California Consumer Privacy Act

California Consumer Privacy Act Basics

The California Consumer Privacy Act (CCPA) is a state law that provides California residents rights when dealing with businesses that collect and sell their personal information.

History

2018

California Consumer Privacy Act Signed Into Law and Amended

The California Consumer Privacy Act (CCPA) began as a ballot initiative sponsored by Californians for Consumer Privacy. After obtaining 629,000 signatures—more than the requisite 365,000 signatures to qualify for the ballot—Californians for Consumer Privacy negotiated a legislative deal and withdrew the initiative. The negotiated legislative compromise, Assembly Bill 375, was signed into law in June.

In an attempt to clarify legislative intent and correct technical drafting errors in AB 375, the first round of amendments to the CCPA was passed in September 2018 as Senate Bill 1121. These amendments included

  • clarification about the age range that requires opt-in consent from a business (to cover only children under 16)
  • changes to the definition of personal information
  • a narrowing of the ability for an individual to recover damages in a private right of action
  • a delay in enforcement of the CCPA from January 2020 to July 2020

2019

California Consumer Privacy Act Amended

Assembly Bill 25 (AB 25)

AB 25 was passed to exempt from the CCPA (until January 1, 2021) any personal information collected by employers from job applicants, employees or contractors.

Assembly Bill 874 (AB 874)

AB 874 changed the definition of personal information and publicly available information to specifically exclude de-identified and aggregate information.

Assembly Bill 1146 (AB 1146)

AB 1146 added an exception to the right to opt out of the sale or sharing of personal information when that information is being retained or shared between a motor vehicle dealer and the vehicle’s manufacturer, if that retention or sharing is for the purpose of carrying out a vehicle warranty or recall.

It also provided an exception to the right to delete when the information that the business possesses must be retained in order to fulfill the terms of a written warranty or product recall.

Assembly Bill 1355 (AB 1355)

AB 1355 clarified that a business is permitted to treat consumers who exercise their rights differently when the differential treatment is reasonably related to the value provided to the business by the person’s data. It also introduced an exception to the majority of the CCPA for any activity involving the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a person’s credit—including by consumer reporting agencies—when that business is covered by the Fair Credit Reporting Act.

Assembly Bill 1564 (AB 1564)

AB 1564 modified the requirement that a business provide two or more methods of contact for individuals to submit their access, deletion and opt-out requests, including, at a minimum, a toll-free telephone number. It also allowed businesses that operate exclusively online and have a direct relationship with a consumer to forgo a toll-free telephone number.

2020

California Consumer Privacy Act in Effect

The CCPA became operative law on January 1, and enforcement began on July 1. Following a public comment period, implementing regulations for the CCPA went into effect on August 14, 2020.

California Privacy Rights Act—Proposition 24—Passed on the Ballot

On November 3, 2020, California voters passed Proposition 24, a ballot initiative amending the CCPA. The California Privacy Rights Act established a dedicated California Privacy Protection Agency and expanded the private right of action available when a business fails to use reasonable security and improperly exposes information.

2021

California Privacy Protection Agency Board Members Appointed and Rulemaking Process Began

On March 17, 2021, Governor Gavin Newsom, Attorney General Xavier Becerra, Senate President pro Tempore Toni G. Atkins, and Assembly Speaker Anthony Rendon announced the names of the five board members of the California Privacy Protection Agency:

  • Lydia de la Torre
  • Vinhcent Le
  • Angela Sierra (who would retire the following year and be replaced by Alastair Mactaggart)
  • John Christopher Thompson
  • Jennifer Urban

On September 22, the agency began the rulemaking process, and in October the board hired Ashkan Soltani as the agency’s first executive director.

2023

Amendments to the CCPA in the California Privacy Rights Act Take Effect

On January 1, 2023, the amendments to the CCPA contained in the CPRA became operative law. Enforcement of the act does not commence until July 1, 2023.

