CCPA at a glance

What is the CCPA?

The California Consumer Privacy Act (CCPA) gives California consumers more control over the personal information that businesses collect about them. Under the CCPA, a business must respond to a consumer's request to disclose the personal information it has collected about them, together with the categories of third parties with whom that information has been shared or sold. The law also gives consumers a limited right to sue: a consumer may bring an action when their nonencrypted and nonredacted personal information is exposed in a data breach caused by the business's failure to maintain reasonable security procedures and practices, while all other violations are enforced by the California Attorney General. The law went into effect on January 1, 2020, and enforcement began July 1, 2020.

What companies are affected?

The CCPA applies to any for-profit entity that does business in California, collects the personal information of California consumers, and meets at least one of the following criteria:

  • Has gross annual revenue of more than $25 million

  • Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices

  • Derives 50% or more of its annual revenue from selling consumers' personal information

The CCPA protects consumers who reside in California, including individuals who are domiciled in California but are temporarily living outside the state.

What are the consequences for a company that isn't in compliance?

A company not in compliance with the CCPA faces two types of penalties. Either one can do serious financial damage to a business.

  • Fines. Once notified of an alleged violation by the Attorney General, a company has 30 days to cure it. If the issue isn't resolved in that time frame, the company can be fined up to $2,500 per unintentional violation and up to $7,500 per intentional violation.

  • Lawsuits. For the first time, the law gives individuals a private right of action, including class actions for damages, for certain data breaches (the conditions are described in the FAQ below).

What types of data are covered?

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, and other similar identifiers

  • Biometric information

  • Internet or other electronic network activity information

    • Browsing history; search history; information regarding a consumer's interaction with a website, application, or advertisement

  • Geolocation data

[Map: states currently working on consumer privacy legislation. Last updated: 5/10/2021]

Resources

The full text of the CCPA is available in the California Law section of the California Legislative Information website.

The CCPA page on the California Attorney General's website provides official background information and resources on the law.

CCPA Compliance Consulting
Frequently Asked Questions (FAQ)

A. GENERAL INFORMATION

What rights do California consumers have?

Under the CCPA, consumers have been granted specific rights, including the right to:

  • Request access to the personal information a business has collected from or about them
  • Request that their personal information be deleted
  • Not be discriminated against for exercising their rights under the CCPA
  • Opt out of the sale of their personal information

What if a consumer is not a California resident?

Only California residents have rights under the CCPA. In legal terms, a California resident is a natural person (as opposed to a corporation or other business entity) who lives in California, or who is domiciled in California even if temporarily living outside the state.

What is considered personal information under the CCPA?

Personal information is any information that identifies, relates to, or could reasonably be linked with a user or the user's household. Common types of personal information, both collected by businesses and protected under the CCPA, include:

  • Names
  • Contact information (e.g., email address, phone number)
  • Residential information
  • Employment history
  • ID information (e.g., Social Security number, employee ID number)
  • Credit card information
  • Biometric data
  • Browsing information
  • Information collected by cookies or similar tracking technologies (cookie data)
  • Visual, audio, facial, and thermal data

The official CCPA text further outlines types of protected personal information.

What is not considered personal information under the CCPA?

Personal information does not include publicly available information from federal, state, or local government records, such as professional licenses and public real estate/property records.

What businesses does the CCPA apply to?

The CCPA applies to for-profit companies that do business in California and meet at least one of the following criteria:

  • Have a gross annual revenue of over $25 million
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices
  • Derive 50% or more of their annual revenue from selling California residents' personal information

Does the CCPA apply to nonprofits or government agencies?

No. The CCPA does not apply to nonprofit organizations or government agencies. Note, however, that an entity that controls or is controlled by a covered business and shares common branding with it is treated as part of that business, so a nonprofit in that position can fall within scope.

Under the CCPA, what are the penalties for noncompliance?

Civil penalties for noncompliance are up to $2,500 per unintentional violation and up to $7,500 per intentional violation. A business may avoid liability, however, by curing the noncompliance within 30 days of being notified of an alleged violation.

What is the “Private Right of Action” under the CCPA?

The CCPA gives California consumers the right to sue a business if their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices. Consumers may seek actual damages or statutory damages of between $100 and $750 per consumer per incident, whichever is greater.

Does the CCPA apply to companies that don't have operations in California?

Yes, the law applies as long as the company does business in California and meets one of the three thresholds outlined in the CCPA. This is true even if the company is not organized under California law or has no physical presence in California.

Are there exceptions to the CCPA?

Exemptions exist for some companies and types of data collected.

Company exemptions. Amendments to the CCPA exempt covered entities and healthcare providers subject to HIPAA or California's Confidentiality of Medical Information Act (CMIA) from the CCPA's scope, to the extent that they handle patient information in accordance with HIPAA or CMIA.

Data exemptions. The CCPA does not apply to the following types of data:

  • Personal information collected, processed, sold, or disclosed under the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (this exemption does not extend to the data breach private right of action)
  • Protected health information or medical information governed by HIPAA or CMIA
  • Information collected as part of a clinical trial and subject to the Federal Policy for the Protection of Human Subjects
  • The sale of personal information to or from a credit reporting agency, if used for a consumer report and use is limited to those permitted by the Fair Credit Reporting Act
  • Personal information processed pursuant to the Driver's Privacy Protection Act

B. Sale of Personal Information (right to opt out)

What is the right to opt out?

