The California Consumer Privacy Act (CCPA) is a state law that gives California residents more control over the collection and sale of their personal data, similar to the European Union’s General Data Protection Regulation (GDPR). It operates primarily by requiring businesses to inform consumers as to what personal information is being collected and respond to consumer requests for specific actions. The law went into effect on January 1, 2020, and enforcement by the California Attorney General began on July 1, 2020.
The CCPA creates four distinct data privacy rights:
Effective January 1, 2023, the CPRA adds two new categories of privacy rights. These are:
In addition to recognizing these new rights, the CCPA also requires businesses to implement reasonable security procedures to prevent data breaches. If businesses fail to do so and consumers’ nonencrypted and nonredacted personal information is subject to unauthorized access, consumers can recover up to $750 in statutory damages even without showing actual damages. Class-action lawsuits are very likely in such an event. Read more about private rights of action under the CCPA.
The CCPA protects “consumers,” defined very broadly as any California resident. This includes (1) anyone who is in the state of California (unless only there temporarily) and (2) anyone who lives in California, even while they are outside the state.
Designed to protect Californians, the CCPA applies to businesses in California and businesses that are located outside of the state but still offer goods or services in California. Any for-profit business is bound by the California law if it (1) does business in California and (2) meets at least one of the following criteria:
Effective January 1, 2023, the 50,000-record threshold is changed to:
Businesses that buy, sell, or share the personal information of 100,000 consumers or households.
This relaxes the requirement in a few ways. It eliminates “receiving” personal information, bumps the overall number to 100,000, and no longer counts “devices.” For example, if a business collects email addresses but does not sell or share them, that is strictly receiving personal information and no longer counts towards the 100,000 consumer threshold. Similarly, if a business collects and shares information from a person’s computer, tablet, and phone, this is only counted once under the new law. (Under the current law, it would be counted three times—once for each device.)
Knowing what counts as “personal information” under the CCPA is fundamental to understanding how the data privacy law works and what businesses must do to be compliant.
The CCPA’s definition of personal information is very broad, to the point that many businesses may be surprised at how much personal information they are collecting. The statute defines it as:
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
If this definition seems a bit vague, it was intentionally written to be open ended in order to cover the ever-growing list of types of information being collected by businesses. Thankfully, the CCPA also provides many examples of consumer data that are considered personal information.
The inclusion of IP addresses as personal information is significant for a couple of reasons. First, they are very easy to overlook; businesses often use tools that automatically collect and share IP addresses without ever thinking of it. Second, this is one instance where the CCPA goes farther than the GDPR, which does not consider IP addresses to be personal information. Businesses that already have a GDPR compliance system in place will need to make some adjustments to meet the CCPA’s requirements.
With personal information being defined so broadly, it’s important to know what kind of data the CCPA specifically calls out as not personal information.
Effective January 1, 2023, the exception for publicly available information is broadened to include information from other sources besides government records. This exception now includes:
The first addition is aimed at covering First Amendment protected speech. As to the second addition, one major implication seems to be that businesses will no longer need to disclose the collection of personal information from social media profiles and other widely available media.
Many of businesses’ most important obligations under the CCPA revolve around the “sale” of consumers’ personal information, which raises the question: What is a sale? The law defines sale broadly, covering many everyday transactions that businesses often don’t even think about. By the terms of the CCPA, a sale is:
Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
Disclosing personal information to a third party for monetary consideration is the most obvious form of a sale. If a business exchanges consumers’ email addresses for money, few would argue that this is not a sale. It’s the last phrase—“or other valuable consideration”—that is of key importance. This covers a variety of information transactions for which businesses do not receive any money.
Critically, disclosing consumers’ personal information for valuable consideration can mean doing so in exchange for services, including the use of interest-based advertising. For example, if a business uses Google ads to retarget consumers, it has to send their personal information to Google. Google keeps the consumers’ information for its own purposes and gives businesses access to its retargeting technologies in return. This counts as valuable consideration, and thus the transaction is likely considered a sale.
When a transfer of information is considered a sale, the most important consequence is that it is covered by consumers’ right to opt-out, covered in more detail below.
The CCPA provides a few key categories of transactions that are not considered a sale of personal information. Disclosing consumer data to a third party is not a sale when:
For businesses covered by the CCPA, the exemption for service providers will take on critical importance in their compliance strategy.
