
Chapter 2: What Is the CCPA?

The California Consumer Privacy Act (CCPA) is a state law that gives California residents more control over the collection and sale of their personal data, similar to the European Union’s General Data Protection Regulation (GDPR). It operates primarily by requiring businesses to inform consumers as to what personal information is being collected and respond to consumer requests for specific actions. The law went into effect on January 1, 2020, and enforcement by the California Attorney General began on July 1, 2020.

The CCPA creates four distinct data privacy rights:

  • The right to know what personal information is being collected and how it is used
  • The right to opt out of the sale of their personal information
  • The right to delete personal information that has been collected
  • The right to non-discrimination for exercising rights under the CCPA

Effective January 1, 2023, the California Privacy Rights Act (CPRA) adds two new categories of privacy rights. These are:

  • The right to correct inaccurate information
  • The right to limit use and disclosure of sensitive personal information

In addition to recognizing these new rights, the CCPA also requires businesses to implement reasonable security procedures to prevent data breaches. If businesses fail to do so and consumers’ nonencrypted and nonredacted personal information is subject to unauthorized access, consumers can recover up to $750 in statutory damages even without showing actual damages. Class-action lawsuits are very likely in such an event. Read more about private rights of action under the CCPA.

Who Has Rights Under the CCPA?

The CCPA protects “consumers,” defined very broadly as any California resident. This includes (1) anyone who is in the state of California (unless only there temporarily) and (2) anyone who lives in California, even while they are outside the state.

What Businesses Does the CCPA Apply To?

Designed to protect Californians, the CCPA applies to businesses in California and businesses that are located outside of the state but still offer goods or services in California. Any for-profit business is bound by the California law if it (1) does business in California and (2) meets at least one of the following criteria:

  • Has gross annual revenues in excess of $25 million
  • Buys, sells, shares or receives the personal information of 50,000 or more consumers, households, or devices annually
  • Derives 50% or more of its annual revenues from selling consumers’ personal information

As to the last threshold requirement, “selling” personal information is broadly defined in the CCPA, as discussed below. Importantly, the use of interest-based advertising is considered a sale, so any revenue connected to these types of ads is “derived” from selling consumers’ personal information and should be included in this calculation.


Upcoming Changes to the Law

Increase to 100,000 Consumers

Effective January 1, 2023, the 50,000-record threshold is changed to:

Businesses that buy, sell, or share the personal information of 100,000 consumers or households.

This relaxes the requirement in a few ways. It eliminates “receiving” personal information, bumps the overall number to 100,000, and no longer counts “devices.” For example, if a business collects email addresses but does not sell or share them, that is strictly receiving personal information and no longer counts towards the 100,000 consumer threshold. Similarly, if a business collects and shares information from a person’s computer, tablet, and phone, this is only counted once under the new law. (Under the current law, it would be counted three times—once for each device.)

Key CCPA Concepts

What Is "Personal Information"?

Knowing what counts as “personal information” under the CCPA is fundamental to understanding how the data privacy law works and what businesses must do to be compliant.

The CCPA’s definition of personal information is very broad, to the point that many businesses may be surprised at how much personal information they are collecting. The statute defines it as:

Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

If this definition seems a bit vague, it was intentionally written to be open-ended in order to cover the ever-growing list of types of information being collected by businesses. Thankfully, the CCPA also provides many examples of consumer data that are considered personal information.

Examples of Personal Information

  • Identifiers, including names, online identifiers, social security numbers, email addresses, driver’s license numbers, IP addresses, and other similar identifiers
  • Internet activity, including search history, browsing history, and advertising preferences
  • Biometric data, including fingerprints, voiceprints, DNA, and sleep, health, or exercise data that contains identifying information
  • Geolocation data
  • Employment-related information
  • Characteristics of protected classifications under California or federal law, such as race, gender, or disability
  • Inferences drawn from personal information to create a profile regarding a consumer’s preferences, behaviors, attitudes, etc.

The inclusion of IP addresses as personal information is significant for a couple of reasons. First, they are very easy to overlook; businesses often use tools that automatically collect and share IP addresses without ever thinking of it. Second, this is one instance where the CCPA goes farther than the GDPR, which does not consider IP addresses to be personal information. Businesses that already have a GDPR compliance system in place will need to make some adjustments to meet the CCPA’s requirements.

What Is Not Personal Information?

With personal information being defined so broadly, it’s important to know what kind of data the CCPA specifically calls out as not personal information.

