The California Consumer Privacy Act (or the CCPA) is a regulatory framework in the State of California that creates new consumer rights and sets requirements for companies that collect, sell, or buy Personal Information (or PI) about people who reside in California. Those requirements focus on:

  • Privacy Policy & Disclosure
  • Access to and portability of PI
  • PI destruction / deletion
  • Opt-out program
  • Non-discrimination

The CCPA was enacted in 2018 and took effect on January 1, 2020. Enforcement by the Attorney General under the CCPA begins on July 1, 2020.

On October 10, 2019, Attorney General Xavier Becerra released draft regulations under the CCPA for public comment. An updated Notice of Modifications to Text of Proposed Regulations was published on 2/10/2020, and a Notice of the Second Modifications to the Text of the Proposed Regulations on 3/11/2020. Enforcement of the CCPA begins on July 2, 2020. Some terms of the regulations are still subject to change. More information can be found on the California Attorney General's page.


2 WHOs and 2 WHATs

The CCPA applies to “consumers,” broadly defined as any natural person who is a California resident, and covers one type of data, namely Personal Information.

The right to request disclosure of the categories and specific pieces of personal information the business has collected, used for business purposes, shared, or sold; [1798.100.(a)] [1798.110]

The right to request deletion of personal information held by a business and, by extension, by the business’s service providers; [1798.105]

The right to opt out of the sale of personal information. Consumers may direct a business that sells personal information to stop selling that information.

  • Opt-in [1798.120]
    • children at least 13 years of age and less than 16 years of age must themselves provide opt-in consent,
    • consumers less than 13 years of age require the affirmative consent of a parent or guardian.

The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA. [1798.125]

The information provided to a consumer pursuant to a Request for Disclosure

  • may be delivered by mail or electronically, and
  • if provided electronically, shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance.

Consumers can bring a private right of action to recover statutory damages in the event of data breach and failure to cure.

CCPA applies to entities that engage in certain activities and meet certain thresholds: [1798.140. (c)(1)]

A) An entity which:

  • is a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity,
  • is organized or operated for the profit or financial benefit of its shareholders or other owners, and
  • does business in the State of California.

AND

B) Engages in these activities:

  • collects consumers’ personal information (or has it collected on its behalf), and
  • determines, alone or jointly with others, the purposes and means of the processing of California consumers’ personal information.

AND

C) Satisfies one or more of the thresholds below: [1798.140. (c)(1) (A), (B), or (C)]

  • has at least $25 million in annual gross revenues; or [1798.140. (c)(1)(A)]
  • buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households, or devices per year; or [1798.140. (c)(1)(B)]
  • derives at least 50% of its annual revenue from selling California consumers’ personal information. [1798.140. (c)(1)(C)]

An entity that controls or is controlled by an entity meeting the above definition and thresholds, and that shares common branding with that entity, is also subject to CCPA. [1798.140. (c)(2)]

Covered businesses have certain affirmative notice obligations:

Where

  • at or before the “point of collection”
  • in the online privacy policy or policies, if the business has one or more (separate policies may be advisable)

What

  • the categories of personal information to be collected and
  • the purposes for which the categories of personal information shall be used
  • the consumer’s right to request the deletion of their personal information
  • the consumer’s right to “opt-out” of the sale of their personal information (if the business sells personal information to third parties)
    • along with a separate link to the “Do Not Sell My Personal Information” Internet Web page
  • notice of any financial incentive or price or service difference that may be offered by the business
  • any California-specific description of consumers’ privacy rights

Language

  • easy to read and understandable to consumers
    • use plain, straightforward language and avoid technical or legal jargon
    • use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable
    • be available in the languages in which the business, in its ordinary course, provides contracts, disclaimers, sale announcements, and other information to consumers in California
    • be reasonably accessible to consumers with disabilities

How

  • via a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,”
  • to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.
  • shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.

Do-Not-Disclose List.

Companies are never permitted to disclose certain types of data in response to an Access request, including:

  • social security numbers,
  • financial account numbers,
  • account passwords,
  • “unique biometric data generated from measurements,” and
  • “technical analysis of human characteristics.”
[1798.100.(b) and others]

What

  • categories and specific pieces of personal information the business has collected
  • the categories of sources from which the personal information is collected
  • business or commercial purpose for collecting or selling personal information
  • categories of third parties with whom the business shares personal information

When

  • upon receipt of a verifiable consumer request
  • promptly take steps to disclose and deliver
  • at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.

How

  • free of charge to the consumer
  • delivered by mail or electronically

Format

  • if provided electronically, the information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance

Exceptions

A business is not required to:

  • retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained.
  • reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
[1798.110]

What

  • delete the consumer’s personal information from its records, and
  • direct any service providers to delete the consumer’s personal information from their records

Condition

  • upon receipt of a verifiable consumer request

Exemption

If necessary to:

  • Fulfill contractual obligations
    • complete the transaction,
    • fulfill the terms of a written warranty or product recall
    • provide a good or service requested by the consumer
  • Debug to identify and repair errors that impair existing intended functionality
  • Exercise free speech
  • Comply with the California Electronic Communications Privacy Act
  • Engage in public or peer-reviewed scientific, historical, or statistical research
  • Enable solely internal uses that are reasonably aligned with the expectations of the consumer
  • Comply with a legal obligation
  • Otherwise use the consumer’s personal information internally, in a lawful manner that is compatible with the context in which the consumer provided the information
[1798.105.(d)]

Who

  • A business that sells consumers’ personal information to 3rd parties shall provide notice to consumers

What

  • Provide notice that
    • consumer personal information may be sold and
    • consumers have the “right to opt-out” of the sale of their personal information
  • Is prohibited from
    • selling the consumer’s personal information once the consumer has opted out
    • selling at all (a per se prohibition) if the business has actual knowledge that the consumer is less than 16 years of age, unless it has affirmative opt-in from:
      • the consumer, if between 13 and 16 years of age, or
      • the consumer’s parent or guardian, if the consumer is younger than 13 years of age, who has affirmatively authorized the sale of the consumer’s personal information.
  • Direct its third parties to honor the same obligation

When

  • after its receipt of the consumer’s direction

A business shall not discriminate against a consumer for exercising their rights, by

  • Denying goods or services to the consumer.
  • Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
  • Providing a different level or quality of goods or services to the consumer.
  • Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

Not prohibited from

  • charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data.

Permitted to

  • offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information.
    • but must notify consumer
    • only if the consumer gives the business prior opt-in consent
      • consent must clearly describe the material terms of the financial incentive program
      • consent must be revocable by the consumer at any time
      • financial incentives must not be unjust, unreasonable, coercive, or usurious in nature
  • offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.
[1798.125]

Methods

  • two or more designated methods for submitting requests for information
    • at a minimum, a toll-free telephone number
    • a business operating exclusively online is only required to provide an email address for submitting requests for information required to be disclosed
    • if the business maintains an internet website, make the website available to consumers to submit requests for information required to be disclosed

Website

  • If maintaining a website, it is available to consumers to submit requests for information required to be disclosed.

Free of charge

  • Disclose and deliver the required information to a consumer

Time frame for response

  • For delivery of requested information to consumer
    • within 45 days of receiving a verifiable consumer request
  • For confirming that the request is verifiable
    • promptly take steps to determine whether the request is a verifiable consumer request
    • the verification process does not extend the 45-day delivery time frame, except that
      • when reasonably necessary, the period may be extended once by 45 days, provided the consumer is given notice of the extension within the first 45-day period.

Period of coverage

  • The disclosure shall cover the 12-month period preceding the business’ receipt of the verifiable consumer request.

Method of disclosure

  • in writing and
  • delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or
  • by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business,

Format of disclosure

  • in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.
  • The business may require reasonable authentication of the consumer, but:
    • shall not require the consumer to create an account with the business in order to make a verifiable consumer request.
    • If the consumer maintains an account with the business, the business may require the consumer to submit the request through that account.

Train

  • Ensure that all individuals responsible for handling consumer inquiries are trained on consumers’ rights and the business’s obligations.

Respect

  • respect the consumer’s decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.

Exemptions, Penalties, Procedures

Non-profits, and smaller companies that don’t meet the revenue thresholds, and/or those that don’t traffic in large amounts of personal information from California residents, and don’t share a brand with an affiliate that’s covered by the CCPA are exempted.

Data brokers, i.e., companies that collect data (purchase, lease, or otherwise acquire data) from sources other than the affected consumer, only receive an exemption from CCPA notice obligations if they:

  • “register as a data broker” under California’s data broker statute in the Registry, and
  • their California data broker registration informs consumers about how to submit Opt-Out requests.

Service providers, i.e., entities that process personal information on behalf of a covered entity for a business purpose pursuant to a written contract (the equivalent of a “processor” under GDPR), also have obligations under CCPA. They:

  • shall not sell data on behalf of a business they serve when a consumer has opted-out of the sale of their personal information with the business.
  • are limited to using customer data to perform the services specified in the written contract with the business that provided the data.
  • can use customer-provided personal information for “internal use … to build or improve the quality of its services.”
    • The internal R&D with customer information does not include “building or modifying household or consumer profiles,” or “cleaning or augmenting data acquired from another source.”

B2B companies meeting the above requirements are subject to CCPA even if they do not directly interact with consumers.

Failure to Comply with CCPA May Result in:

Organizations face regulatory and reputation risk with customers, government bodies, and the public.

Consumers can bring a private right of action to recover statutory damages in the event of data breach and failure to cure.

Any consumer may institute a civil action:

  • to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident, or actual damages, whichever is greater;
  • injunctive or declaratory relief;
  • any other relief the court deems proper.

Requirements for Breach

  • if their nonencrypted and nonredacted personal information
  • is subject to an unauthorized access and exfiltration, theft, or disclosure
  • as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information

Factors in Assessing Statutory Damages

  • the nature and seriousness of the misconduct,
  • the number of violations,
  • the persistence of the misconduct,
  • the length of time over which the misconduct occurred,
  • the willfulness of the defendant’s misconduct, and
  • the defendant’s assets, liabilities, and net worth.

Requirements Prior to Bringing Suit by Consumer

  • a consumer provides a business 30 days’ written notice
  • identifying the specific provisions of this title the consumer alleges have been or are being violated.

Effect of Cure by Business

  • no action for individual statutory damages or class-wide statutory damages may be initiated against the business, if:
    • within 30 days of breach (assuming cure is available),
    • business actually cures the noticed violation, and
    • provides the consumer an express written statement that the violations have been cured, and
    • that no further violations shall occur.
  • effect of continued violation
    • consumer may initiate an action against the business to enforce the written statement and
    • may pursue statutory damages for each breach of the express written statement,
    • as well as any other violation of the title that postdates the written statement.

No Notice Required for Actual Pecuniary Damages

  • No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title.

A business collecting employment-related information shall comply with the notice provisions with regard to the following:

  • The notice at collection of employment-related information does not need to include the link or web address to the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info”.
  • The notice at collection of employment-related information is not required to provide a link to the business’s privacy policy.

This section will become inoperative on January 1, 2021, unless the CCPA is amended otherwise.

Key Steps

To be CCPA compliant, businesses should follow a 3-stage process and make use of technology. The process below is illustrative and may vary from organization to organization.

How does your business model relate to consumer personal information?

  • Do you sell to 3rd parties?
  • Do you offer financial incentives?

It all begins with knowing where you are.

  • Conduct an assessment of your privacy policies.
  • Build privacy governance program.

In order to identify which data relates to what individual, implement technologies that automatically map the collected data to the individuals, to ensure complete automation and compliance.

Create and build the key competencies.

A self-service model for accommodating consumer requests and the related methods (e.g., verification) will reduce time and complexity.

Prepare and post the relevant policies and place means to check and update, as necessary.

Design and implement methods for implementation, conformance, and change in procedures.

Prepare, review, update vendor (service provider) agreements. Place auditing procedures as necessary.

Finalize and implement internal and external modules.

Monitor incentive plans.

Like any other process, design, build, and implement continuous monitoring and improvement processes.

To meet the obligations imposed by CCPA (right to know, right to request deletion, right to opt out), businesses must have robust means in place to fulfill Data Subject Access Requests (DSARs). For companies holding large volumes of data, manual fulfillment may soon get out of control. Early evaluation and implementation of tools is well advised.

A secure privacy portal or interface with a cybersecurity focus is critical to collect and fulfill requests in a secure environment.

Impose strong security controls including encryption, device trust settings, and auto-expiration of shared links to help prevent accidental leaks of sensitive data.

Use a central repository to hold data and share internally and externally to minimize where personal information is stored.

A process to verify that the requestor is who they say they are is another critical part of compliance. Without a process to authenticate the requestor, the potential for inadvertently compromising an individual’s data is a real risk.

Companies must keep track of when consent is given, when it is retracted, and when the company implements the retraction.
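The record-keeping described here, together with the response time frame (45 days, one 45-day extension on notice) and the 12-month opt-out respect period summarised earlier, can be checked mechanically. The following is an added example, not code from the original article or from any vendor it mentions: a minimal in-memory consent and request ledger. The event names (`opt_in`, `opt_out`, `opt_out_implemented`), the `ConsentLedger` class and the sample consumer ids are all constructed for illustration, and the ledger works at date-only precision.

```python
# Added example (not from the original article): a minimal consent and
# request ledger for CCPA record-keeping. Assumes an in-memory event list
# and date-only precision. Rules encoded: an opt-out is respected for at
# least 12 months before the consumer is asked to authorize sales again,
# and a verifiable consumer request is answered within 45 days, extendable
# once by 45 days when the consumer is notified inside the first 45 days.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

OPT_IN = "opt_in"                            # consumer (or parent/guardian) authorizes sale
OPT_OUT = "opt_out"                          # consumer directs the business to stop selling
OPT_OUT_IMPLEMENTED = "opt_out_implemented"  # business has actually applied the opt-out
KNOWN_KINDS = (OPT_IN, OPT_OUT, OPT_OUT_IMPLEMENTED)


@dataclass(frozen=True)
class ConsentEvent:
    consumer_id: str
    kind: str
    on: date


def twelve_months_after(d: date) -> date:
    """Same calendar date one year later (29 Feb rolls to 28 Feb)."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def response_deadline(received: date, extension_notice: Optional[date] = None) -> date:
    """45 days from receipt; the single 45-day extension counts only if the
    consumer was notified within the first 45-day period."""
    base = received + timedelta(days=45)
    if extension_notice is not None and received <= extension_notice <= base:
        return base + timedelta(days=45)
    return base


@dataclass
class ConsentLedger:
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, consumer_id: str, kind: str, on: date) -> None:
        if kind not in KNOWN_KINDS:
            raise ValueError(f"unknown event kind: {kind}")
        self.events.append(ConsentEvent(consumer_id, kind, on))

    def latest(self, consumer_id: str, kind: str) -> Optional[date]:
        dates = [e.on for e in self.events
                 if e.consumer_id == consumer_id and e.kind == kind]
        return max(dates) if dates else None

    def sale_permitted(self, consumer_id: str, today: date) -> bool:
        """Selling is blocked once an opt-out is on record, unless a later
        opt-in (dated after the opt-out and not in the future) supersedes it."""
        last_out = self.latest(consumer_id, OPT_OUT)
        if last_out is None or last_out > today:
            return True
        last_in = self.latest(consumer_id, OPT_IN)
        return last_in is not None and last_out < last_in <= today

    def may_request_opt_in(self, consumer_id: str, today: date) -> bool:
        """The business may ask the consumer to authorize sales again only
        after respecting the opt-out for at least 12 months."""
        last_out = self.latest(consumer_id, OPT_OUT)
        return last_out is None or today >= twelve_months_after(last_out)

    def unimplemented_opt_outs(self) -> List[str]:
        """Consumers whose latest opt-out has no implementation record dated
        on or after it: the gap a regulator would ask about first."""
        pending = []
        for cid in sorted({e.consumer_id for e in self.events if e.kind == OPT_OUT}):
            done = self.latest(cid, OPT_OUT_IMPLEMENTED)
            if done is None or done < self.latest(cid, OPT_OUT):
                pending.append(cid)
        return pending


if __name__ == "__main__":
    # Constructed sample events, not real consumer data.
    ledger = ConsentLedger()
    ledger.record("c-001", OPT_OUT, date(2020, 7, 1))
    ledger.record("c-002", OPT_OUT, date(2020, 7, 1))
    ledger.record("c-002", OPT_OUT_IMPLEMENTED, date(2020, 7, 3))
    print("sale to c-001 permitted:", ledger.sale_permitted("c-001", date(2020, 7, 2)))
    print("may re-ask c-001 on 2021-06-30:", ledger.may_request_opt_in("c-001", date(2021, 6, 30)))
    print("opt-outs not yet implemented:", ledger.unimplemented_opt_outs())
    print("deadline for request received 2020-07-01:", response_deadline(date(2020, 7, 1)))
```

The ledger is append-only on purpose: retraction is recorded as a new event rather than by editing the earlier consent, so the history of when consent was given, withdrawn, and actually enforced survives for an audit. The `unimplemented_opt_outs` report is the control a privacy team would run daily to catch retractions that have been received but not yet propagated to downstream systems and service providers.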

Set retention policies to keep content while there is a regulatory or business obligation. Dispose when not needed to reduce risk and amount of data subject to requests.

Key Terms

The CCPA has a long list of defined terms (Cal. Civ. Code §1798.140).

Aggregate consumer information means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. Aggregate consumer information does not mean one or more individual consumer records that have been deidentified.

Under CCPA, a Business means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated: [1798.140. (c)(1)]

  • for the profit or financial benefit of its shareholders or other owners that
  • collects consumers’ personal information or on the behalf of which that information is collected and that
  • alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that
  • does business in the State of California, and that
  • satisfies one or more of the thresholds in 1798.140. (c)(1) (A), (B), or (C).

Common branding means:

  • a shared name,
  • service mark, or
  • trademark. (Cal. Civ. Code § 1798.140(c)(2).)

“Control” or “controlled” means:

  • Ownership of or the power to vote more than 50 percent of the outstanding shares of any class of voting security of a business.
  • Control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
  • The power to exercise a controlling influence over the management of a company. (Cal. Civ. Code § 1798.140(c)(2).)

“Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

California Presence:

  • Currently, the CCPA extends to for-profit companies established in California (i.e., doing business in California) and entities that “indirectly” qualify as doing business (i.e., parents and subsidiaries of companies established in California).
  • If a business (even one located outside of California) transacts with California residents and meets the threshold requirements, it is also important to consider whether that business collects the personal information of California residents. The scope of the CCPA is tied to the residency of the consumer: its purpose is to protect the rights of residents of California.

CCPA defines Consumer as a natural person (not a legal entity) who is:

  • a California resident, including every individual who is in the state for other than a temporary or transitory purpose, and
  • every individual who is domiciled in California but is outside the state for a temporary or transitory purpose.

Deidentified means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

  • Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
  • Has implemented business processes that specifically prohibit reidentification of the information.
  • Has implemented business processes to prevent inadvertent release of deidentified information.
  • Makes no attempt to reidentify the information.

“Device” means any physical object that is capable of connecting to the internet, directly or indirectly, or to another device.

Exemptions, when and if available, are based on the information, not on the covered business. This is a critical distinction.

Personal information does not include “publicly available” information. However, the CCPA narrowly defines the “publicly available” term to only mean information lawfully made available from federal, state, or local government records.

The publicly available term does not include:

  • Data used for a purpose not compatible with the public recordkeeping purpose that caused the government entity to maintain or make the data available.
  • Biometric information collected without the person’s knowledge.
  • De-identified or aggregate consumer data. (Cal. Civ. Code §1798.140(o)(2).)

The CCPA also does not apply to information that is subject to other federal regulation, including:

  • the Health Insurance Portability and Accountability Act (HIPAA);
  • the Gramm-Leach-Bliley Act (GLBA);
  • the Fair Credit Reporting Act (FCRA);
  • the Drivers’ Privacy Protection Act (DPPA); or
  • the California Confidentiality of Medical Information Act (CMIA).

The CCPA, however, will apply to entities covered by these laws to the extent they collect and process other personal information about consumers.

CCPA defines Personal Information as “Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

This can include:

  • Personal identifiers, such as
    • a real name,
    • alias,
    • postal address,
    • unique personal identifier,
    • IP address,
    • email address,
    • account name,
    • social security number,
    • driver’s license number,
    • passport number, or
    • other similar identifiers.
  • Personal information categories described in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), which in addition to the identifiers described above, also lists a person’s:
    • signature,
    • physical characteristics or description,
    • state identification card number,
    • insurance policy number,
    • education,
    • employment or employment history,
    • bank account number,
    • credit card number,
    • debit card number,
    • or any other financial information,
    • medical information or health insurance information.
  • Commercial information, including records of
    • personal property,
    • products or services purchased, obtained, or considered, or
    • other purchasing or consuming histories or tendencies.
  • Characteristics of protected classifications under California or federal law, like race, religion, gender, national origin, or sexual orientation (see State Q&A, Anti-Discrimination Laws: California).
  • Internet or other electronic network activity information, including, but not limited to
    • browsing history,
    • search history, and
    • information regarding a California resident’s interaction with an internet web site, application, or advertisement.
  • Geolocation data.
  • Biometric information.
  • Audio, electronic, visual, thermal, olfactory, or similar information,
  • Professional or employment-related information.
  • Education information, defined as nonpublic personally identifiable information under the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g and 34 C.F.R. Part 99).
  • Inferences drawn from any of these personal information categories to create a profile about a consumer reflecting the consumer’s:
    • preferences;
    • characteristics;
    • psychological trends;
    • predispositions;
    • behavior;
    • attitudes;
    • intelligence;
    • abilities; or
    • aptitudes.

Personal information does not include consumer information that is deidentified or aggregate consumer information.

Only one CCPA section, the one providing a private right of action for certain data breaches, applies to personal information governed by:

  • the Gramm-Leach-Bliley Act (GLBA);
  • the California Financial Information Privacy Act; or
  • the Driver’s Privacy Protection Act of 1994.

The CCPA’s other provisions do not. (Cal. Civ. Code 1798.145(e)-(f).)

Service provider means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that:

  • Processes information on behalf of a business;
  • Receives personal information
    • directly from a business;
    • for a business purpose only; and
    • under a written contract, which
      • prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than for performing the services specified in the contract or as otherwise permitted by this title (Cal. Civ. Code § 1798.140(v)), and
      • must include a certification that the recipient understands the restrictions and will comply with them. (Cal. Civ. Code § 1798.140(w).)

Sell, for purposes of the CCPA, is defined broadly and includes any of the following acts by the business with respect to a consumer’s personal information, to another business or third party, for monetary or other valuable consideration:

  • selling,
  • renting,
  • releasing,
  • disclosing,
  • disseminating,
  • making available,
  • transferring, or
  • otherwise communicating orally, in writing, or by electronic or other means.

Third party means a person or entity other than

  • the business collecting personal information from consumers under the CCPA;
  • the Service Provider as defined by CCPA.

The third party definition excludes Service Providers as defined under the CCPA.

Notice and Disclaimer

The content in this article (and site) is merely intended as a non-exhaustive informational resource. The best practice is to find someone who has the expertise necessary to provide you with meaningful legal advice. The information in this article (and site) neither constitute legal advice nor creates an attorney-client relationship. Readers should not act upon this information without seeking professional counsel. This information is provided without any knowledge as to the reader’s industry, identity, or specific circumstances. The application and impact of relevant laws will vary from jurisdiction to jurisdiction. There may also be delays, omissions, or inaccuracies in information contained in this article (and site). Material contained in this article (and site) may be considered advertising under the professional rules of conduct. The hiring of a lawyer is an important decision that should not be based solely on advertisements.