Scope

Who

The California Consumer Privacy Act (CCPA) applies to businesses that collect the personal data of California residents and satisfy (alone, as a parent company or as a subsidiary) one or more of the following:[1]

  • has annual gross revenues exceeding $25 million
  • annually buys, sells, or shares the personal information of 100,000 or more consumers or households
  • derives 50 percent or more of its annual revenue from selling personal information

The CCPA also applies, to a lesser extent, to contractors and service providers.

A service provider is a person or business that receives personal information from a business in order to fulfill a contractual obligation or perform a service for the business.[2]

A contractor is a person who receives personal information from a business pursuant to a written contract with the business.[3]

Although a service provider or contractor does not have to comply with a person’s requests in the same way as a business, it still must cooperate with its contracting business in responding to those requests.[4]

The CCPA imposes numerous restrictions and obligations on the contracts between businesses and service providers or contractors, requiring that service providers and contractors be contractually prohibited from retaining, using or sharing personal information for any purpose other than fulfilling their contractual obligations.[5]

What

Personal Information[6]

The CCPA provides individuals rights of access, deletion, and control when interacting with businesses that collect and sell (or share) their personal information—information that

  • identifies
  • relates to
  • describes
  • is capable of being associated with
  • could reasonably be linked (directly or indirectly)

with a particular individual or household.

Examples of personal information include

  • personal identifiers
  • commercial information
  • biometric information
  • internet or other electronic network activity information
  • geolocation data
  • audio, electronic, visual, thermal, olfactory, or similar information
  • professional or employment-related information
  • education information (as defined in the federal Family Educational Rights and Privacy Act)
  • inferences drawn from any of the above information for purposes of creating a profile about someone—reflecting their
    • preferences
    • characteristics
    • psychological trends
    • predispositions
    • behavior
    • attitudes
    • intelligence
    • abilities
    • aptitudes
  • sensitive personal information

Sensitive Personal Information[7]

Sensitive Personal Information is afforded heightened protections under the CCPA and refers to personal information that reveals one's

  • Social Security number
  • driver’s license
  • state identification card
  • passport number
  • account log-in credentials, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account
  • precise geolocation
  • racial or ethnic origin
  • religious or philosophical beliefs
  • union membership
  • mail, email and text message contents unless the business is the intended recipient of the communication
  • genetic data

Sensitive personal information further encompasses

  • the processing of biometric information for the purposes of uniquely identifying an individual
  • personal information collected and analyzed concerning an individual’s health
  • personal information collected and analyzed concerning someone’s sex life or sexual orientation

Exemptions

Law Enforcement

Businesses are not required to comply with the CCPA

  • when compliance would restrict the business’s ability to comply with federal, state, or local laws, or with a civil, criminal, or regulatory investigation[8]
  • when necessary to cooperate with law enforcement concerning activity the business reasonably believes may violate federal, state, or local law, or to provide emergency access to an individual’s personal information if a person is at risk of serious physical injury or death[9]

Employment Data

The CCPA does not apply to personal information collected by an employer from job applicants, employees or contractors.[10]

Vehicle Data for Repair, Warranty or Recall

The CCPA provides an exemption from the right to opt out and the right to delete with respect to vehicle or ownership information retained by a motor vehicle dealership in order to effectuate a repair, warranty or recall.[11]

Deidentified and Aggregate Data

The CCPA also includes an exemption for a business’s use, collection, sharing and disclosure of deidentified or aggregate personal information.[12]

Deidentified refers to information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular person. For data to be considered deidentified, a business must take certain steps to ensure that the information cannot be linked back to the individual, including publicly committing not to re-identify the information and contractually obligating any recipients of the deidentified information to do the same.[13]

Aggregate means information that relates to a group or category of people, from which individual identities have been removed.[14] The CCPA requires that aggregate personal information not be reasonably linkable to any individual, household or device.