  • Personal information does not include publicly available information, that is, information lawfully made available from federal, state, or local government records. However, information is not “publicly available” if it is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records.
  • The CCPA does not restrict businesses’ collection, use, sale, or disclosure of consumer information that is deidentified or in the aggregate. For example, if a business collects usage statistics for its website but pools all the users’ information together, that activity is not affected by the CCPA because there is no way to attribute the information to any particular consumer.
  • Information sold to or from credit reporting agencies, e.g., credit bureaus
  • Medical information collected, shared, or disclosed pursuant to the Health Insurance Portability and Accountability Act (HIPAA)
  • Personal information collected, shared or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (CFIPA)
  • Personal information collected, shared, or disclosed pursuant to the Driver’s Privacy Protection Act

Upcoming Changes to the Law

Publicly Available Information

Effective January 1, 2023, the exception for publicly available information is broadened to include information from other sources besides government records. This exception now includes:

  • Lawfully obtained, truthful information that is a matter of public concern
  • Information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience

The first addition is aimed at covering First Amendment protected speech. As to the second addition, one major implication seems to be that businesses will no longer need to disclose the collection of personal information from social media profiles and other widely available media.

What Is a "Sale"?

Many of businesses’ most important obligations under the CCPA revolve around the “sale” of consumers’ personal information, which raises the question: What is a sale? The law defines sale broadly, covering many everyday transactions that businesses often don’t even think about. By the terms of the CCPA, a sale is:

Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

Disclosing personal information to a third party for monetary consideration is the most obvious form of a sale. If a business exchanges consumers’ email addresses for money, few would argue that this is not a sale. It’s the last phrase—“or other valuable consideration”—that is of key importance. This covers a variety of information transactions for which businesses do not receive any money.

Critically, disclosing consumers’ personal information for valuable consideration can mean doing so in exchange for services, including the use of interest-based advertising. For example, if a business uses Google ads to retarget consumers, it has to send their personal information to Google. Google keeps the consumers’ information for its own purposes and gives businesses access to its retargeting technologies in return. This counts as valuable consideration, and thus the transaction is likely considered a sale.

When a transfer of information is considered a sale, the most important consequence is that it is covered by consumers’ right to opt out, covered in more detail below.

What Is Not a Sale?

The CCPA provides a few key categories of transactions that are not considered a sale of personal information. Disclosing consumer data to a third party is not a sale when:

  • A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information
  • The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose

For businesses covered by the CCPA, the exemption for service providers will take on critical importance in their compliance strategy.

Upcoming Changes to the Law

"Sharing" Personal Information

Effective January 1, 2023, the sale of personal information is expanded to include “sharing” personal information. Sharing is defined as:

Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

Some businesses have taken the position that the disclosure of consumer data for purposes of “cross-context behavioral advertising” (i.e., interest-based advertising or retargeting) does not qualify as a sale under the original CCPA. These new changes to the law are meant to resolve any ambiguity: This type of transaction, now called sharing, is treated the same as a sale of personal information. For most businesses, the main consequence is that the “Do Not Sell My Personal Information” links on their web pages will need to be changed to “Do Not Sell or Share My Personal Information.”

What Is a "Service Provider"?

“Service providers” are mentioned throughout the CCPA and are one of the data privacy law’s most important exemptions. Businesses that are in the process of becoming CCPA compliant will need to understand what a service provider is and how service providers affect consumers’ privacy rights.

The CCPA gives consumers control over the sale of their personal information by businesses to “third parties” (basically anyone else). However, the law makes a major exception for the disclosure of consumer information to service providers, who are not treated as third parties. This type of activity is not a sale and thus not subject to the same CCPA requirements.

This difference between third parties and service providers in the CCPA is best illustrated by an example:

Company A is fully CCPA compliant. As part of its business, Company A collects email addresses from consumers and sells them to Company B. It also sends out a weekly newsletter, and in order to do so it shares its email list with Company C, an email marketing vendor. This is all fine and perfectly legal under the CCPA, because Company A has posted all the required privacy notices and opt-out links.

When a consumer clicks on the “Do Not Sell My Personal Information” link on Company A’s homepage and requests to opt out of the sale of their personal information, Company A must honor that request. It has to stop selling that particular consumer’s data to Company B, BUT it can continue sharing the consumer’s email address with Company C because Company C is a service provider and needs the email address in order to do its job.

Overall, it’s a common-sense exemption that recognizes the realities of modern business, but there are a few nuances and requirements that companies should be aware of.

Service Provider Defined

The CCPA defines a service provider as a:

  1. For-profit entity
  2. That processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract
  3. Provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.

It is the contract requirement that is often the most important. It means businesses have to ensure that their vendor contracts are CCPA compliant in order for those vendors to qualify as service providers. These contracts must explicitly state that the service provider will not retain, use, or disclose consumer data except as needed to provide their services. If the contract does not meet CCPA requirements, any sharing of information might be considered a sale.