Effective January 1, 2023, the sale of personal information is expanded to include “sharing” personal information. Sharing is defined as:
Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
Some businesses have taken the position that the disclosure of consumer data for purposes of “cross-context behavioral advertising” (i.e., interest-based advertising or retargeting) does not qualify as a sale under the original CCPA. These new changes to the law are meant to resolve any ambiguity: This type of transaction, now called sharing, is treated the same as a sale of personal information. For most businesses, the main consequence is that the “Do Not Sell My Personal Information” links on their web pages will need to be changed to “Do Not Sell or Share My Personal Information.”
“Service providers” are mentioned throughout the CCPA and are one of the data privacy law’s most important exemptions. Businesses that are in the process of becoming CCPA compliant will need to understand what a service provider is and how service providers affect consumers’ privacy rights.
The CCPA gives consumers control over the sale of their personal information by businesses to “third parties” (basically anyone else). However, the law makes a major exception for the disclosure of consumer information to service providers, who are not treated as third parties. This type of activity is not a sale and thus not subject to the same CCPA requirements.
This difference between third parties and service providers in the CCPA is best illustrated by an example:
Company A is fully CCPA compliant. As part of its business, Company A collects email addresses from consumers and sells them to Company B. It also sends out a weekly newsletter, and in order to do so it shares its email list with Company C, an email marketing vendor. This is all fine and perfectly legal under the CCPA, because Company A has posted all the required privacy notices and opt-out links.
When a consumer clicks on the “Do Not Sell My Personal Information” link on Company A’s homepage and requests to opt out of the sale of their personal information, Company A must honor that request. It has to stop selling that particular consumer’s data to Company B, BUT it can continue sharing the consumer’s email address with Company C because Company C is a service provider and needs the email address in order to do its job.
Overall, it’s a common-sense exemption that recognizes the realities of modern business, but there are a few nuances and requirements that companies should be aware of.
The CCPA defines a service provider as a:
It is the contract requirement that is often the most important. It means businesses have to ensure that their vendor contracts are CCPA compliant in order for those vendors to qualify as service providers. These contracts must explicitly state that the service provider will not retain, use, or disclose consumer data except as needed to provide their services. If the contract does not meet CCPA requirements, any sharing of information might be considered a sale.
Effective January 1, 2023, there are a few changes to the definition of a service provider.
The CPRA also adds a new type of outside party, the “contractor.” A contractor qualifies for the same exemptions as a service provider, i.e., contractors are not affected by opt-out requests, but the term is defined a little differently. As opposed to a service provider, who “processes information” for a business, a contractor is “a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business.” One impact of this addition is that businesses’ contracts with contractors must meet requirements similar to those for service providers.
The CCPA gives consumers the right to know what personal information businesses are collecting and how that information is being used. For businesses, this means they have two legal responsibilities toward consumers: They must inform consumers in advance regarding data collection and respond to a consumer’s request to know what has been collected.
To meet the first of these requirements, businesses must post a CCPA-compliant privacy notice at or before the point of collection. This is known as a “notice at collection.” It tells consumers what categories of personal information are being collected and for what purposes.
Example: An online retailer is offering a discount promo code, but requires consumers to enter their email address in order to receive it. This is a data collection point. At or before this point, the retailer must include a link to a privacy notice that lets consumers know what personal data is being collected (i.e., email addresses) and for what purposes (i.e., sending marketing content, etc.).
Second, consumers can submit a request to know what personal information a business has collected from them. For the 12-month period preceding the request, businesses must disclose the following information:
They must provide this information free of charge, but only after verifying that the consumer is who they say they are. Businesses are required to respond to an individual’s requests to know no more than twice in a 12-month period.
The CPRA includes the term “right to access personal information.” This is just a change in terminology. It does not grant any new rights, but refers to a consumer’s right to know what specific pieces of personal information a business has collected.
If a business sells personal information about a consumer to a third party, the CCPA gives that consumer the right to request that the business stop selling their information. This is called the right to opt out. Any business that sells consumers’ personal information must include a conspicuous “Do Not Sell My Personal Information” link on their homepage that informs consumers how to submit a request to opt out.
After a consumer has opted out, businesses must wait at least 12 months before asking them to opt in again.
The CCPA also addresses the sale of the personal information of minors under the age of 16. If a consumer is between the ages of 13 and 16, businesses must get their affirmative consent to sell their personal information. For children under the age of 13, the child’s parent or guardian must give their affirmative consent. These rules apply when the business has actual knowledge of the consumer’s age or willfully disregards it.
An important exception to the consumer’s right to opt out is where businesses give personal information to service providers, discussed in greater detail above. Businesses may continue disclosing personal information to a service provider even after a consumer opts out, because this is not considered a sale.
Effective January 1, 2023, the CCPA gives consumers the right to opt out of the sale or sharing of their personal information. The definition of sharing is very specific and covers activity that was already commonly considered to be a type of sale of information. For most businesses that are CCPA compliant, this change should not make much difference. However, the opt-out link on a business’s homepage will need to be changed to “Do Not Sell or Share My Personal Information.”
The CPRA also states that at some point businesses will be able to satisfy their opt-out requirements without including a “Do Not Sell or Share My Personal Information” link on their homepage. To do so, they must allow consumers to opt out “through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism” based on technical specifications and regulations to be published by the Office of the Attorney General.
The right to delete is a major component of the CCPA’s attempt to give consumers more control over their personal information. It seeks to alleviate the “forever” aspect of online data by giving consumers the right to send a deletion request to businesses that have collected their information. It is not an absolute right, however, and businesses may still retain consumers’ personal information in a variety of circumstances.
The CCPA requires businesses to designate at least two methods for consumers to make a request to delete, such as an email address and a toll-free phone number. The request methods should match the way the company normally does business. For example, an online retailer can’t have exclusively offline methods to submit requests. Once a business has received a request to delete, it has 45 days to comply. That deadline can be extended to a total of 90 days if necessary when considering the complexity and number of requests, provided the consumer is notified.
Knowing which consumer information to delete can be tricky for businesses, especially if they do not already have a CCPA compliance system in place. They must delete “any personal information” upon request, but the law provides a number of exceptions. Businesses (and service providers) are not required to delete personal information if it is necessary to:
The complexity of processing a request to delete perfectly illustrates why businesses need to already have a CCPA compliance plan in place. Otherwise, they can easily end up either failing to fully comply with a request or deleting important information that could have been retained.
Effective January 1, 2023, after receiving a request to delete, businesses must notify all third parties to whom they have sold or shared a consumer’s personal information. This is in addition to the original requirement to notify service providers (and now contractors) of the deletion request. Such notification is not required if it would be impossible or involve disproportionate effort.
The original CCPA states that businesses do not have to delete personal information if it is necessary to “otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” Effective January 1, 2023, the CPRA removes this exception. The reasoning is that the exception is overly broad and prone to abuse.
The right to non-discrimination helps to ensure that consumers are comfortable exercising their data privacy rights under the CCPA without fear of retaliation. The basic rule is fairly straightforward. Businesses cannot deny goods or services, provide a different level of quality of goods or services, or charge a different price to consumers who exercise their CCPA rights.
As with the other CCPA rights, there are a number of exceptions to the rule.
New to the CCPA is the consumer’s right to correct inaccurate personal information. This was included in the CPRA and goes into effect on January 1, 2023. The law reads:
A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
Effective January 1, 2023, the CCPA includes a new category of consumer data—“sensitive personal information”—and gives consumers the right to limit its use and disclosure by businesses. This addition brings the California law closer in line with the robust privacy protections of the GDPR.
As a narrower category of personal information, sensitive personal information is defined more specifically in the CCPA. It is any information that fits in these four categories.
The overall structure of this right is similar to the right to opt out. Businesses are still allowed to collect sensitive personal information, but consumers have a say in how that information is used and disclosed. Specifically, it gives consumers the right to request that a business:
Limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
If a business collects sensitive personal information but already restricts its use to what is necessary to perform its services (and is reasonably expected by the average consumer), that business does not need to take any action when it receives a consumer request. A business that goes beyond necessary use of sensitive personal information, e.g., selling it to a third party, is required to stop that additional use upon receiving a consumer’s request.
Sensitive personal information collected without the purpose of inferring characteristics about a consumer is not subject to these requirements. Future regulations are expected to provide more clarity on what this means and what qualifies as necessary use.
The CCPA presents businesses with a host of new data privacy terms, rules, and rights which they must learn and apply to their daily operations. When confronted with all these details, the next question business leaders often have is, “What happens if we’re not CCPA compliant?”
The next chapter, “CCPA Enforcement and Penalties,” helps businesses understand the various costs of non-compliance.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.