Personal Information or Practices Covered Under Other Law

There are also exemptions in the CCPA for personal information or practices already covered by various federal or California laws including

  • medical information governed by the Confidentiality of Medical Information Act[15]
  • protected health information collected by covered entities under the Health Insurance Portability and Accountability Act
  • the collection, maintenance, sale and disclosure of personal information impacting someone’s creditworthiness, when that activity is already covered by the Fair Credit Reporting Act[16]
  • information subject to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act[17]
  • information covered by the Driver’s Privacy Protection Act[18]

Certain Education-Related Situations

The CCPA does not require businesses to comply with a request to delete personal information when that request applies to a student’s grades, educational scores or educational test results that the business holds on behalf of a local educational agency.[19] Nor does it require a business to disclose an educational assessment or exam, or someone’s specific responses to an educational assessment, if doing so would jeopardize the validity and reliability of that exam.[20]

Publicly Available Information

The CCPA does not apply to publicly available information, meaning information that[21]

  • is lawfully made available from government records
  • a business has a reasonable basis to believe has been made available to the general public by the individual or by widely distributed media
  • is communicated by an individual, if that person made no effort to restrict the information to a specific audience

Rights

California residents have several rights under the California Consumer Privacy Act (CCPA):

  • Right to Know
  • Right to Delete
  • Right to Opt Out
  • Right to Opt In for Minors
  • Right to Limit the Use and Sharing of Sensitive Personal Information
  • Right to Not Be Discriminated Against for Exercising CCPA Rights

Right to Know[22]

Individuals have the right to know what personal information is being collected about them, and the right to know whether their personal information has been sold or disclosed to third parties.

Individuals can exercise their Right to Know by making a verified request to the business, requiring the business to disclose the

  • categories of personal information it has collected about that individual[23]
  • specific pieces of personal information the business collected about them[24]
  • categories of sources from which personal information is collected[25]
  • categories of third parties to whom the business discloses personal information[26]
  • business or commercial purpose for collecting, selling, or sharing personal information[27]

Additionally, this right is embodied in the various disclosures that businesses must make in their

  • privacy policies
  • websites
  • notices at or before the point of personal information collection

Businesses that collect individuals’ personal information must include a notice at or before the point of collection that provides the[28]

  • categories of personal information (and if collected, sensitive personal information) being collected
  • business purposes for each category
  • length of time the business intends to retain each category of information

In its privacy policy, a business must disclose[29]

  • a description of the rights available under the CCPA
  • two or more designated methods for submitting CCPA requests[30]
  • a list of the categories of personal information it has shared or sold in the preceding year
  • separate Do Not Sell or Share My Personal Information and Limit the Use of My Sensitive Personal Information links to enable someone to exercise their privacy rights

Access (Download) Personal Information[31]

Individuals have a right to request a downloadable copy of the personal information collected by the business.[32] Once a verifiable request is made, the business must comply, free of charge, within 45 days.[33] The data must be delivered to the individual in a portable, technically feasible and readily usable format.[34]

Personal information that was collected more than 12 months before the individual’s request, and collected on or after January 1, 2022, must be included within the delivery, unless doing so proves impossible or would involve a disproportionate effort.[35]

Individuals have a right to download their data twice within any 12-month period.[36]

Right to Correct Inaccurate Information[37]

Individuals have the right to request that a business that maintains inaccurate personal information about them correct that information.[38] When a business receives a verified request to correct inaccurate personal information, it must use commercially reasonable efforts, taking into account the nature of the personal information and the purpose of the processing, to make that correction.[39]

Right to Delete[40]

Individuals have the right to request that a business delete any personal information that the business has collected from them.[41]

Businesses have ten days to confirm receipt of a request to delete information, and are required to respond to the request within 45 days.[42] If the business cannot verify the consumer within that 45-day window, it may deny the request.[43]

Businesses that receive a verifiable request to delete personal information are required to take efforts to ensure that all entities to whom the business has sold or with whom it has shared the individual’s personal information also comply with the deletion request.[44] Service providers are required to cooperate with a business in responding to a verified request and may have to pass that request on to their own service providers.[45]

The right to delete does not require a business to delete personal information if

