California Consumer Privacy Act (CCPA)

Written by Elisa Meyer (Legal writer.) and last updated on 04 April 2020.

California Consumer Privacy Act (CCPA)

California's Consumer Privacy Act (CCPA) was passed unanimously in 2018, giving Californians more control over which companies have their personal information, and what they do with it.

The law took effect in January of 2020 and is being hailed as one of the most influential consumer privacy laws in the U.S. to date. As a result, many businesses will need to make changes to their Privacy Policies in order to be compliant.

The California Consumer Privacy Act accomplishes the following protections for consumers:

  • An extensive definition of what qualifies as "personal information"
  • The creation of new data privacy rights for consumers
  • New required disclosures from businesses regarding consumers' information
  • New rules for gathering and selling the information of minors
  • Fines or damages charged to companies who do not take reasonable security precautions to protect consumers' information

Background of the CCPA

Although other privacy laws have been in effect in California and on a federal level, many of them apply only to a specific type of information. Others are outdated or are simply not comprehensive in covering increasingly important factors like mobile data or biometric data.

Technological innovations in recent years have been so incredible that many tools and electronics are collecting data that was never intended to be monitored under privacy laws.

Some of these are:

  • "Wearables" such as FitBits that track your movements, health, and biometric data;
  • "In-home devices" like Amazon's Alexa, silent eavesdroppers to all conversations; and
  • GPS devices that track speed or enable geofencing

The CCPA was needed because it specifically addresses the use of consumers' personal information in a manner that can be applied to these new and emerging technologies.

In many ways, the CCPA is modeled on the General Data Protection Regulation (GDPR), a recent law passed in the European Union addressing similar concerns about personal information and privacy.

New Definitions in the CCPA

New Definitions in the CCPA

As we mentioned, in 2018 there were already a number of existing privacy laws in the United States both in California and at the federal level. These include CalOPPA, HIPAA, and the FTCA.

However, the CCPA was passed because it covers problems many of the other laws do not. This is partly because of the broad definitions that it establishes, allowing the law to be applied to emerging technology.

The most important definitions to understand under the new law are:

  • Business
  • Sale
  • Personal information

Business

Like CalOPPA, the CCPA applies to any business that affects consumers in California. For the purposes of CCPA, a "business" is any legal entity which:

  • Pursues a profit,
  • Operates in California, and
  • Has control over the "purposes and means" of the processing of consumers' personal information

However, while CalOPPA does not require that consumers give consent before their personal data is sold, this consent requirement is a major component of the CCPA.

CalOPPA also doesn't require businesses to offer a link or resource to opt out of having personal information sold while the CCPA does.

The CCPA is also different from CalOPPA in that it is designed to apply to large corporations who use consumers' personal information for profit, not to small or medium-sized businesses.

To ensure this, the law requires a company must meet at least one of the following criteria to be subject to the law:

  • The company's annual gross revenue is $25 million or more
  • The company buys, shares, sells, or otherwise receives personal information from at least 50,000 devices, consumers or households
  • A minimum of 50 percent of the company's annual revenue is made by selling consumers' personal information

Put another way, this law is meant to apply to social media sites, data brokers, and major corporations that have access to personal information (like Amazon or Google).

Sale

The CCPA defines the sale of personal information as:

"the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating ... a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."

The following uses of personal information are NOT considered to be a sale:

  • Use of the information as the consumer intended or disclosed
  • Use of the information to identify consumers "opting out" of their data being shared
  • Sharing of personal information with a service provider as necessary for performance of a business purpose (fine print)
  • Transfer of personal information to a third party as an asset during a merger, acquisition, bankruptcy, or other transaction

Personal Information

The CCPA uses what may be the broadest legal definition of "personal information" in the world. Under Cal. Civ. Code ยง 1798.140(o)(1), personal information is considered to be:

"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

Specifically, the Act gives the following examples of information which is considered to be personal or household information:

  • Name (real or alias)
  • Unique personal or online identifier
  • Postal address
  • IP address
  • Email address
  • Account names
  • Social security number
  • Driver's license number
  • Passport number
  • Biometric information

Public information and "aggregate consumer information" are specifically NOT subject to this law. Public information is accessible by public records. Aggregate consumer information is information about consumer preferences or behavior which is not linked to any consumers' identity, such as large-scale statistical information.

Remember, under the CCPA, if it could "reasonably" be linked to a consumer directly or indirectly, it's considered personal information.

What the CCPA Means For Businesses

What the CCPA Means For Businesses

The CCPA puts forth three criteria to protect consumer data:

  • Transparency
  • Control
  • Accountability

Transparency

Under the CCPA, businesses who are subject to the law must include in their Privacy Policy certain information about consumers' personal information and its use. Information a business must disclose includes:

  • What kind of personal information they are collecting
  • How they are going to use it (i.e. sell it)
  • Types of third parties they share the information with
  • Consumers' rights to restrict that information
  • How to restrict the sale of personal information

In some cases, the company must also provide a link for the consumer to use to opt out.

