The California Consumer Privacy Act (CCPA)
The CCPA was passed in 2018 and amended in 2020 by the California Privacy Rights Act (CPRA). The two together are referred to as the CCPA.
What You Need to Know About the CCPA
The CCPA applies to you if your business:
- Is for-profit, operates in California, and
- Annually:
- Has a gross revenue of at least $25 million in the proceeding calendar year, OR
- Annually buys, sells, or shares PI of 100,000 or more California consumers or households, OR
- Derives 50% or more of its annual revenues from selling or sharing consumers’ PI.
The CCPA exempts both certain data types and certain entities entirely. However, unlike every other state data privacy law, the CCPA does apply to individuals acting in an employment or commercial (B2B) context.
Exempt Data: The CCPA exempts many different types of data from coverage under the law. Below is a list of the more commonly held data types that are exempt under the law. For a complete list, refer to the law or reach out to us at Red Clover Advisors, we would be happy to help you understand how your various data types effect your privacy obligations.
- PI collected as part of a clinical trial or other biomedical research study
- PI subject to GLBA and to the CA Financial Information Privacy Act
- Protected Health Information (HIPAA) or the
- PI covered by FCRA
- Certain student records under the CA Educational Code
- PI subject to the Driver’s Privacy Protection Act of 1994
- PI processed in compliance with the Farm Credit Act
- Vehicle/ownership information retained/shared between new motor vehicle dealer and manufacturer (with conditions, only opt out right only)
- Vessel ownership information under the Harbors and Navigation Code (with conditions. only opt out right exempt)
Exempt Entities:
- Government agencies
- Non-profits
- Sole proprietorships
Context: California provides very limited exemptions compared to other state’s data privacy laws, even covering B2B data and employee data. The lack of exemptions is one of the many reasons the CCPA is one of the most closely followed privacy laws in the United States.
- Review and update your privacy notice to specify the business purpose for collecting and processing PI.
- Review whether you process sensitive PI and ensure you provide a method for consumers to opt out of the processing if so.
- Review your PI disclosures carefully! Common analytics tools, behavioral marketing cooperatives, and other tools that use cookies may invoke a sale or share under the CCPA.
- Ensure you offer appropriate privacy notices and that they’re accessible as per CCPA and its regulations.
- Ensure you have appropriate methods for consumers to exercise their rights and a process for responding to individual rights requests.
- Ensure vendor contracts include appropriate privacy protections.
- Update your online platforms to recognize universal opt-out mechanisms, such as the Global Privacy Control (GPC).
Key Components of CCPA
The CCPA defines “personal information” as: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The statute includes a long list of what counts as PI, including online identifiers and IP addresses. The inclusion of those two is particularly broad, meaning many things one would not normally expect to be PI are captured.
Uniquely for the US, B2B data (such as business contact information) and employee data is included in the definition of personal information.
De-identified data is exempt from CCPA requirements. Where a business processes de-identified data, the CCPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with the CCPA rules on de-identification.
The CCPA designates the following categories of PI as Sensitive Personal Information:
- Social Security, driver’s license, state identification card, or passport numbers;
- account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- Racial or ethnic origin;
- Religious or philosophical beliefs;
- Union (trade) membership;
- Mail, email, and text messages contents unless the business is the intended recipient of the communication;
- Mental or physical condition or diagnosis;
- Sex life or sexual orientation;
- Citizenship or immigration status;
- Precise geolocation data; and
- Genetic or biometric data.
In a word: No! The CCPA functions under an opt-out structure.
Parental consent is required to process PI about a known child (under 13) in accordance with COPPA, and individual consent is required to sell the Personal Information of a person under 16.
Under the CCPA, a privacy notice must include:
- The categories of Personal Information collected in the preceding 12 months;
- The categories of Personal Information sold or shared in the preceding 12 months;
- If did not sell or share disclose as such.
- The categories of sources of Personal Information;
- The business or commercial purpose for collection, selling, or sharing;
- Whether you sell or share the PI;
- The categories of third parties with which Personal Information is shared;
- The categories of Personal Information that are shared with third parties;
- A description of consumer’s rights and how to exercise them;
- Retention period or method for determining the retention;
- Make available to consumers two or more methods for submitting requests: including at minimum, a toll-free phone number or if you operate exclusive online an active email address.