  • the business is unable to verify the identity of the individual submitting the request[46]
  • the request proves impossible or involves disproportionate effort[47]
  • it is necessary for the business/service provider to maintain the personal information to complete a transaction for which it was collected[48]
  • it helps ensure security and integrity of the use of the individual’s personal information[49]
  • it is used to identify and maintain intended functionality[50]
  • it is for the exercise of free speech[51]
  • it is being used in public or peer-reviewed research[52]
  • it is being retained solely for internal uses that are aligned with reasonable consumer expectations[53]
  • it is required for compliance with the California Electronic Communications Privacy Act[54]
  • it is required for compliance with a legal obligation[55]
  • the business can rely on another exemption

Right to Opt Out[56]

Individuals have the right, at any time, to direct a business not to sell or share their personal information.[57] Businesses must provide a clear and conspicuous link on their website’s homepage (stating Do Not Sell or Share My Personal Information) that enables an individual (or authorized representative) to opt out of the sale or sharing of their personal information.[58]

Businesses are also required to accept and interpret opt-out preference signals sent by browsers or devices as valid CCPA opt-out requests.[59] This means that, where the manufacturer or developer has implemented such a signal, a privacy choice set in an app’s or device’s settings can automatically communicate the individual’s opt-out to a business when the individual visits its website.

Right to Opt In for Minors

When a business has actual knowledge that an individual is under the age of 16, it can only sell or share that individual’s personal information if the minor (ages 13 to 16) or a parent or guardian (under 13) provides affirmative authorization for that specific sale or sharing.[60]

Right to Limit the Use and Sharing of Sensitive Personal Information[61]

Individuals have the right, at any time, to tell a business to limit its use of their sensitive personal information to that which is reasonably necessary to perform the underlying services or provide the product that the individual requested.[62]

Businesses must either

  • provide a clear and conspicuous link on their website’s homepage (stating Limit the Use of My Sensitive Personal Information) that leads to a page that enables an individual (or authorized representative) to limit the use or disclosure of their sensitive personal information[63]
  • allow individuals to exercise this right through an opt-out preference signal in a frictionless manner[64]

A business that receives such a direction is prohibited from selling, sharing, retaining, using or disclosing that sensitive personal information for any purpose other than the specific purpose of performing the services requested by the individual.[65] Additionally, a business must wait at least 12 months before requesting that the individual allow it to resume that activity.[66]

Right to Not Be Discriminated Against for Exercising CCPA Rights[67]

A business may not discriminate against an individual for exercising his or her privacy rights. This means that businesses cannot, in response to someone exercising a CCPA right,[68]

  • deny goods or services
  • charge different prices/rates for goods or services (including discounts or other benefits or imposing penalties)
  • provide a different level or quality of goods or services
  • suggest that the individual will receive a different price or rate for goods/services or a different level or quality of goods or services
  • retaliate against an employee, applicant for employment or independent contractor

However, the CCPA does not prevent a business from offering a different price or service if that difference is reasonably related to the value provided to the business by the individual’s data.[69]

Additionally, a business is not prohibited from offering financial incentives, including payments, to individuals as compensation for the collection, sale or retention of their personal information. A business may enter an individual into a financial incentive program only if the individual[70]

  • is provided with the material terms of the financial incentive program
  • gives the business prior opt-in consent
  • is able to revoke their participation at any time

If an individual refuses to provide opt-in consent, the business must wait at least 12 months before again requesting that the individual provide opt-in consent.[71]

Enforcement

California Privacy Protection Agency[72]

The California Privacy Protection Agency is the first of its kind in the United States: an independent agency focused on administratively enforcing state-specific consumer privacy regulations.[73] This agency has authority to both write and enforce the regulations implementing the California Consumer Privacy Act (CCPA).[74]

The California Privacy Protection Agency is governed by an appointed five-member board, including the Chair.[75] The Chair and one other member of the board are appointed by the Governor,[76] with the remaining board members appointed, one each, by the Attorney General, the Senate Rules Committee and the Speaker of the Assembly.[77] Each appointed member must be a Californian with expertise in privacy, technology and consumer rights.[78]

