with the CCPA are headquartered or have an office in California. It only matters if they are doing business with residents there, which can include anything from making sales to visitors on their websites.
The CCPA provides the following rights to consumers:
- The right to know about the personal information a business collects about them and how it is used and shared
- The right to know whether and to whom their personal information is sold and/or disclosed.
- The right to delete personal information collected from them (with some exceptions)
- The right to opt out of the sale of their personal information
- The right to non-discrimination for exercising their CCPA rights.
Companies are required to give consumers certain notices explaining their privacy policies. The CCPA applies to many businesses, including data brokers.
The CCPA uses an opt-out model, which means that the CCPA gives consumers the right to direct a company that sells personal information about the consumer to third parties, not to sell their personal information. This applies to adults over age 16. Companies must obtain minor consumers’ consent when selling their data.
The CCPA also introduces a requirement for companies to provide a clear link on their website titled: “Do not sell my personal information”, which must direct the consumers to a web page that enables consumers to opt out if the sale of their personal information. Companies do not have to obtain consumers’ consent before their personal data is collected.
It is also worth noting that a third-party business may not sell a consumer’s personal information, which has been sold to that third-party by another business, unless the consumer has received explicit notice, and the right to opt out was introduced.
The GDPR, on the other hand, uses an opt-in model, so companies cannot collect, share, or sell any personal data from consumers without first obtaining their explicit and informed consent.
To comply with the CCPA, in addition to enabling consumers to exercise all the rights listed above, companies must include a clearly visible link on their website with the text “Do Not Sell My Personal Information” to ensure that consumers can easily reject the sale of any of their personal data that has been collected.
What consumers’ information is called, and how it’s defined, varies among different regulations. Personal data and personal information typically refer to the same types of things. Under the law consumers’ information is also categorized according to its sensitivity, which is a good thing, as it means that data requires special handling and extra security.
Under the CCPA, the exact definition of personal information is:
“Information that identifies, relates to, describes, can reasonably be associated with, or could reasonably be associated directly or indirectly with a particular consumer or household.”
Common examples would include a name, email address, or social security number.
Which companies does the CCPA apply to?
As noted, the CCPA applies to companies that do business with consumers who are California residents. CCPA compliance also applies to third parties that collect, process or otherwise use or purchase consumers’ personal information from those businesses.
Even if a company is only a service provider that processes data from California residents on behalf of another company, the requirements set out in CCPA must be followed. In order to comply, companies must have data privacy agreements with all third parties that can access or process consumer data.
The CCPA applies to companies doing business in California that collect consumers’ personal information (directly or through a third party) and that satisfy at least one of the following requirements:
- The company has at least $25 million annual gross revenue; or
- The company receives, buys, sells, or shares for commercial purposes, alone or in combination, personal information on at least 50,000 California residents, households, or devices; or
- The company derives more than half of its annual revenues from the sale of personal information.
The CCPA does not apply to entities such as government agencies, non-profit businesses, or certain small businesses.
California’s economy is the world’s fifth largest, and it is home to some of the world’s biggest and most influential tech companies. As a result, the CCPA’s reach extends far beyond state borders. Not only California residents, but customers from all over the world, can benefit from the CCPA’s grant of consumer rights and protections.
Companies’ obligations under the CCPA
Companies that are required to comply with the CCPA must proactively take the appropriate steps to ensure consumers’ personal data is collected, stored, processed, or sold in accordance with the law. The grace period pre-CCPA enforcement has passed, so ignorance or laziness in pursuing compliance is no longer an excuse.
First and foremost companies have the obligation to inform consumers that data is being collected and what rights and options they have. As noted, under an opt-out model, companies can collect at least some personal information without requiring consent.
Companies will be required to provide the following information – to be updated every 12 months – in their online privacy policies, other relevant company policies, or on their websites:
- A description of consumer rights set forth in the CCPA, including the right to request information regarding the collection and the sale of personal information, the right to require a business to delete consumer’s personal information, and the right to opt out of any sale by the business of the consumer’s personal information;
- A description of one or more designated methods for the submission of consumer requests regarding their personal information;
- A list of categories of consumer’s personal information that the business has been selling in the preceding 12 months;
- A list of the categories of consumer’s personal information that the business has been disclosing in the preceding 12 months, or a statement made by the business that it has not sold consumer’s personal information in the preceding 12 months.
