The California Consumer Privacy Act (CCPA) is a state law that provides California residents rights when dealing with businesses that collect and sell their personal information.
A Brief History
The California Consumer Privacy Act Signed Into Law and Amended
The CCPA began as a ballot initiative sponsored by Californians for Consumer Privacy. After obtaining the requisite signatures to qualify for the ballot, Californians for Consumer Privacy negotiated a legislative deal and withdrew the initiative. The CCPA was signed into law in June as Assembly Bill 375 (AB 375).
In an attempt to clarify legislative intent and fix technical drafting errors in AB 375, the first round of amendments to the CCPA was passed in September 2018 in Senate Bill 1121. These amendments included
- clarification about the age range that requires opt-in consent from a business (to cover only children under 16)
- changes to the definition of personal information
- a narrowing of the ability for a consumer to recover damages in a private right of action
- a delay in enforcement of the CCPA from January 2020 to July 2020
The California Consumer Privacy Act was Amended
While dozens of CCPA-related amendments were introduced in 2019, only five were signed into law.
Assembly Bill 25 (AB 25)
AB 25 clarified that the CCPA does not apply to personal information collected from job applicants, employees or contractors.
Assembly Bill 874 (AB 874)
AB 874 changed the definition of personal information to specifically exclude de-identified and aggregate information. It also modified the definition of publicly available, removing a requirement that publicly-available information be used for a purpose that is compatible with the purpose the data was originally collected or maintained.
Assembly Bill 1146 (AB 1146)
AB 1146 added an exception to the right to opt out of the sale or sharing of personal information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of carrying out a vehicle warranty or recall. It also provided an exception to the right to delete when the information that the business possesses is necessary to maintain in order to fulfill the terms of a written warranty or product recall.
Assembly Bill 1355 (AB 1355)
AB 1355 clarified that a business is permitted to treat consumers who exercise their rights differently when the differential treatment is reasonably related to the value provided to the business by the consumer’s data. It also introduced an exception to the majority of the CCPA for any activity involving the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by certain parties (including consumer reporting agencies).
Assembly Bill 1564 (AB 1564)
AB 1564 modified the requirement that a business include two or more methods of contact for consumers to submit their access, deletion and opt-out requests including a toll-free telephone number (at a minimum). It also allowed businesses that operate exclusively online and that have a direct relationship with a consumer to forgo a toll-free telephone number.
The California Consumer Privacy Act Went Into Effect
On January 1, the CCPA went into effect, providing California residents rights when dealing with businesses that collect and sell their personal information.
Who Must Comply
Businesses must comply if they receive personal data from California residents and they (or their parent company/subsidiary) satisfy one or more of these thresholds
- annual gross revenues in excess of $25 million (as adjusted for any increase in the Consumer Price Index in January of every odd-numbered year)
- annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices
- derives 50 percent or more of its annual revenues from selling consumers’ personal information
Personal information is information that
- relates to;
- is capable of being associated with; or
- could reasonably be linked (directly or indirectly)
with a particular consumer or household.
Examples of personal information include
- personal identifiers
- commercial information
- biometric information
- internet or other electronic network activity information
- geolocation data
- audio, electronic, visual, thermal, olfactory, or similar information
- professional or employment-related information
- education information (as defined in the federal Family Educational Rights and Privacy Act)
Publicly available information (including information that is lawfully made available from federal, state or local government records) is not considered personal information.
Under the CCPA, individuals have the right to
- know whether and what personal information has been collected
- request that a business delete any personal information the business has collected
- download their data (to take to a different service)
- opt out of the sale of their personal information
- opt in to information selling (for minors)
- exercise their rights without being discriminated against
Right to Know
Individuals can request that a business disclose the
- categories of personal information it has collected about them
- categories of sources from which the personal information was collected
- business or commercial purpose for collecting or selling personal information
- categories of third parties with whom the business shares personal information
- specific pieces of personal information it has collected about them
Right to Delete
California residents can request that a business delete any personal information it has collected from them. The right to delete does not require a business to delete personal information
- if it is necessary for the business/service provider to maintain it to complete a transaction for which it was collected
- concerning security incidents
- to protect against malicious, deceptive, fraudulent or illegal activity
- to exercise free speech
Right to Download
Individuals have the right to download their data so they can take it to a different service. The business must offer this free of charge and deliver the data in a portable, technically-feasible and readily-useable format.
Right to Opt Out of Information Selling
Businesses must provide a clear link on their website’s homepage (stating Do Not Sell My Personal Information) to a page that enables an individual (or authorized representative) to opt out of the sale of their personal information.
Right to Opt In to Information Selling (for Minors)
When a business knows individuals are under the age of 16, it can only sell their personal information if they (ages 13 – 16) or their parent/guardian (under 13) provide affirmative authorization.
Right to Non-Discrimination
A business cannot discriminate against individuals for exercising their privacy rights. This includes
- denying goods or services
- charging different prices/rates for goods or services (including the use of discounts/other benefits or imposing penalties)
- providing a different level or quality of goods or services
- suggesting that the person will receive a different price/rate for goods or services or a different level/quality of goods or services
The CCPA does not prevent a business from offering a price or service difference, if it is reasonably related to the value of the individual’s data.
The California Attorney General has primary enforcement authority and can take action against noncompliance with the CCPA. Covered businesses can be subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.
The CCPA gives businesses the ability to cure any alleged violation within 30 days after being notified of alleged noncompliance.
The CCPA contains a built-in funding mechanism called the Consumer Privacy Fund. Any civil penalty or settlement proceeds are deposited in the fund and used exclusively to offset any costs incurred by the state courts and the Attorney General in connection with the CCPA.
Additionally, under a limited private right of action, individuals can sue to recover damages if a business fails to implement and maintain reasonable security procedures causing personal information to be subject to unauthorized
- access and exfiltration;
- theft; or
Individuals may recover between $100 and $750 per person per incident or actual damages (whichever is greater). They may also obtain injunctive or declaratory relief (or any other relief the court deems proper).