This agency pursues enforcement actions for noncompliance with the CCPA. Businesses can be subject to an administrative fine of no more than $2,500 for each violation, or $7,500 for each intentional violation and each violation involving individuals under 16 years of age.[79]

At its discretion, the California Privacy Protection Agency may provide a business with a time period to cure its noncompliance with the CCPA.[80]

Consumer Privacy Fund

The Consumer Privacy Fund is a fund created by the CCPA within the General Fund, whose primary purpose is offsetting the costs incurred by the state courts and the Attorney General in connection with enforcing the CCPA.[81] The proceeds of any settlement or judgment in an enforcement action are transferred to the Fund.[82] After the costs of the state courts and the Attorney General are paid, the remaining funds are used exclusively for the following:

  • 91% of the fund is invested by the California State Treasurer in financial assets with the goal of maximizing long-term yields
  • 9% of the fund is dedicated to funding organizations that promote, protect and educate on consumer privacy, or that combat fraudulent consumer data breaches

This fund is not subject to appropriation or transfer by the Legislature for any other purpose.[83]

California Attorney General’s Office

The California Attorney General has civil enforcement authority and can seek injunctions and civil penalties in court on behalf of the people of the State of California.[84] The Attorney General’s Office may seek up to $2,500 for each violation or up to $7,500 for each intentional violation and each violation involving the personal information of minors.[85]

The Attorney General may also request that the California Privacy Protection Agency not move forward with an administrative action so that the Attorney General may proceed with an investigation or civil action.[86] If the California Privacy Protection Agency has already issued an administrative action, the Attorney General will be unable to file a civil action for the same violation.[87]

Private Right of Action for Data Breach

Under a limited private right of action, individuals can independently or collectively sue to recover damages when a business fails to implement and maintain reasonable security procedures, causing personal information to be exposed through unauthorized access and exfiltration, theft or disclosure.[88]

Individuals may recover between $100 and $750 per person, per incident, or actual damages (whichever is greater). They may also obtain injunctive or declaratory relief (or any other relief the court deems proper).[89]

Before an individual initiates an action against a business for statutory damages, the individual must first provide the business with 30 days’ written notice identifying the specific provisions of the CCPA that the individual alleges have been or are being violated.[90] If the noticed violation can be cured and the business cures it* and provides the person an express written statement that the violations have been cured and that no further violations shall occur, no action for individual or class-wide statutory damages may be initiated against the business.[91]

* It is currently unclear what a business must do to cure a data breach.