Upon a verifiable request from a consumer, a company must disclose the below information to the consumer who requested:
- The categories of the consumer’s personal information that the business collected;
- The categories of the sources from which the business collected the consumer’s personal information;
- The categories of the consumer’s personal information that the business has sold, and the categories of the third parties to which the business has sold the personal information;
- The categories of the consumer’s personal information that the business disclosed for a business purpose;
- The business or commercial purpose for collecting or selling consumer’s personal information;
- The categories of third parties with whom the business shared the consumer’s personal information;
- The specific personal information the business has collected concerning the requesting consumer.
Consumers have the right to request data that was collected up to 12 months prior to the date on which they submitted their request to the company. Businesses typically have 45 days from the date on which the consumer’s request was submitted to disclose and provide the requested information, though there are some circumstances under which they can seek an extension. Data requests from consumers must be fulfilled free of charge. A company is not obligated, however, to provide information to the same consumer more than twice in a 12-month period.
It isn’t yet fully clear if consumers can request data from further back than 12 months, or if companies can deny requests beyond the law’s explicit parameters. For companies with poor data management practices, difficulties in fulfilling consumer requests could result from shortcomings in date-stamping and other categorization and storage issues.
Also importantly, included in the CCPA is the prohibition for companies to discriminate against or otherwise cause disadvantage to consumers for exercising their rights under the law.
What are the penalties for noncompliance with the CCPA?
If a company is in violation of the CCPA and has been notified of it, it has a 30-day “cure” period to remedy the violation.
For a willful violation – the company did something on purpose that violated the law – a company can be fined $7,500 USD per violation. If the violation is negligent – a company failed to take reasonable steps to achieve compliance – a company can be fined $2,500 USD per violation. If you imagine a data breach that includes millions of consumers’ records, you can see how that could quickly add up to staggering sums. Additionally, affected consumers are entitled to damages ranging from $100 to $750 USD per person for a data breach.
What does the CCPA mean for companies’ websites?
If a company meets one of the CCPA thresholds and has an online property, it is required to ensure the website has been updated and secured to ensure data privacy and security.
As noted earlier, a link to enable users to opt out of the sale of their personal data to third parties also needs to be one of these clearly accessible resources. Where minors are concerned (people who are at least 13 and under 16 years of age), companies must also get explicit consent from the consumer or a parent/guardian before their personal information can be shared or sold.
All of these requirements can be addressed via a consent management platform.
CCPA vs. GDPR
The CCPA has many similarities to the GDPR, the EU’s data protection regulation that has been in place since 2018. Both rules are based on the market location principle, where not only companies and service providers local to California are affected, but all companies doing business in California (or the EU) are subject to the respective legislation.
Both regulations pursue the same goals with regards to data subject rights, i.e. information management, protection, deletion, and access to opt out. However, the GDPR is much more detailed and contains considerably more guidance on implementation and achieving compliance in data protection. For example, it addresses both business-to-consumer (B2C) and business-to-business (B2B) operations, and the appointment of a data protection officer is mandatory.
Unique to the CCPA, however, is the classification of household and device data as personal data. This is because it can, in principle, be used to establish a consumer’s identity. The GDPR definition of personal data does not include this.
CCPA – the future
The California Consumer Privacy Act (CCPA) was the first data protection law in the United States. While other states have passed, or are working on privacy bills, data privacy in California will be further bolstered by the California Privacy Rights Act (CPRA), which will come into effect in 2023. It will both enhance and replace parts of the CCPA. For example, it adds additional requirements and protections around collection and handling of sensitive personal information.
As the CCPA has already been influential in drafting other states’ privacy laws, like in Virginia, Illinois, Washington, Nevada and New York, so it is likely that it and the CPRA will continue to have influence over privacy law at the state level in the United States, and likely at the federal level.
Have any questions, or are you in need of a CCPA-compliant Consent Management solution? Talk to one of our experts.