Upcoming Changes to the Law

Definition Changes

Effective January 1, 2023, there are a few changes to the definition of a service provider.

  • A service provider can now be a legal or natural person, not just a legal entity.
  • A business’s contract with a service provider must now prohibit the service provider from selling or sharing consumers’ personal information and from combining it with personal information from other sources. This means that vendor contracts will need to be updated in order to continue qualifying as CCPA service providers.

Contractors

The CPRA also adds a new type of outside party, the “contractor.” A contractor qualifies for the same exemptions as a service provider, i.e., they are not affected by opt-out requests, but are defined a little differently. As opposed to a service provider who “processes information” for a business, a contractor is “a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business.” One impact of this addition is that businesses’ contracts with contractors must meet similar requirements as those of service providers.

Consumer Rights

Right to Know

The CCPA gives consumers the right to know what personal information businesses are collecting and how that information is being used. For businesses, this means they have two legal responsibilities toward consumers: They must inform consumers in advance regarding data collection and respond to a consumer’s request to know what has been collected.

To meet the first of these requirements, businesses must post a CCPA-compliant privacy notice at or before the point of collection. This is known as a “notice at collection.” It tells consumers what categories of personal information are being collected and for what purposes.

Example: An online retailer is offering a discount promo code, but requires consumers to enter their email address in order to receive it. This is a data collection point. At or before this point, the retailer must include a link to a privacy notice that lets consumers know what personal data is being collected (here, email addresses) and for what purposes (e.g., sending marketing content).

Second, consumers can submit a request to know what personal information a business has collected from them. For the 12-month period preceding the request, businesses must disclose the following information:

  • The categories of personal information it has collected about that consumer
  • The categories of sources from which the personal information is collected
  • The business or commercial purpose for collecting or selling personal information
  • The categories of third parties with whom the business shares personal information
  • The specific pieces of personal information it has collected about that consumer

They must provide this information free of charge, but only after verifying that the consumer is who they say they are. Businesses are required to respond to an individual’s requests to know no more than twice in a 12-month period.

Learn more about responding to CCPA requests to know.

Upcoming Changes to the Law

Right to Access

The CPRA includes the term “right to access personal information.” This is just a change in terminology. It does not grant any new rights, but refers to a consumer’s right to know what specific pieces of personal information a business has collected.

Right to Opt Out

If a business sells personal information about a consumer to a third party, the CCPA gives that consumer the right to request that the business stop selling their information. This is called the right to opt out. Any business that sells consumers’ personal information must include a conspicuous “Do Not Sell My Personal Information” link on their homepage that informs consumers how to submit a request to opt out.

After a consumer has opted out, businesses must wait at least 12 months before asking them to opt in again.

The CCPA also addresses the sale of the personal information of minors under the age of 16. If a consumer is between the ages of 13 and 16, businesses must get their affirmative consent to sell their personal information. For children under the age of 13, the child’s parent or guardian must give their affirmative consent. These rules apply when the business has actual knowledge of the consumer’s age or willfully disregards it.

Service Providers

An important exception to the consumer’s right to opt out is where businesses give personal information to service providers, discussed in greater detail above. Businesses may continue disclosing personal information to a service provider even after a consumer opts out, because this is not considered a sale.

Learn more about responding to CCPA requests to opt out.

Upcoming Changes to the Law

Right to Opt Out of Sharing

Effective January 1, 2023, the CCPA gives consumers the right to opt out of the sale or sharing of their personal information. The definition of sharing is very specific and covers activity that was already commonly considered to be a type of sale of information. For most businesses that are CCPA compliant, this change should not make much difference. However, the opt-out link on a business’s homepage will need to be changed to “Do Not Sell or Share My Personal Information.”

No More "Do Not Sell" Links?

The CPRA also states that at some point businesses will be able to satisfy their opt-out requirements without including a “Do Not Sell or Share My Personal Information” link on their homepage. To do so, they must allow consumers to opt out “through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism” based on technical specifications and regulations to be published by the Office of the Attorney General.

Right to Delete

The right to delete is a major component of the CCPA’s attempt to give consumers more control over their personal information. It seeks to alleviate the “forever” aspect of online data by giving consumers the right to send a deletion request to businesses that have collected their information. It is not an absolute right, however, and businesses may still retain consumers’ personal information in a variety of circumstances.

The CCPA requires businesses to designate at least two methods for consumers to make a request to delete, such as an email address and a toll-free phone number. The request methods should match the way the company normally does business. For example, an online retailer can’t have exclusively offline methods to submit requests. Once a business has received a request to delete, it has 45 days to comply. That deadline can be extended to a total of 90 days if necessary when considering the complexity and number of requests, provided the consumer is notified.