Notes

  1. Cal. Civ. Code § 1798.140(d)
  2. Cal. Civ. Code § 1798.140(ag)
  3. Cal. Civ. Code § 1798.140(j)(1)
  4. Cal. Civ. Code § 1798.105(c)(3)
  5. Cal. Civ. Code §§ 1798.140(ag)(1), 1798.140(j)(1)
  6. Cal. Civ. Code § 1798.140(v)(1)
  7. Cal. Civ. Code § 1798.140(ae)
  8. Cal. Civ. Code §§ 1798.145(a)(1), 1798.145(a)(2)
  9. Cal. Civ. Code §§ 1798.145(a)(3), 1798.145(a)(4)
  10. Cal. Civ. Code § 1798.145(m)
  11. Cal. Civ. Code § 1798.145(g)
  12. Cal. Civ. Code §§ 1798.145(a)(6), 1798.140(v)(3)
  13. Cal. Civ. Code § 1798.140(m)
  14. Cal. Civ. Code § 1798.140(b)
  15. Cal. Civ. Code § 1798.145(c)(1)
  16. Cal. Civ. Code § 1798.145(d)(2)
  17. Cal. Civ. Code § 1798.145(e)
  18. Cal. Civ. Code § 1798.145(f)
  19. Cal. Civ. Code § 1798.145(q)(1)
  20. Cal. Civ. Code § 1798.145(q)(2)
  21. Cal. Civ. Code § 1798.140(v)(2); see also § 1798.140(ae)(3)
  22. Cal. Civ. Code § 1798.110
  23. Cal. Civ. Code § 1798.110(a)(1)
  24. Cal. Civ. Code § 1798.110(a)(5)
  25. Cal. Civ. Code § 1798.110(a)(2)
  26. Cal. Civ. Code § 1798.110(a)(4)
  27. Cal. Civ. Code § 1798.110(a)(3)
  28. Cal. Civ. Code § 1798.100(a)
  29. Cal. Civ. Code § 1798.130(a)(5)
  30. Cal. Civ. Code § 1798.130(a)(5)(A)
  31. Cal. Civ. Code § 1798.110
  32. Cal. Civ. Code § 1798.130(a)(2)(A)
  33. Id.
  34. Id.
  35. Cal. Civ. Code § 1798.130(a)(2)(B)
  36. Cal. Civ. Code § 1798.130(b)
  37. Cal. Civ. Code § 1798.106
  38. Cal. Civ. Code § 1798.106(a)
  39. Cal. Civ. Code § 1798.106(c)
  40. Cal. Civ. Code § 1798.105
  41. Cal. Civ. Code § 1798.105(a)
  42. 11 Cal. Code Regs. § 7021
  43. 11 Cal. Code Regs. § 7021(b)
  44. Cal. Civ. Code § 1798.105(c)
  45. Cal. Civ. Code § 1798.105(c)(3)
  46. 11 Cal. Code Regs. § 7022(a)
  47. Cal. Civ. Code § 1798.105(c)
  48. Cal. Civ. Code § 1798.105(d)(1)
  49. Cal. Civ. Code § 1798.105(d)(2)
  50. Cal. Civ. Code § 1798.105(d)(3)
  51. Cal. Civ. Code § 1798.105(d)(4)
  52. Cal. Civ. Code § 1798.105(d)(6)
  53. Cal. Civ. Code § 1798.105(d)(7)
  54. Cal. Civ. Code § 1798.105(d)(5)
  55. Cal. Civ. Code § 1798.105(d)(8)
  56. Cal. Civ. Code § 1798.120
  57. Cal. Civ. Code § 1798.120(a)
  58. Cal. Civ. Code § 1798.120(b)
  59. Cal. Civ. Code § 1798.135(e); see also 11 Cal. Code Regs. § 7026(c)
  60. Cal. Civ. Code § 1798.120(c)
  61. Cal. Civ. Code § 1798.121
  62. Cal. Civ. Code § 1798.121(a)
  63. Cal. Civ. Code § 1798.135(a)(2)
  64. Cal. Civ. Code § 1798.135(b)(1)
  65. Cal. Civ. Code § 1798.135(f)
  66. Cal. Civ. Code §§ 1798.135(c)(4), 1798.135(c)(5)
  67. Cal. Civ. Code § 1798.125
  68. Cal. Civ. Code § 1798.125(a)(1)
  69. Cal. Civ. Code §§ 1798.125(a)(2), 1798.125(b)
  70. Cal. Civ. Code § 1798.125(b)(3)
  71. Id.
  72. Cal. Civ. Code § 1798.199.10
  73. Cal. Civ. Code § 1798.199.10(a)
  74. Cal. Civ. Code § 1798.185(d)
  75. Cal. Civ. Code § 1798.199.10(a)
  76. Id.
  77. Id.
  78. Cal. Civ. Code § 1798.199.15(a)
  79. Cal. Civ. Code § 1798.155(a)
  80. Cal. Civ. Code § 1798.199.45(a)
  81. Cal. Civ. Code § 1798.160(a)
  82. Cal. Civ. Code § 1798.155(b)
  83. Cal. Civ. Code § 1798.160(c)
  84. Cal. Civ. Code § 1798.199.90
  85. Cal. Civ. Code § 1798.199.90(a)
  86. Cal. Civ. Code § 1798.199.90(c)
  87. Cal. Civ. Code § 1798.199.90(d)
  88. Cal. Civ. Code § 1798.150(a)
  89. Cal. Civ. Code § 1798.150(a)(1)
  90. Cal. Civ. Code § 1798.150(b)
  91. Id.