California Consumer Privacy Act: Everything You Need to Know About CCPA, the New California Data Privacy Law

California Consumer Privacy Act Everything You Need to Know About CCPA the New California Data Privacy Law

The California Consumer Privacy Act (CCPA) seemed to appear out of nowhere as it passed the desk of Gov. Jerry Brown in 2018. In our modern world, you’d be hard-pressed to find a business that doesn’t collect data – especially because many businesses today profit financially from selling consumer data – the new California data privacy law may affect half a million companies across the United States. To help you navigate, we’ve put together a guide of everything you need to know about the California data protection law.

Table of Contents

What law are we talking about?

When does it take effect?

Why is this significant?

Where did this law come from?

Is the bill similar to GDPR?

Who does CCPA protect?

What does CCPA protect?

What businesses must comply with CCPA?

How do I know if my organization collects or sells information?

How does CCPA apply to third parties?

How does CCPA define “personal information”?

What must businesses do to comply?

How will the law be enforced?

What is the penalty?

What’s next?

Additional resources

What law are we talking about?

The California Consumer Privacy Act of 2018 (AB 375) was signed into law on June 28, 2018, by California Gov. Jerry Brown. It’s described as landmark policy, and is the first major data privacy law passed in the United States. Generally, it guarantees Californians the right to:

  • Know what personal information is being collected about them
  • Know whether their personal information is sold or disclosed, and to whom
  • Access their personal information

When does it take effect?

The law goes into effect January 1, 2020 and enforcement begins on July 1, 2020.

Why is this significant? CEO Marc Benioff applauded the new law, saying it could help ease the “crisis of trust” between the technology industry and consumers. He also spoke in support of a national privacy law similar to the EU’s recent General Data Protection Regulation (GDPR).

“Our customers’ data belongs to them,” Benioff said. “It’s their data. I think in some cases, companies that are startups and next-generation technologies here in San Francisco, they think that data is theirs.”

The passage of CCPA is significant for several reasons:

  • Consumers have become more aware of how little control they have over their data. Facebook’s Cambridge Analytica scandal and other privacy missteps contributed to the social network’s recent $5 billion fine from the FTC. Google has repeatedly faced FTC scrutiny over user privacy violations, and paid $22.5 million over its use of activity-tracking cookies on users of the Apple Safari web browser. People around the world are beginning to see the impact of a data-for-service model, and grassroots movements are aligning with legislative power to return control of their data to their own hands.
  • The sweeping protection of GDPR went into effect on May 25, 2018. As with CCPA, GDPR protects EU citizens and residents but applies to any company worldwide that collects, stores, or sells personal data of consumers from the EU.
  • California has often led the way in codifying privacy protections. In 2002, it enacted the first U.S. laws requiring notifications of data security breaches, and in 2004, the first law requiring website privacy policies. In fact, there are roughly 25 existing privacy and security laws in California. Many believe CCPA will motivate other states to create similar laws and may pave the way for national privacy legislation.
  • Many of the world’s technological juggernauts are headquartered in California, particularly Silicon Valley – the birthplace of innovation for Google, Facebook, and many others. It’s notoriously tough to fight the tech giants – CCPA co-author Assemblyman Ed Chau, tried to push a bill requiring internet service providers to seek permission from customers before accessing, selling, or sharing their browser activity, but the bill never made it past the initial committee. The fact that CCPA became law, and so quickly, speaks to its widespread support and the pressure constituents are placing on their legislators to take action.

Where did this law come from?

CCPA was pushed through in just one week’s time and signed hours before the close of the 2017-18 California legislative session – incredibly quick for legislation with such widespread ramifications. The push was in response to a much stricter ballot initiative backed by San Francisco real estate developer Alistair Mactaggart.

Mactaggart says he decided to take on the privacy issue after a Google engineer told him consumers have no idea just how much data online companies have collected on them. Supported by $3.5 million of Mactaggart’s own funds, initiative measure No. 17-0039 received more than 629,000 signatures, which exceeded the amount required to put the issue on the November 2018 ballot.

