California Consumer Privacy Act

What you need to know about the CCPA:

To Whom Does the CCPA Apply?

The CCPA applies to for-profit entities that:

  1. Operate in California, and
  2. Annually:
    1. Have a gross revenue of at least $25 million in the preceding calendar year, or
    2. Buy, sell, or share personal information of at least 100,000 California consumers or households, or
    3. Derive at least 50% of their annual revenue from selling or sharing consumers’ personal information.

Where Does the CCPA NOT Apply?

Exempt Entities: California provides limited entity-level exemptions compared to other states. Exempt entities include:

  • Government agencies;
  • Non-profits; and
  • Sole proprietorships.

Exempt Data: The CCPA exempts a long list of information, including but not limited to:

  • PI collected as part of a clinical trial or other biomedical research study;
  • PI subject to GLBA and to the CA Financial Information Privacy Act;
  • Protected Health Information under HIPAA;
  • PI covered by Fair Credit Reporting Act;
  • Certain student records under the CA Educational Code;
  • Data covered by a wide variety of other federal laws including Family Educational Rights, Farm Credit Act, and Privacy Act, and Driver’s Privacy Protection Act;
  • Vehicle/ownership information retained or shared between a new motor vehicle dealer and the manufacturer (with conditions; only the opt-out right is exempt); and
  • Vessel ownership information under the Harbors and Navigation Code (with conditions; only the opt-out right is exempt).

Exempt Use Cases:

The CCPA is unique in that it does not exempt personal information processed for employment or B2B purposes.

The CCPA specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:

  • conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • product recalls;
  • identifying and repairing technical errors that impair existing or intended functionality; and
  • performing internal operations.

Key Components of CCPA

What Constitutes Personal Information Under CCPA?

The CCPA covers “personal information,” or PI, which it defines as: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The statute includes a long list of what counts as PI, including online identifiers and IP addresses. The inclusion of those two is particularly broad, bringing into scope information that one generally may not consider as PI.

Note: The CCPA applies to B2B and employee information; this is unique among U.S. state consumer privacy laws.

What Constitutes Sensitive PI?

California’s definition of sensitive PI includes the following information where that information is not publicly available information:

  • Social Security, driver’s license, state identification card, or passport numbers;
  • Account login credentials, financial account, debit card, or credit card number in combination with any required security or access code, or password;
  • Racial or ethnic origin;
  • Religious or philosophical beliefs;
  • Union membership;
  • Content of personal communications unless the business is the intended recipient of the communication;
  • Mental or physical condition or diagnosis;
  • Sex life or sexual orientation;
  • Citizenship or immigration status;
  • Precise geolocation data; and
  • Genetic or biometric data processed for identification purposes.

Any Other Categories of Data I Should Think About?

De-identified data is exempt from CCPA requirements. Where a business processes de-identified data, the CCPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with the CCPA rules on de-identification.

Notably, unlike under other state privacy laws, pseudonymization of data grants little benefit under the CCPA; outside of research scenarios, it does not change compliance obligations.

Note: The CCPA uses the terms de-identification, pseudonymization and aggregation imprecisely. It also bestows on de-identification a higher level of anonymization than pseudonymization, and this imprecision has caused some confusion around when that level is achieved.

Is Consent Needed to Process Sensitive Data?

In a word: NO!

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI about a known child (under 13) in accordance with COPPA, and individual consent is required to sell the PI of a person under 16.

Consent is also required for businesses to enter consumers into a financial incentive program.

What Needs to Be Included in the Privacy Notice?

Under the CCPA, a privacy notice must include:

  • The categories of PI collected in the preceding 12 months;
  • The categories of sources of PI;
  • The business purpose for collection, selling, or sharing PI;
  • Whether you sell or share the PI;
  • The categories of PI disclosed in the preceding 12 months by category;
  • The categories of PI sold or shared in the preceding 12 months by category;
  • The categories of third parties with which PI is shared;
  • The categories of PI that are shared with third parties;
  • Privacy rights;
  • Methods for a consumer to exercise their privacy rights (see below)
    • At least two methods including, at minimum, a toll-free phone number or, if you operate exclusively online, an active email address.
  • Retention period or method for determining the retention period.

What Constitutes Sale and Sharing of PI?

California defines “sale” as selling, renting, releasing, disclosing, disseminating, making available or transferring a consumer’s PI by the business to a third party for monetary or other valuable consideration.

California defines “sharing” as sharing, renting, releasing, disclosing, disseminating, making available or transferring a consumer’s PI by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

Disclosure of PI to service providers or contractors that collect it pursuant to a written contract with the business, as required by the CCPA and its regulations, does not constitute selling or sharing PI.

How is the CCPA enforced?

Unique to California, the CCPA grants enforcement authority to both the Attorney General and a dedicated privacy body, the California Privacy Protection Agency. Additionally, there is a limited private right of action for certain data breaches due to a business’s failure to implement and maintain reasonable security procedures and practices. Consumers may be eligible to recover financial damages ranging from $100 to $750 per consumer per incident, or actual damages, whichever is greater.

Unintentional violations are subject to civil penalties of up to $2,500 per violation, while intentional violations can incur penalties of up to $7,500 per violation. CCPA’s right to cure sunsetted January 1, 2023.

Data Privacy is Just Good Business