Understanding the California Consumer Privacy Act (CCPA)
California became the first U.S. state with a comprehensive consumer privacy law when the California Consumer Privacy Act (CCPA) became effective on January 1, 2020.
The CCPA grants California residents new rights regarding their personal information and imposes various data protection duties on certain entities conducting business in California. Given its expansiveness and broad reach, the CCPA is likely to significantly impact entities both in California and around the world that collect and process California residents' personal information.
What does the CCPA protect?
The CCPA provides personal information rights and protections for consumers, defined as natural persons who are California residents. Defining consumers as any California resident leads to much broader coverage for the CCPA than the term "consumer" usually implies. In addition to customers of household goods and services, the CCPA's definition of consumers likely includes California-based:
- Employees, independent contractors, and other workforce members.
- Contacts from business customers or vendors.
However, amendments to the CCPA grant businesses temporary relief for certain workforce and business-to-business related personal information from most CCPA requirements until January 1, 2021.
The CCPA defines personal information more broadly than California's other laws. It includes any information that either directly or indirectly:
- Identifies, relates to, or describes a particular consumer or household.
- Is reasonably capable of being associated with, or could reasonably be linked to, a particular consumer or household.
Importantly, the CCPA protects data even if it does not relate to a single individual, because it covers households and devices, and it protects information connected to any unique identifier, not just a person's name.
Who must comply with the CCPA?
The CCPA's obligations apply to a business, which it defines as a for-profit entity (including a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity) that:
- Collects a consumer's personal information (directly or on its behalf) and determines the purposes and means of processing (alone or jointly with others).
- Does business in California and meets one of the following thresholds:
  - annual gross revenue that exceeds $25 million (adjusted for inflation);
  - annually buys, receives, shares, or sells the personal information of more than 50,000 consumers, households, or devices for commercial purposes (alone or in combination); or
  - derives 50% or more of annual revenues from selling consumers' personal information.
The CCPA provides numerous exceptions to its application based on:
- Jurisdictional concerns, such as when:
  - every aspect of commercial conduct takes place wholly outside of California;
  - the business completes a single, one-time transaction and does not retain the collected personal information; or
  - another sector-specific privacy or data protection law covers the conduct, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Fair Credit Reporting Act (FCRA), or the Gramm-Leach-Bliley Act (GLBA).
- Common business operation needs, such as to allow the sale of personal information as part of a larger merger or acquisition transaction.
- Legal or conflicts of laws issues, such as to comply with other laws, defend legal claims, or cooperate with law enforcement.
Consumer rights under the CCPA
The CCPA grants consumers several rights, including:
- The right to know how the business collects, uses, and shares their personal information, including, on request:
  - individualized privacy notice disclosures from the business; and
  - the specific pieces of their personal information the business holds.
- The right to delete personal information the business holds about them, subject to specific exceptions.
- Personal information sale prevention rights. For consumers:
  - age 16 or older, the right to opt out of personal information sales; and
  - age 15 or younger, the right to opt in to personal information sales.
- The right to non-discrimination for exercising their CCPA rights.
Business obligations under the CCPA
The numerous consumer rights granted by the CCPA obligate businesses to take several measures to comply with its requirements. Businesses should review their data inventory, collection, and sharing practices to determine which sections of the CCPA apply to their businesses, particularly if they sell consumer personal information.
To meet its CCPA obligations, a covered business should:
- Protect personal information by implementing reasonable security practices and procedures appropriate to the relevant risks.
- Make all required CCPA notice disclosures, including:
  - notices at collection;
  - personal information sales opt-out right notices and links; and
  - financial incentive notices, if offered.
- Honor consumers' CCPA rights and establish internal procedures to receive, verify, and respond to consumer rights requests.
- Review all price, service, or quality differences relating to the collection, retention, or sale of personal information to ensure non-discrimination.
- Comply with employee training and record-keeping requirements.
- Review service provider and third-party personal information data sharing contracts for alignment with the CCPA's requirements.
The CCPA grants regulatory and enforcement authority to the California Attorney General (AG). Before initiating an action for a CCPA violation, the California AG must give the offending business, service provider, or other person notice of the alleged violation and at least 30 days to cure it. If the business does not—or cannot—cure the violations, the California AG may seek civil penalties up to either:
- $2,500 per violation
- $7,500 per intentional violation
Although the statute is unclear on this point, these civil penalties likely apply per affected individual and may therefore result in large aggregate fines.
CCPA private right of action
The CCPA extends California's data breach laws by creating a private right of action for unauthorized access, theft, or disclosure of certain non-encrypted and non-redacted personal information. Importantly, the data breach liability section defines personal information much more narrowly than the general CCPA definition and ties it to part of the California data breach notification statute's definition.
The narrow subset of personal information covered in the private right of action may lead to situations where an entity must provide notice of a data breach but does not face a CCPA private right of action, or vice versa.
The potential damages a consumer may seek in a CCPA private action include:
- Either statutory damages between $100 and $750 per California resident and per incident, or actual damages, whichever is greater.
- Injunctive or declaratory relief.
- Any other relief a court deems proper.
However, statutory damages are only available if, before filing a data breach lawsuit:
- The consumer provides the business with a written notice identifying the specific CCPA violations and a 30-day period to cure those violations, if possible.
- The business does not—or cannot—cure the alleged violation and does not provide the consumer with an express written statement within the 30-day period that:
  - it has cured the violation; and
  - no further violations will occur.
If the business continues with its alleged violations, the consumer can file a lawsuit requesting statutory damages for the original violation and any new CCPA violation occurring after the notice, including breaching the written statement.
Looking ahead: 2020 ballot initiative to expand the CCPA
A new ballot initiative for a voter-enacted statute called the California Privacy Rights Act of 2020 (CPRA) will appear on the November 3, 2020 ballot as Proposition 24. If passed, the CPRA will, among other changes, expand the CCPA's personal information protection rights and business obligations, particularly around sensitive information like precise geolocation data, provide transparency around automated decision making, and create a dedicated privacy protection agency in California. It also contains a one-way ratchet amendment process that allows legislature-initiated amendments that improve consumer privacy but requires a new ballot initiative to reduce privacy protections.