Mere days before Mactaggart could certify the signatures, California Democrats agreed to push CCPA as a compromise bill in exchange for dropping the initiative. While tech industry lobbyists are no fans of CCPA, the industry agreed not to oppose the bill since the much less favorable ballot initiative had a good shot of passing among voters later that year.

While the ballot initiative is similar to CCPA, there are some notable differences:

  • CCPA moves the effective date from August 2019 to January 1, 2020.
  • The California legislature can modify CCPA by a simple legislative minority, while the ballot measure would have required either another voter ballot or a 70% legislative majority. What’s more, the only modifications the original initiative would have allowed were those that were “consistent with and further the intent of this Act.”
  • CCPA makes it more difficult for consumers to sue noncompliant businesses, putting most of the enforcement action in the hands of the state Attorney General.
  • CCPA affects more companies, as it lowered the threshold to apply to businesses with $25 million annual revenue – half of the $50 million threshold floated by the ballot initiative.

Is CCPA similar to GDPR?

Before CCPA, the headlining privacy regulation was GDPR, and many are quick to compare the two acts. However, CCPA is not as sweeping as GDPR, and it’s different in key ways.

Most notably, U.S. businesses may believe that any GDPR-related compliance measures will make them CCPA-compliant. This is not the case. When compared with GDPR, CCPA:

  • Requires disclosures, communication channels, and other measures not required by GDPR.
  • Defines “personal data” more broadly and includes data on households and devices – not just individuals.
  • Gives Californians greater rights to direct data deletion and to access personal data.
  • More rigidly restricts data sharing for commercial purposes.
  • Makes it more difficult for companies to offer a choice between for-charge and charge-free services based on whether the consumer gives informed, voluntary, specific, and express consent to data monetization.

Who does CCPA protect?

The law applies to any consumer, defined as a “natural person who is a California resident.” This is further defined as:

  1. Any individual in the state for any purpose that’s not transitory or temporary
  2. Any individual who is domiciled in the state but currently or occasionally outside the state for a temporary or transitory purpose

This means that consumers traveling or with partial residence in other states would be protected, so long as their domicile is California. It also means the law applies to business-to-business (B2B) companies as well as business-to-consumer (B2C).

California has the fifth-largest economy in the world – just ahead of the United Kingdom ($2.94 trillion versus $2.81 trillion, respectively) – and 40 million residents. That offers broad protection for a sizeable portion of the world’s population.

What does CCPA protect?

The law gives consumers the right to:

  • Request a record of the types of data an organization holds about them, along with information about how that data is used for business purposes and third-party sharing
  • Request to have their data erased
  • Opt-out of the sale of their data

What businesses must comply with CCPA?

A covered “business” is defined as a for-profit entity that meets one of the three following conditions:

  1. Earns $25 million or more in annual revenue
  2. Buys, receives, or sells the personal data of at least 50,000 consumers or households
  3. Obtains at least half of its revenue selling California residents’ personal data

According to the IAPP, it must also meet all the following conditions:

  1. A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized and operated for the profit or financial benefit of shareholders or other owners
  2. Collects consumers’ personal information, or has someone collect it on its behalf
  3. Alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information
  4. Does business in California

Any entity passing this test will be subject to the law, regardless of its geographic location. It’s estimated the law will apply to more than 500,000 U.S. companies, most of which are small- to medium-sized. It will also impact businesses outside the U.S. as long as they do at least part of their business in California.

One exception is a business where commercial conduct “takes place wholly outside of California.” This is the case when:

  1. The business collected information while the consumer was outside of California
  2. No part of the sale of the consumer’s personal information occurred in California
  3. There was no sale of the personal information collected while the consumer was in California

How do I know if my organization collects or sells information?

The law considers a business to “collect” personal information if it buys, rents, gathers, obtains, receives, or accesses it by any means. This can be active or passive and could even be obtained by observing a consumer’s behavior.

