What is the California Consumer Privacy Act (CCPA)?

Note: As of July 1st, 2020 the California Consumer Privacy Act (CCPA) is now being enforced.

A new decade is upon us, and with it comes a continuation in the rapid evolution of data privacy laws and regulations. Considered to be the “toughest data privacy law in the United States”, the California Consumer Privacy Act (CCPA) will come into effect on January 1st, 2020, only a year and a half after it was passed.  

While amendments to the CCPA are expected to occur after it has passed, companies will still need to be prepared to comply with this new legislation as soon as it comes into effect, with the enforcement of the CCPA starting either six months after the final regulations are published or July 1, 2020, whichever occurs first. With so little time to prepare, we hope that this article gives your business the overview it needs to understand the next steps needed to meet your CCPA compliance needs.

CCPA Overview

What Rights Does the CCPA Grant?

In 1972, California voters amended the California Constitution to include privacy among the inalienable rights of the people. The intention of the CCPA is to continue protecting the right to privacy of Californians by granting them the right to access, delete, and opt-out of the sale of their personal information. 

Knowledge of How Their Data Is Used

Under CCPA, consumers are granted the right to request:

  • Disclosure of the categories and specific pieces of personal information that a business collects about the consumer
  • The categories of sources from which their information is collected
  • Why their information was collected or sold
  • The categories of any 3rd parties given access to their data

Deletion of Personal Data on Request

Under CCPA, consumers are to be granted the right to request the deletion of their personal data. Once the request is verified as legitimate, businesses will be required to comply with the request within 45 days, with a once-per-customer extension of 45 days permitted to businesses that reasonably require an extension and notify the customer within the initial 45-day period.

The Ability to Opt-Out of Personal Data Collection With No Penalty

Under CCPA, consumers will be granted the option to request that the sale of their personal information by a business be disallowed. Should a consumer exercise this right, businesses are not permitted to discriminate against the consumer.
Examples of discrimination disallowed by the bill include charging a different price and providing a different quality of goods or services to consumers that exercise their right to opt-out of the sale of their personal data. The CCPA gives an exception to the alteration of quality/price under circumstances where “the difference is reasonably related to value provided by the consumer’s data.” CCPA would also grant businesses the option to offer financial incentives for the collection of personal information.

“Opt-in” Requirements for Consumers Under 16

For consumers under 16, the CCPA requires that the sale of their personal information be prohibited unless “affirmatively authorized”, meaning that consumers younger than 16 years of age must “opt-in” to the sale of their personal information by providing explicit permission.

What is “Personal Information” Under CCPA?

At its most basic level, the definition of “personal information” under CCPA refers to any information that can be plausibly linked to a specific household or individual consumer, such as but not limited to:

  • Names/nicknames
  • Addresses
  • IP addresses
  • Email addresses
  • Usernames
  • Social Security Numbers (SSN)
  • Phone numbers
  • Employment history
  • Health insurance information
  • Records of products or services purchased
  • Browsing history/search history
  • Education information

Under CCPA, inferences made using collected data are also protected. This is of special consideration for marketers or other industries creating demographic and consumer behavior profiles.

“Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” – Assembly Bill No. 375, Chapter 55, Section 1798.140(K)

It is important to note that according to the CCPA, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. For a detailed list of what is considered personal information under CCPA, refer to section 1798.140 of Assembly Bill No. 375.

Will My Business Need To Be CCPA Compliant?

The CCPA can potentially apply to any for-profit business or associated entity in California, whether or not they physically reside in California, so long as that business collects and controls the processing of a consumer’s personal information while also meeting ANY of the below criteria:

  • Collects or sells personal information of California residents
  • Has a gross annual revenue in excess of twenty-five million dollars ($25,000,000) 
  • Annually buys, receives, sells, or shares the personal information of 50,000+ California consumers, households, or devices
  • Derives 50% or more of its annual revenues from selling consumers’ personal information

What Constitutes “Selling” of Personal Information Under CCPA?

The act of “selling” personal data is not exclusive to monetary transactions. According to the bill, the exchange (“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…”) of personal information in return for “valuable consideration” will also be considered as selling under the CCPA. 

While “valuable consideration” is not explicitly defined in the bill, the California Legislative Information website has previously defined a “consideration” as “any benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.”

CCPA Penalties

The potential penalties for businesses failing to maintain their CCPA compliance requirements will be significant, with violations of the CCPA incurring fines of up to $7,500 per violation. Under the CCPA, data breaches will also be considered the responsibility of the company, with fines of up to $750 per consumer affected in each breach.

How Do I Become CCPA Compliant?

CCPA Compliance Checklist

  1. Determine whether your business sells personal information of California residents
  2. Ensure that your data infrastructure allows you to readily consolidate and report the personal information you have collected of individuals
  3. Provide a minimum of two (2) methods for California consumers to request access to the personal information held by your business, including a toll-free telephone number
  4. Upon request, comply with any consumer deletion requests within 45 days of receiving a verified request
  5. Update your websites to include readily visible disclaimers that your company sells personal information, and provide a “clear and conspicuous” link titled “Do Not Sell My Personal Information” that will allow users to opt-out
  6. Update your privacy policies to include a section detailing the privacy rights of California residents

The Future of Data Privacy Legislation

With consumer privacy regulations expected to take center-stage in the coming decade, businesses that are not directly affected by the California Consumer Privacy Act should still ensure that they are in the best position possible to adapt to future privacy regulations. Legislation such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Europe’s General Data Protection Regulation (GDPR), and Nevada’s Senate Bill 220, along with various other local privacy and data legislation, are going to continue to influence how businesses are expected to operate. 

If you would like to see the entire unedited assembly bill detailing the CCPA, visit the link below:

Full text of AB375, Title 1.81.5, “The California Consumer Privacy Act of 2018, CCPA”: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

(Note: This article is current as of December 20, 2019. There are likely to be amendments to address concerns of the bill’s current state. This article is intended for informational purposes only and is not a replacement for consultation with a lawyer)

Dale Strickland
Dale Strickland is a Marketing Coordinator for CurrentWare, a global provider of endpoint security and employee monitoring software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.