Knowing which consumer information to delete can be tricky for businesses, especially if they do not already have a CCPA compliance system in place. They must delete “any personal information” upon request, but the law provides a number of exceptions. Businesses (and service providers) are not required to delete personal information if it is necessary to:

  • Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer
  • Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity
  • Debug to identify and repair errors that impair existing intended functionality
  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law
  • Comply with the California Electronic Communications Privacy Act
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, if the consumer has provided informed consent
  • Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business
  • Comply with a legal obligation
  • Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information

The complexity of processing a request to delete perfectly illustrates why businesses need to already have a CCPA compliance plan in place. Otherwise, they can easily end up either failing to fully comply with a request or deleting important information that could have been retained.

Learn more about responding to CCPA requests to delete.

Upcoming Changes to the Law

Notifying Third Parties

Effective January 1, 2023, after receiving a request to delete, businesses must notify all third parties to whom they have sold or shared a consumer’s personal information. This is in addition to the original requirement to notify service providers (and now contractors) of the deletion request. Such notification is not required if it would be impossible or involve disproportionate effort.

Change to List of Exceptions

The original CCPA states that businesses do not have to delete personal information if it is necessary to “otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” Effective January 1, 2023, the CPRA removes this exception. The reasoning is that the exception is overly broad and prone to abuse.

Right to Non-Discrimination

The right to non-discrimination helps to ensure that consumers are comfortable exercising their data privacy rights under the CCPA without fear of retaliation. The basic rule is fairly straightforward. Businesses cannot deny goods or services, provide a different level of quality of goods or services, or charge a different price to consumers who exercise their CCPA rights.

As with the other CCPA rights, there are a number of exceptions to the rule.

  • Businesses may charge a different price or offer a different quality of goods or services if that difference is reasonably related to the value provided to the business by the consumer’s information.
  • Businesses may offer promotions, discounts, and other financial incentives in exchange for collecting, storing, or selling personal information.
  • If a consumer has requested to delete or opt out of the sale of their personal information, and that information or sale is necessary to provide a good or service, the business’s inability to complete the transaction is not discrimination.

Right to Correct Inaccurate Personal Information

New to the CCPA is the consumer’s right to correct inaccurate personal information. This was included in the CPRA and goes into effect on January 1, 2023. The law reads:

A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.

Businesses are also required to inform consumers of this right in their privacy policy. The new right is a straightforward addition to the CCPA. It tries to balance consumer rights with the burden placed on businesses by only requiring businesses to use “commercially reasonable efforts” to correct the inaccurate information.

Right to Limit Use and Disclosure of Sensitive Personal Information

Effective January 1, 2023, the CCPA includes a new category of consumer data—“sensitive personal information”—and gives consumers the right to limit its use and disclosure by businesses. This addition brings the California law closer in line with the robust privacy protections of the GDPR.

What Is Sensitive Personal Information?

As a narrower category of personal information, sensitive personal information is defined more specifically in the CCPA. It is any information that fits into one of these four categories:

  1. Personal information that reveals
    1. A consumer’s social security, driver’s license, state identification card, or passport number
    2. A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
    3. A consumer’s precise geolocation
    4. A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
    5. The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication
    6. A consumer’s genetic data
  2. The processing of biometric information for the purpose of uniquely identifying a consumer
  3. Personal information collected and analyzed concerning a consumer’s health
  4. Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation

Requirements for Handling Sensitive Personal Information

The overall structure of this right is similar to the right to opt out. Businesses are still allowed to collect sensitive personal information, but consumers have a say in how that information is used and disclosed. Specifically, it gives consumers the right to request that a business:

Limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.

If a business collects sensitive personal information but already restricts its use to what is necessary to perform its services (and is reasonably expected by the average consumer), that business does not need to take any action when it receives a consumer request. A business that goes beyond necessary use of sensitive personal information, e.g., selling it to a third party, is required to stop that additional use upon receiving a consumer’s request.

Businesses that use sensitive personal information for additional purposes are required to disclose that use in their privacy policy, as well as provide a conspicuous “Limit Use of My Sensitive Personal Information” link on their homepage.

Sensitive personal information collected without the purpose of inferring characteristics about a consumer is not subject to these requirements. Future regulations are expected to provide more clarity on what this means and what qualifies as necessary use.

Next: CCPA Enforcement and Penalties

The CCPA presents businesses with a host of new data privacy terms, rules, and rights which they must learn and apply to their daily operations. When confronted with all these details, the next question business leaders often have is, “What happens if we’re not CCPA compliant?”

The next chapter, “CCPA Enforcement and Penalties,” helps businesses understand the various costs of non-compliance.