When it comes to selling, it’s not as clear-cut as merely trading data for cash. Simply disclosing data to a third party, so long as it results in financial gain, is activity subject to the law. Under CCPA, a business “sells” personal information when it sells, rents, releases, discloses, disseminates, makes available, transfers, or otherwise communicates it orally, in writing, or by electronic or other means for “monetary or other valuable consideration.” The law contains exclusions for:

  • Consumer consent
  • Communicating a consumer’s opt-out instructions to a third party
  • Data transfers during mergers, acquisitions, bankruptcies, etc.

It also excludes data used for any of seven specific business purposes:

  1. Counting ad impressions
  2. Detecting security incidents
  3. Debugging and repairing functionality
  4. Short-term, non-profiling transient use
  5. Performing services on a business’s behalf (e.g., “data processor” activities like fulfilling orders or processing payment)
  6. Internal research for technological development
  7. Verifying or maintaining the quality and safety of the business’s service or device

How does CCPA apply to third parties?

CCPA states under Section 1798.145 that a business is not liable for a service provider’s violation as long as the business has no “actual knowledge, or reason to believe, that the service provider intends to commit such a violation.” Service providers are similarly not responsible for their customers’ violations.

How does CCPA define “personal information?”

CCPA’s definition of personal information extends far beyond that data typically included in the definition of personally identifiable information (PII), though it does track more closely with the broader list in GDPR. It’s defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” And while it certainly includes the information typically included under PII, it also includes:

  • Aliases
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Biometric information
  • Characteristics of protected classifications under California or federal law
  • Commercial information (i.e., personal property records, purchasing history)
  • Education information
  • Geolocation data
  • Internet activity (i.e., browsing and search history, web tracking data)
  • IP addresses
  • Professional and employment information
  • Inferences drawn from any of the information contained in the definition

Amendments clarified this list by adding that the law doesn’t cover any and all instances of this PII — only PII that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

To the extent that it conflicts with the following laws, CCPA does not encompass:

  • Protected health information collected by a covered entity as defined under federal laws, including HIPAA
  • The sale of information to or from a consumer reporting agency for use in a consumer report consistent with the Fair Credit Reporting Act
  • Personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act of 1994

It may be possible to avoid the law’s scope by de-identifying or pseudonymizing personal information for research or internal analytics purposes. CCPA may also not apply to collection for a single, one-time transaction as long as the collected data is not then sold or re-identified.

What must businesses do to comply with CCPA?

The first obligation businesses have under CCPA (in its current state) is the disclosures. Any disclosures need to be “reasonably accessible” to consumers and updated every 12 months.

Disclosures for collecting data

Businesses collecting (but not necessarily selling) California consumer information must do the following by Jan. 1, 2020:

  • Inform consumers of the categories of personal information to be collected
  • Inform consumers of the purposes for which the categories of personal information should be used
  • Provide notice of the collection of any additional categories of information or use of collected information for any additional purposes taking place after initial disclosures have been made
  • Disclose the consumer’s rights to request deletion of personal information, including limitations to those rights

Disclosures for selling data

For businesses selling personal information about consumers or “disclosing it for a business purpose,” there are additional disclosure obligations. First, in addition to the above, they must release two specific lists:

  • The category or categories of personal information sold in the last 12 months (if it has not been sold, that fact should be stated)
  • The category or categories of personal information disclosed for a business purpose in the last 12 months (if it has not been disclosed, that fact should be stated)

They must also disclose that:

  • Consumer information may be sold
  • Consumers have the right to opt out of the sale of their personal information

As well as:

  • Provide a clear and conspicuous link on the business’ homepage titled “Do Not Sell My Personal Information”
  • Ensure any consumer can access the link without requiring the creation of an account
  • A description of the consumer’s rights to not be discriminated against for restricting the sale of their data
  • Include a description of a consumer’s rights under Section 1798.120 and an additional link to the “Do Not Sell My Personal Information” page in:
    • Its online privacy policy or policies (if the business maintains them)
    • Any California-specific description of consumer privacy rights

Businesses must also have – and clearly post – one or more ways for consumers to submit requests, including, at the bare minimum, a toll-free number.

