California Consumer Privacy Act (CCPA) – an overview

Updated on Dec 12, 2022

The United States does not yet have a single federal data protection law. To date, several states have passed their own laws or updated existing ones, and in many others bills have been introduced, are in progress, or have failed.

A number of other laws have also been on the books for years, targeting specific types of information or human demographics, like health [Health Insurance Portability and Accountability Act (HIPAA)] or children’s safety [Children’s Online Privacy Protection Act (COPPA]. This does not make it easy to keep track of all or achieve compliance for all relevant regulations that address personal data.

The first, and to date, most influential state-level consumer privacy law passed in the United States, is the California Consumer Privacy Act (CCPA). While it takes some influence from the European Union’s General Data Protection Regulation (GDPR), the CCPA has in turn influenced privacy bills drafted by other states, including Virginia, which passed the Consumer Data Protection Act (VCDPA).

The CCPA was passed in 2018 and came into effect on January 1st, 2020. It applies exclusively to consumers residing in California and regulates the protection of their personal data.

Definitions of who qualifies as a resident are still being determined, in part by lawsuits resulting from the CCPA coming into effect. For example, would that include students who only attend college in California for part of the year?

It does not matter if companies that must comply with the CCPA are headquartered or have an office in California. It only matters if they are doing business with residents there, which can include anything from making sales to visitors on their websites.

The CCPA provides the following rights to consumers:

• to learn whether and what data is collected about them
• to know if their information is being sold to or shared with other individuals or companies
• to view the data collected about them at any time
• to prohibit the sale of their personal data, and
• to request deletion of the personal data collected from them

The CCPA uses an opt-out model, which means that companies do not have to obtain consumers’ consent before their personal data is collected. This applies to adults over age 16. They just have to obtain consent to sell the data, or use it in some other specific ways.

The GDPR, on the other hand, uses an opt-in model, so companies cannot collect, share, or sell any personal data from consumers without first obtaining their explicit and informed consent.

To comply with the CCPA, in addition to enabling consumers to exercise all the rights listed above, companies must include a clearly visible link on their website with the text “Do Not Sell My Personal Information” to ensure that consumers can easily reject the sale of any of their personal data that has been collected.

What consumers’ information is called, and how it’s defined, varies among different regulations. Personal data and personal information typically refer to the same types of things. Under the law consumers’ information is also categorized according to its sensitivity, which is a good thing, as it means that data requires special handling and extra security.

Under the CCPA, the exact definition of personal information is:

“Information that identifies, relates to, describes, can reasonably be associated with, or could reasonably be associated directly or indirectly with a particular consumer or household.”

Common examples would include a name, email address, or Social Security Number.

As noted, the CCPA applies to companies that do business with consumers who are residents of California. CCPA compliance also applies to third parties that collect, process or otherwise use or purchase consumers’ personal information from those businesses.

Even if a company is only a service provider that processes data from California consumers on behalf of another company, the CCPA’s requirements must be followed. In order to comply, companies have to have data privacy agreements with all third parties that can access or process consumer data.

Companies that meet the following thresholds are required to comply with the CCPA’s requirements:

• annual gross revenues exceeding $25 million USD, or
• receive, buy, or sell personal information of 50,000 or more consumers, households, or devices, or
• earn more than half of their annual revenue from the sale of consumers’ personal information

California’s economy is among the world’s largest, and it is home to some of the world’s biggest and most influential tech companies. As a result, the CCPA’s reach extends far beyond state borders. Not only California consumers, but customers from all over the world can benefit from the CCPA’s grant of consumer rights and protections.

Companies that are required to comply with the CCPA must proactively take the appropriate steps to ensure consumers’ personal data is collected, stored, processed, or sold in accordance with the law. The grace period pre-CCPA enforcement has passed, so ignorance or laziness in pursuing compliance is no longer an excuse.

First and foremost companies have the obligation to inform consumers that data is being collected and what rights and options they have. As noted, under an opt-out model, companies can collect at least some personal information without requiring consent.

If a consumer exercises their rights under the CCPA, they can request the following information be disclosed:

• categories of data collected
• the specific data collected
• sources of that data
• purpose of data collection
• third-party businesses/partners to which the data has been forwarded

Consumers have the right to request data that was collected up to 12 months prior to the date on which they submitted their request to the company. Businesses typically have 45 days from the date on which the consumer’s request was submitted to disclose and provide the requested information, though there are some circumstances under which they can seek an extension. Data requests from consumers must be fulfilled free of charge.

It isn’t yet fully clear if consumers can request data from further back than 12 months, or if companies can deny requests beyond the law’s explicit parameters. For companies with poor data management practices, difficulties in fulfilling consumer requests could result from shortcomings in date-stamping and other categorization and storage issues.

Also importantly, included in the CCPA is the prohibition for companies to discriminate against or otherwise cause disadvantage to consumers for exercising their rights under the law.

If a company meets one of the CCPA thresholds and has an online property, it is required to ensure the website has been updated and secured to ensure data privacy and security.

The website must inform visitors or customers about the categories and purposes of the personal data collected, via a “notice of collection”. The notice must also include the business’ privacy policy, which will describe users’ privacy rights and how to exercise them, as well as the business’ privacy practices in more detail.

As noted earlier, a link to enable users to opt out of the sale of their personal data to third parties also needs to be one of these clearly accessible resources. Where minors are concerned (people who are at least 13 and under 16 years of age), companies must also get explicit consent from the consumer or a parent/guardian before their personal information can be shared or sold.

All of these requirements can be addressed via a consent management platform.

The CCPA has many similarities to the GDPR, the EU’s data protection regulation that has been in place since 2018. Both rules are based on the market location principle, or extraterritoriality, where not only companies and service providers local to California are affected, but all companies doing business in California (or the EU) are subject to the respective legislation.

Both regulations pursue the same goals with regards to data subject rights, i.e. information management, protection, deletion, and access to opt out. However, the GDPR is much more detailed and contains considerably more guidance on implementation and achieving compliance in data protection. For example, it addresses both business-to-consumer (B2C) and business-to-business (B2B) operations, and the appointment of a data protection officer is mandatory.

Unique to the CCPA, however, is the classification of household and device data as personal data. This is because it can, in principle, be used to establish a consumer’s identity. The GDPR definition of personal data does not include this.

The California Consumer Privacy Act (CCPA) was the first data protection law in the United States. While other states have passed, or are working on privacy bills, data privacy in California will be further bolstered by the California Privacy Rights Act (CPRA), in effect from January 1st, 2023. It will both enhance and amend parts of the CCPA. For example, it adds additional requirements and protections around collection and handling of sensitive personal information, and establishes the California Privacy Protection Agency (CPPA) for oversight.

As the CCPA has already been influential on other states’ privacy laws, like in Virginia, so it is likely that it and the CPRA will continue to have influence over privacy law at the state level in the United States, and likely at the federal level.

Have any questions, or in need of a Consent Management solution? Talk to one of our experts.