Under the CCPA, businesses that sell personal information must include a clearly visible “Do Not Sell My Personal Information” link on their website that allows the user to submit an opt-out request. Businesses cannot require users to create an account in order to submit their request.

Are businesses allowed to request additional information in order to complete an opt-out request?

While businesses are not required to verify that the person submitting an opt-out request is really the consumer for whom the business has personal information, they may need to ask the user for additional information to make sure they stop selling the right person’s personal information. If the business asks for personal information to verify a user's identity, it can only use that information for this verification purpose.

C. REQUESTS FOR PERSONAL INFORMATION (RIGHT TO KNOW)

What is the right to know?

A consumer may request that a business disclose to them the personal information the business has collected, used, shared, or sold about the consumer, and why it did so. Specifically, a consumer may request that a business disclose:

  • The categories of personal information collected
  • Specific pieces of personal information collected
  • The categories of sources from which the business collected personal information
  • The purposes for which the business uses the personal information
  • The categories of third parties with whom the business shares the personal information
  • The categories of information that the business sells or discloses to third parties

Businesses must provide this information for the 12-month period preceding the request, free of charge. A business is not required to respond to more than two requests to know from the same consumer within a 12-month period.

How can a user exercise the right to know?

Businesses must designate at least two methods for consumers to submit a request to know. One of those methods must be a toll-free telephone number and, if the business has a website, one must be through its website (for example, a web form); an email address or hard-copy form may serve as an additional method. However, a business that operates exclusively online and has a direct relationship with the consumer only needs to provide an email address for submitting requests to know.

Businesses cannot make a consumer create an account just to submit a request to know, but if the consumer already has an account with the business, it may require the consumer to submit the request through that account.

Consumers must submit their request to know through one of the business's designated methods, which may be different from its normal customer service contact information. If a consumer can't find a business's designated methods, they should review the business's privacy policy, which must include instructions on how to submit a request.

How long does a business have to respond to a user's request to know?

Businesses must respond to a consumer's request within 45 calendar days. This deadline can be extended by another 45 days (90 days total) if the consumer is notified of the extension.

If a consumer submitted a request to know but has not received a response within that timeline, they should first check the business's privacy policy to confirm the request was submitted through a designated method. If it was, they should follow up with the business to confirm that it is subject to the CCPA and to ask for the status of the request.

D. REQUIRED NOTICES

What is a notice at collection?

A notice at collection is a means by which businesses must disclose to consumers what personal information they collect and how that information will be used, shared, and sold. The notice must list the categories of personal information collected about consumers and the purposes for which each category is used. (For more information, see the right to know FAQ section.) If the business sells the personal information of consumers, then the notice at collection must include a Do Not Sell link. The notice must also contain a link to the business’s privacy policy, where consumers can get a fuller description of the business’s privacy practices and of their privacy rights.

Where can a user find a business’s notice at collection?

A notice at collection must be provided at or before the point at which the business collects a consumer's personal information. For example, a consumer might find a link to a company's notice at collection on the homepage of the company's website, as well as on any webpage where the consumer places an order or enters personal information. On a mobile app, the link might be in the settings menu, while a retail store might include the notice on a printed form used to collect personal information.

Do businesses need to update their online privacy policies?

Yes. Under the CCPA, businesses must update their privacy policy at least once every 12 months and provide a clearly visible link to it on their website's home page.

What’s the difference between a privacy notice and a privacy policy?

In general usage, a privacy notice and a privacy policy are different names for the same type of document: a description of an entity's policies and practices regarding its collection and use of personal data, together with the consumer's privacy rights. A privacy notice is sometimes referred to as a privacy statement, a fair processing statement, or a privacy policy. Note, however, that the CCPA regulations use "notice at collection" and "privacy policy" for distinct documents, as described above.

E. REQUESTS TO DELETE PERSONAL INFORMATION (RIGHT TO DELETE)

What is a consumer's right to delete personal information?

A consumer may request that a business delete the personal information it collected from the consumer and direct its service providers to do the same. However, there are many exceptions that allow businesses to keep this personal information.

How does a user submit their right to delete?

Businesses must designate at least two methods by which a consumer may submit a request to delete, such as a toll-free number, email address, website form, or hard-copy form. Businesses do not have to provide an online form for requesting deletion.

Businesses cannot make a consumer create an account just to submit a deletion request, but if the consumer already has an account with the business, it may require the consumer to submit the request through that account.

Consumers should submit their deletion request through one of the business's designated methods, which may be different from its normal customer service contact information. If a consumer can't find a business's designated methods, they should review the company's privacy policy, which must include instructions on how to submit a request.

If a business's designated method of submitting requests to delete is not working, consumers should notify the business in writing and consider submitting the request through another designated method, if one is available.

How long does a business have to respond to a consumer's request to delete?

Businesses must respond to a consumer's request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify the consumer of the extension.

If a consumer submitted a request to delete and has not received a response within that timeline, they should check the business's privacy policy to confirm the request was submitted properly. Once confirmed, they should follow up with the business to confirm that it is subject to the CCPA and to ask for the status of the request.

F. RIGHT TO NONDISCRIMINATION

What is the right to nondiscrimination?

The right to nondiscrimination means that a business cannot deny goods or services, charge a different price, or provide a different level or quality of goods or services just because a consumer exercised their rights under the CCPA.

However, if a consumer refuses to provide personal information to a business, or asks it to delete or stop selling that information, and the information or its sale is necessary for the business to provide the goods or services, the business may not be able to complete the transaction.

Businesses can also offer consumers promotions, discounts, and other deals in exchange for collecting, keeping, or selling their personal information, but only if the financial incentive is reasonably related to the value of the personal information. If a consumer asks a business to delete or stop selling their personal information, they may no longer be able to participate in deals offered in exchange for that information. A consumer who is unsure how a request will affect their participation in a special offer should ask the business.

G. DATA BROKERS AND THE CCPA

What is a data broker?

Data brokers are entities that collect information about consumers from many sources, including websites, other businesses, and public records, and then analyze and package the data for sale to other businesses.

Under California law, Civil Code section 1798.99.80, a data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The law exempts from this definition certain businesses regulated by other laws, such as consumer reporting agencies (commonly known as credit bureaus) and certain financial institutions and insurance companies.

How can consumers find data brokers that collect and sell their personal information?

The California data broker law requires data brokers covered by the law to register with the California Attorney General and provide certain information about their practices. The Data Broker Registry can be found on the Attorney General's website at https://oag.ca.gov/data-brokers.

How can consumers stop a data broker from selling their personal information?

To get instructions on how to opt out of the sale of personal information, consumers can click the "View Full Submission" link for a broker in the Data Broker Registry. Consumers may not be able to stop the sale of all of their information, however: the CCPA's definition of "personal information" does not include information lawfully made available from government records, which are a common source for data brokers.

Consumers can also go to a data broker's website through the link posted in the Data Broker Registry and read the broker's privacy policy to learn more about its privacy practices and how to exercise their CCPA rights.

H. MISCELLANEOUS

What is the CCPA 2.0?

The California Privacy Rights Act is also referred to as the CPRA or CCPA 2.0. It began as a ballot initiative (Proposition 24) that expands the CCPA and adds obligations for businesses that collect large amounts of personal information. It was approved by California voters in November 2020 and takes effect on January 1, 2023.

Are all vendors considered “service providers” under the CCPA?

No. In order to be considered a “service provider” for the purposes of the CCPA, an entity must process personal information “on behalf of a business.” In addition, the vendor must be bound by a written contract that prohibits it from:

  1. Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract”
  2. Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract”
  3. Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract”

The CCPA also classifies another group of vendors, called “third parties.”

What is a third party vendor under the CCPA?

Under the CCPA, third parties are the entities to which businesses sell or disclose personal information. The CCPA defines third parties in the negative—that is, a third party does not:

  • Collect personal information directly from consumers
  • Receive a consumer's personal information from a business for a business purpose pursuant to a written contract that, among other things, prohibits the third party from selling, retaining, using, or disclosing the personal information for any purpose other than performing the services specified in the contract

What can consumers do if they think a business violated the CCPA?

Consumers cannot sue businesses for most CCPA violations. A consumer can only sue a business under the CCPA if there is a data breach, and even then only under limited circumstances: their nonencrypted and nonredacted personal information must have been subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices to protect it. If this happens, the consumer can sue for the monetary damages they actually suffered from the breach or for "statutory damages" of between $100 and $750 per consumer per incident, whichever is greater.

To sue for statutory damages, the consumer must first give the business written notice identifying the CCPA sections allegedly violated and allow 30 days for the business to cure the violation and provide a written statement that it has done so and that no further violations will occur. If the business cures the violation and provides that statement, the consumer cannot sue for statutory damages unless the business continues to violate the CCPA contrary to its statement. No cure period is required before suing for actual damages.

For all other violations of the CCPA, only the California Attorney General can bring an action against a business. The Attorney General does not represent individual consumers; instead, using consumer complaints and other information, the Attorney General may identify patterns of misconduct that lead to investigations and actions on behalf of the people of California as a whole. A consumer who believes a business has violated the CCPA may file a complaint with the Office of the Attorney General, explaining exactly how the business violated the CCPA and when and how the violation occurred. The Attorney General cannot represent the consumer or give legal advice on how to resolve an individual complaint.

What types of data breach are consumers allowed to sue businesses for under the CCPA?

The consumer's first name (or first initial) and last name must have been stolen in combination with any of the following personal information:

  • social security number
  • driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person's identity
  • financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to their account
  • medical or health insurance information
  • fingerprint, retina or iris image, or other unique biometric data used to identify a person's identity (but not including photographs unless used or stored for facial recognition purposes)

This personal information must have been stolen in nonencrypted and nonredacted form, and the breach must have resulted from the business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.