Finally, they must obtain an express opt-in to sell children’s data. If the minor is between 13 and 16, the child may opt-in themselves; if they are younger than 13, the parent or legal guardian will need to opt in for them.

CCPA Disclosure

How will the law be enforced?

The California Attorney General will enforce the law. CCPA enables two types of enforcement actions:

  1. Under Section 17206 of the California Business and Professions Code, the Attorney General can bring action against a non-compliant business.
  2. Consumers are granted the limited private right of action should a data breach involving unencrypted or unredacted personal information occur.

Per the law, the Attorney General is required to gather public input and establish rules and procedures that further the purposes of certain sections of the Act.

What is the penalty for noncompliance?

For intentional violations not addressed within 30 days, the fine is $7,500 per violation (e.g., per record in the database). Unintentional violations not addressed within 30 days are subject to a $2,500 penalty per violation. 20% of the penalties collected by the State will be allocated to a new “Consumer Privacy Fund.”

What’s next?

After the law’s introduction, legislators expected to pass “cleanup” bills to amend CCPA. The first set of amendments to the law were passed in August 2018. The revised bill contained 45 amendments, but many of them address technical errors. In February 2019, California’s Attorney General and a state Senator introduced Senate Bill 561 to further clarify and provide strength to CCPA.

In October 2019, a day after California Attorney General released proposed regulations implementing CCPA, the California Governor signed all five proposed CCPA amendments (AB 25, 874, 1146, 1355, and 1564) into law. An amendment was also made to California’s data breach law (AB 1130). The amendments did not change any of the fundamental aspects of CCPA, but rather provided clarity to the law by changing some definitions, including exemptions, and revising text. In the lead up to January 1, the attention will now be on the draft regulations proposed by the Attorney General, who will be holding public hearings in California in early December to hear comments.

In the meantime, affected businesses can take the following steps to prepare for CCPA’s implementation:

  • Businesses selling or transferring data for business purposes should inventory all third parties receiving their data. Pay special attention to requirements for “business purpose” transfers, including the duty to inform consumers when such transfers have not taken place.
  • Map and inventory all personal information you collect, use, and store. You’ll also need to map the age of your data subjects to avoid charges that you willfully disregarded the California resident’s age when obtaining opt-in from the minor or their parent/guardian.
  • Begin updating privacy policies, California-specific rights pages, and “Do Not Sell My Information” apparatus (if the latter applies).
  • Consider alternative business models and web/mobile presences, such as California-only sites and offerings.
  • Ensure you have a designated method for submitting data access requests, including, at a minimum, a toll-free number.
  • Begin funding and implementing new systems and processes that can help you comply with new requirements, including:
    • Verifying the identity and authorization of persons making requests for data access, deletion, or portability
    • Respond to requests for data access, deletion, and portability within 45 days
    • Avoid requiring opt-in consent for 12 months after a California resident opts out
  • Monitor your cloud-based and mission-critical applications like Salesforce to ensure any potential breaches or data theft are quickly spotted and remediated. This can help businesses mitigate the cost of a breach by protecting against CCPA’s penalty of up to $750 per resident and incident.
  • Consider aligning yourself with the data privacy movement as a business owner. Check out the resources below for an overview of the issue of data privacy and the potential regulatory and operational impact for affected businesses. Take the opportunity to assess how you’re collecting and handling data and how easy it is to fulfill a consumer’s request. CCPA doesn’t require privacy awareness training like GDPR, but it can be a good opportunity to assess your existing training and implement new training if necessary. That way, all involved team members understand the steps you’re taking to secure your customers’ and contacts’ data.

Additional Resources: