The California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act was passed in 2018 and amended in 2020 by the PRA). The two together are referred to as the CCPA. CCPA is a stand-out privacy law among states, with privacy rights for employees, prescriptive rules around opt-outs, attorney general regulations, and the creation of a privacy regulatory agency, the California Privacy Protection Agency (CPPA).

Book a Free Consultation

What You Need to Know About the CCPA

To Whom Does the CCPA Apply?

The CCPA applies to for-profit entities that:

  1. Operate in California, and
  2. Annually:
    1. Have a gross revenue of at least $25 million in the proceeding calendar year, or
    2. Annually buy, sell, or share personal information of at least 100,000 California consumers or households, or
    3. Derives at least 50% of their annual revenue from selling or sharing consumers’ personal information.
Where Does the CCPA NOT Apply?

Exempt Entities: California provides limited entity-level exemptions compared to other states. Exempt entities include:

  • Government agencies;
  • Non-profits; and
  • Sole proprietorships.

Exempt Data: The CCPA exempts a long list of information, including but not limited to:

  • PI collected as part of a clinical trial or other biomedical research study;
  • PI subject to GLBA and to the CA Financial Information Privacy Act;
  • Protected Health Information under HIPAA;
  • PI covered by Fair Credit Reporting Act;
  • Certain student records under the CA Educational Code;
  • Data covered by a wide variety of other federal laws including Family Educational Rights, Farm Credit Act, and Privacy Act, and Driver’s Privacy Protection Act;
  • Vehicle/ownership information retained/shared between new motor vehicle dealer and manufacturer (with conditions, only opt out right only); and
  • Vessel ownership information under the Harbors and Navigation Code (with conditions. only opt out right exempt).

Exempt Use Cases:

The CCPA is unique in that it does not exempt personal information processed for employment or B2B purposes.

The CCPA specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:

  • conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • product recalls;
  • identifying and repairing technical errors that impair existing or intended functionality; and
  • performing internal operations.

Key Components of CCPA

What Constitutes Personal Information Under CCPA?

The CCPA covers “personal information,” or PI, which it defines as: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The statute includes a long list of what counts as PI, including online identifiers and IP addresses. The inclusion of those two is particularly broad, bringing into scope information that one generally may not consider as PI.

Note: CCPA is applicable to B2B and employee information, this is unique among U.S. state consumer privacy laws.

What Constitutes Sensitive PI?

California’s definition of sensitive PI includes the following information where that information is not publicly available information:

  • Social Security, driver’s license, state identification card, or passport numbers;
  • Account login credentials, financial account, debit card, or credit card number in combination with any required security or access code, or password;
  • Racial or ethnic origin;
  • Religious or philosophical beliefs;
  • Union membership;
  • Content of personal communications unless the business is the intended recipient of the communication;
  • Mental or physical condition or diagnosis;
  • Sex life or sexual orientation;
  • Citizenship or immigration status;
  • Precise geolocation data; and
  • Genetic or biometric data processed for identification purposes.
Any Other Categories of Data I Should Think About?

De-identified data is exempt from CCPA requirements. Where a business processes de-identified data, the CCPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with the CCPA rules on de-identification.

Notably, unlike other state privacy laws, Pseudonymization of data grants little benefit under the CCPA and outside of research scenarios, it does not impact compliance obligations.

Note: The CCPA uses the terms de-identification, pseudonymization and aggregation imprecisely. It also bestows on de-identification a higher level of anonymization than pseudonymization, and this imprecision has caused some confusion around when that level is achieved.

Is Consent Needed to Process Sensitive Data?

In a word: NO!

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI about a known child (under 13) in accordance with COPPA, and individual consent is required to sell the PI of a person under 16.

Consent is also required for businesses to enter consumers into a financial incentive program.

What Needs to Be Included in the Privacy Notice?

Under the CCPA, a privacy notice must include:

  • The categories of PI collected in the preceding 12 months;
  • The categories of sources of PI;
  • The business purpose for collection, selling, or sharing PI;
  • Whether you sell or share the PI;
  • The categories of PI disclosed in the preceding 12 months by category;
  • The categories of PI sold or shared in the preceding 12 months by category;
  • The categories of third parties with which PI is shared;
  • The categories of PI that are shared with third parties;
  • Privacy rights;
  • Methods for a consumer to exercise their privacy rights (see below)
    • At least two methods including, at minimum, a toll-free phone number or if you operate exclusive online an active email address.
  • Retention period or method for determining the retention period;
What Constitutes Sale and Sharing of PI?

California defines “sale” as selling, renting, releasing, disclosing, disseminating, making available or transferring a consumer’s PI by the business to a third party for monetary or other valuable consideration.

