As the United States' first comprehensive data privacy law, the California Consumer Privacy Act (CCPA) is a landmark piece of legislation. It promotes transparency on the part of businesses and gives Californians more control over how their personal data is collected, used, and sold.
Here are the CCPA's key features at a glance.
As a California law, the CCPA grants privacy rights to California residents ("consumers"), defined as:
It's an inclusive definition that does not require a business-customer relationship. Employees and job applicants are considered consumers, though there are some temporary exemptions in place regarding their privacy rights, currently set to expire on January 1, 2023.
The CCPA's definition of a business is a for-profit entity that collects personal information, does business in California, and meets at least one of these three thresholds:
The third threshold requirement can be a bit deceptive. Under the CCPA’s definition, “selling” personal information covers a lot of everyday activity, including the use of interest-based advertising. For example, when a customer clicks on a retargeting ad and makes a purchase, that revenue is “derived” from selling consumers’ personal information and should be included in this threshold calculation.
In some limited circumstances, the CCPA can also apply to nonprofit organizations.
Effective January 1, 2023, the California Privacy Rights Act (CPRA) changes the second threshold requirement to: "Businesses that buy, sell, or share the personal information of 100,000 consumers or households." Beyond raising the number to 100,000, this change also relaxes the threshold by not counting individual devices or when businesses simply "receive" personal information.
The CCPA only applies to "personal information", which is defined in the statute as:
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The key component to this expansive definition is the connection between the information and a particular person or household. Here are just a few examples of data that the CCPA considers to be personal information.
There are a few categories of data that are specifically not personal information. These include publicly available information and information collected in accordance with federal laws such as HIPAA, GLBA, and FCRA.
Under the CCPA, consumers have four distinct data privacy rights:
The CPRA adds two new rights, which will go into effect on January 1, 2023:
The California Attorney General currently has the exclusive authority to enforce the CCPA. Any business thought to be in non-compliance must be given 30 days to cure any violations. After that period, violators can face injunctions and fines of up to $2,500 per violation or up to $7,500 per intentional violation.
When the CPRA goes into effect on January 1, 2023, the newly created California Privacy Protection Agency (CPPA) will take over enforcement of the data privacy law. This first-of-its-kind state agency is already fully funded and is expected to significantly increase CCPA enforcement actions.
The CCPA does not create a private right of action for consumers to sue businesses over violations of their privacy rights. However, it does create a private right of action for consumers in the event of a data breach. According to the CCPA, consumers can sue a business if their nonencrypted and nonredacted personal information is subject to unauthorized access due to the business's failure to implement and maintain reasonable security procedures. Plaintiffs can recover statutory damages of up to $750 per consumer per incident, or actual damages, whichever is greater. This provision is likely to give rise to a new type of class-action lawsuit.
The CCPA takes a lot of inspiration from the European Union's General Data Protection Regulation (GDPR), but they are not identical. They use different definitions, have slightly different consumer rights, and are enforced differently. In many ways, the GDPR is more stringent, so businesses that are already compliant with the European law should find it easy to become CCPA compliant.
In 2020, voters approved the California Privacy Rights Act (CPRA), sometimes called CCPA 2.0. The CPRA makes quite a few significant amendments to the CCPA, most of which will go into effect on January 1, 2023. Among the most important changes are:
Becoming CCPA compliant requires an examination of your business's current data practices from every angle, as well as a complete understanding of how the law's various components work together. The process can be divided into four steps:
CCPA compliance is a major project, but TrueVault Polaris makes it much more manageable. Designed by attorneys, this innovative automation tool guides your team through every step, helping you reach compliance in less time and with less expense. Contact us today to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.