In this screenshot from Amazon's Privacy Notice, we can see the types of information the company collects:

Amazon Privacy Notice: Examples of Information Collected clause excerpt

Control

Under the new law, consumers will have more control over their personal information and how it is used. In order to achieve this, several new consumer rights were established: the right to disclosure, deletion, access, opting out, and nondiscrimination.

The Right to Disclose

Under Title 1.81.5, Section 1798.155, a business must disclose to a consumer what personal information they collect or sell, and how it is used in response to consumer's request. This means disclosing:

  • The types of information collected
  • The sources of information collected
  • Types of third parties information is shared with
  • The business purpose of sharing the information,
  • Pieces of information collected specific to that consumer

If a business intends to sell personal information, they must provide notice of this to any consumers over the age of 16, and provide them with an opportunity to opt out.

The Right to Delete

Although there are some exceptions, for the most part, if a business is contacted by a consumer and requests that their personal information be deleted, they must comply.

In the screenshot below, we can see that Facebook's Data Policy directly instructs consumers that they can delete their account in order to delete all of their personal information.

Facebook Data Policy: How can I manage or delete information about me clause

The Right to Access

A consumer has the right to access information about themselves that is collected, stored, or sold by a business subject to the CCPA. The business is required to release this information to the consumer upon the consumer's request.

The Right to Opt Out

A consumer has the right to opt out of having their personal information shared or sold. If a business intends to sell personal information, they are required to offer consumers a chance to opt out of this, often via a link titled "Do Not Sell My Personal Information."

Special Rules for Minors

The CCPA also specifically addresses how companies handle the personal data of minors (those under 18). Instead of opting out, minors must "opt-in" - their personal information cannot be legally sold without appropriate consent.

Consumers between the ages of 13 and 16 may give consent for their own information to be sold.

Consumers below the age of 13 must have a parent or guardian's consent given for their data to be sold, and a business who disregards the consumer's age altogether will be considered to know their age.

The Right to Nondiscrimination

The CCPA makes it clear that a consumer who exercises their rights under the law may not be discriminated against. That means the company cannot deny the consumer goods or services, or subject them to different prices than other consumers.

The law specifically bans any related practices that are unjust, unreasonable, coercive, or usurious in nature.

However, the law doesn't prohibit these companies from offering incentives to entice consumers to permit sharing of their information. These incentives can even be financial in nature.

AT&T's Privacy Policy explains that consumers who use a certain app effectively "opt in" to having their information used to receive great discounts from AT&T and partner products:

ATT Privacy Policy: Personal Information clause

Accountability

Companies subject to the CCPA will have some increased responsibilities, including understanding the broader definitions than have been used in past data privacy laws.

Those companies who are not compliant with the CCPA will be subject to a steep fine. Any business who violates the CCPA may be charged a fine of at least $2,500 - and this goes up to $7,500 for violations which are judged to be intentional.

Take note that these fines are per capita, or per person. That means, if a business intentionally violates the CCPA by inappropriately handling the personal information of 1000 customers, the fine would be $7,500,000.

This can get expensive quickly given that large companies and data brokers who are affected by the CCPA may have billions of customers.

If a business is identified as being in violation of the CCPA, they have 30 days from the time they are notified of the violation to correct it. This rule can be found in Title 1.81.5, Section 1798.155(b):

(b) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

Additionally, the Act gives consumers the right to bring civil claims against companies who do not conform to the law, meaning that they can also sue for personal damages.

Note that the CCPA does not restrict a business' ability to comply with state or federal law, or with any regulatory agencies or investigations. Therefore, releasing personal information to a government agency in order to comply with a state or federal law or investigation is specifically not a violation of the CCPA.

Complying with CCPA

Complying with CCPA

The CCPA is operational as of January 2020. However, many businesses are still struggling to become compliant with the new law.

Businesses who must meet the requirements set forth by the CCPA should ensure that they have the following information in their Privacy Policy:

  • An explanation of what kind of information is collected and processed, and how
  • Why this information is being collected (i.e. if it is sold)
  • Explanations of how consumers may access, delete, or request their personal information stop being collected
  • Disclosure of processes in place for verifying consumers' ages, and for obtaining the consent for consumers who are minors
  • A "Do Not Sell My Personal Information" link within the Privacy Policy, allowing consumers to exercise their right to opt out of information selling
  • An explanation of how consumers' identity is verified with regard to accessing or disclosing information

As the requirements of the California Consumer Privacy Act are implemented, remember that the purpose of the law is to allow consumers to have more control over the transmission of their personal information.

Also remember, the CCPA states that it is to be "liberally construed," so when in doubt, play it safe!