California defines “sharing” as sharing, renting, releasing, disclosing, disseminating, making available or transferring a consumer’s PI by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

Service providers or contractors collecting PI pursuant to a written contract with the business required by the CCPA and its regulations does not constitute selling or sharing PI.

How is the CCPA enforced?

Unique to California, the CCPA grants enforcement authority to both the Attorney General and a dedicated privacy body, the California Privacy Protection Agency. Additionally, there is a limited private right of action for certain data breaches due to a business’s failure to implement and maintain reasonable security procedures and practices. Consumers may be eligible to recover financial damages ranging from $100 to $750 per consumer per incident, or actual damages, whichever is greater.

Unintentional violations are subject to civil penalties of up to $2,500 per violation, while intentional violations can incur penalties of up to $7,500 per violation. CCPA’s right to cure sunsetted January 1, 2023.

Privacy Rights

 

If CCPA applies to your business, you must provide the following privacy rights to consumers:

  • Right to know whether a business is processing your PI;
  • Right to access PI;
  • Right to correct inaccuracies in PI;
  • Right to delete PI collected from them;
  • Right to limit the use and disclosure of Sensitive PI
  • Right to obtain a copy of PI (data portability); and
  • Right to opt out of the sale or sharing of PI.
    • This includes the right to opt out of sale or sharing for targeted advertising or profiling as part of automated decision making (profiling is covered by draft regulations and is not yet final)
  • Right not to nondiscrimination.

CCPA and its regulations require that businesses acknowledge right to access, correction, and deletion requests within 10 business days, with a full response within 45 days. Opt-out requests must be fulfilled within 15 business days (sale or sharing and limiting processing of Sensitive PI)​. Businesses have the option to extend their response time by 45 additional days with notification to the consumer in limited circumstances.

Businesses are only obligated to comply with two access requests per consumer in a 12-month period. Businesses can charge a reasonable fee or refuse to act on requests that are unfounded or excessive (such as being extremely repetitive). Businesses must notify consumers of the refusal and the reason for refusing the request.

Business Friendly Exceptions to the Right to Delete:

The CCPA right to delete can be denied for a variety of reasons useful for organizations, including, but not limited to, circumstances when the PI is reasonably necessary for:

  • Completing transactions, fulfilling warranty or product recall terms, providing requested or anticipated goods or services, or performing contracts between the business and the consumer;
  • Debugging to ensure security and integrity;
  • Identifying and repairing errors that impair existing intended functionality; and
  • Performing internal operations.

Universal Opt Out

 

The CCPA requires that controllers recognize universal opt out signals. Universal opt-out, or global privacy control, is a technical standard that enables users to automatically communicate their privacy preferences, such as opting out of the sale of their personal information, to websites through their web browser or other technologies.

Privacy Impact Assessments

 

CCPA tasks the California Privacy Protection Agency (CPPA) with creating regulations that would require businesses to conduct annual privacy and security risk assessments for high-risk processing. However, the CPPA has yet to finalize the regulations.

Draft rules indicate that the rules will be a blend of what is required under the GDPR and many other state laws. Expect the triggers to be activities such as:

  • Processing for targeted advertising;
  • Processing sensitive PI;
  • Selling PI;
  • Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of
  • Unfair or deceptive treatment or unlawful disparate impact on consumers;
  • Financial, physical or reputational injury to consumers;
  • Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person; or
  • Other substantial injury.

Vendor Contracts

 

California requires controllers to have a contract in place with vendors that dictates obligations with respect to processing PI. Contracts must include:

  • The nature and purpose of processing;
  • Type of data that is subject to processing;
  • Prohibition on further selling or sharing of the PI;
  • Combining the PI with with information it collects from other controllers or consumers;
  • Obligation to process PI only as instructed in the contract;
  • Obligation to comply with applicable privacy and data protection laws;
  • Maintain appropriate security;
  • Assist the business in its compliance efforts;
  • Allow and cooperate with audits by the controller, or an independent auditor to review its policies and practices, and provide a report of the assessment to the controller; and
  • Pass along the same obligations to any subcontractors in a written contract.

Data Minimization

 

Under CCPA, businesses must identify the business purpose for processing PI and disclose it in the privacy notice.Additionally, the CCPA states that businesses should only collect PI that is necessary for or compatible with the purposes that it was collected. The purposes should align with the reasonable expectations of the consumer and be notified to them. Where the business uses or collects PI for additional or incompatible purposes the business must provide additional notice.

The CCPA includes a list of acceptable purposes, which encompasses the appropriate ways PI may be used. These purposes include auditing, performing services on behalf of the business, internal research, and more.

Data Privacy is Just Good Business

In light of the sheer volume of state consumer privacy laws being proposed and passed, managing privacy compliance may seem daunting. But, you don’t have to go at it alone!

With the right support, you can embed data privacy measures in your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve privacy compliance, support business goals and build and maintain consumer trust.

Book a Free Consultation