Sale means selling, renting, releasing, disclosing, disseminating, making available or transferring a consumer’s personal information by the business to a third party for monetary or other valuable consideration.
Sharing means sharing, renting, releasing, disclosing, disseminating, making available or transferring a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
Service providers or contractors collecting Personal Information pursuant to the written contract with the business required by the CCPA and its regulations does not constitute a sale or sharing of Personal Information.
Note: The breadth of this definition means many activities that businesses engage in may unintentionally be considered a “sale” under CCPA. One example is analytics tools, as both parties may receive value from the arrangement. Situations where the provider of the tool uses the PI collected for their own purposes and the client gets the tool for free or low cost May be considered “valuable consideration” under CCPA.
Unique to California, the CCPA grants enforcement authority to both the Attorney General and a dedicated privacy body, the California Privacy Protection Agency. Additionally, there is a limited private right of action for certain data breaches as a result of a business’s failure to implement and maintain reasonable security procedures and practices. That private right is eligible to recover financial damages ranging from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
Unintentional violations are subject to civil penalties of up to $2,500 per violation, while intentional violations can incur penalties of up to $7,500 per violation. CCPA no longer offers businesses a right to cure period.
Privacy Rights
The individual rights available under the CCPA are as follows:
- Right to know whether a business is processing your Personal Information;
- Right to access Personal Information;
- Right to Correct inaccuracies in Personal Information;
- Right to delete Personal Information;
- Right to limit the use and disclosure of Sensitive Personal Information
- Right to obtain a copy of Personal Information (data portability); and
- Right to opt out of the sale or sharing of Personal Information
- This includes the right to opt out of sale or sharing for targeted advertising or profiling as part of automated decision making (profiling is covered by draft regulations and is not yet final)
- Right not to be subject to discrimination
CCPA requires that businesses acknowledge right to know/access, correct, and delete requests within 10 business days, with a full response within 45 days. Opt-out requests must be fulfilled within 15 business days (Sale or Sharing, Limit Use of Sensitive Personal Information). Businesses can extend their response time by 45 additional days with notification to the consumer.
Individuals are limited to two access requests per 12 months. Businesses can charge a reasonable fee or refuse to act on requests that are unfounded or excessive (such as being extremely repetitive). Businesses must notify consumers of the refusal and the reason for refusing the request.
Privacy Risk Assessments (Privacy Impact Assessments aka PIAs)
CCPA tasks the California Privacy Protection Agency (CPPA) to require businesses to conduct annual risk assessments on processing that represents significant risk to consumers’ privacy or security. However, the CPPA has yet to finalize the regulations.
Draft rules indicate that the rules will be a blend of what is required under the GDPR and under other state laws like the Colorado Privacy Act. Expect the trigger to be activities such as:
- Processing for targeted advertising;
- Processing sensitive data;
- Selling Personal Information;
- Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of
- Unfair or deceptive treatment or unlawful disparate impact on consumers;
- Financial, physical or reputational injury to consumers;
- Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person; or
- Other substantial injury.
Vendor Contracts
Like most other state consumer privacy laws, California requires a contract that dictates how vendors (also called service providers or processors) may process Personal Information. Contracts must include the nature and purpose of processing, the type of data that is subject to processing, and specify the rights and obligations of both parties and require the vendor to:
- Process PI only as instructed in the contract;
- Comply with applicable privacy and data protection laws;
- Maintain appropriate security;
- Assist the business in its compliance efforts;
- Allow and cooperate with audits by the controller, or an independent auditor to review its policies and practices, and provide a report of the assessment to the controller; and
- Pass along the same obligations to any subcontractors in a written contract.
Business Purpose Requirements
CCPA requires businesses to identify the business purpose for processing PI. The business purpose must be disclosed to the consumer in the privacy notice.
The CCPA includes a list of acceptable purposes, which encompasses the appropriate ways PI can be used. These purposes include auditing, performing services on behalf of the business, and internal research. Note that almost all uses of PI can likely fit one of the business purposes listed in the law, such that identifying the purpose for processing activity should be relatively straight forward.
Data Privacy is Just Good Business
In light of the sheer volume of state consumer privacy laws being proposed and passed, managing privacy compliance may seem daunting. But, you don’t have to go at it alone!
With the right support, you can embed data privacy measures in your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve privacy compliance, support business goals and build and maintain consumer trust.
