03 March 2020
The California Consumer Privacy Act of 2018 (CCPA) is a privacy law that was passed on June 28, 2018 and took effect on January 1, 2020. This law has a significant impact on consumers and certain businesses.
California has consistently passed laws which aim to protect its residents' privacy, such as the California Online Privacy Protection Act (CalOPPA) and the "Shine the Light" law, and the CCPA is no exception.
Some of the more significant changes that the CCPA introduces include:
To understand the types of people and activities the CCPA applies to, it's important to get to grips with the way it defines certain terms.
The CCPA uses the term "business" in a very narrow way.
You may know that the EU's recent privacy law, the General Data Protection Regulation (GDPR), has an extremely broad scope. It applies to any person or organization offering goods or services in the EU - it doesn't matter if it's a single website admin who provides their services for free, or a multi-billion dollar international corporation.
Similarly, another of California's major privacy laws, CalOPPA, has implications for all operators of commercial websites and online services accessible within California.
Whilst the CCPA is significant in its effects on all California residents, not all businesses will have to worry about complying with it.
Where the CCPA refers to a "business," it means a legal entity that has the following characteristics:
The CCPA brings a host of new rights to consumers. "Consumer" means a California resident, as defined at 18 CCR § 17014:
"(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose."
This effectively means anyone who lives in California, even if they are temporarily outside of California, e.g. on vacation. The definition doesn't cover visitors to California.
Personal information is defined in the CCPA as:
"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
This is a very broad definition, and it's noteworthy that it extends to a "household." Specific examples are given in the CCPA. These include a person's:
The CCPA also lists general categories of data that must be considered personal information, such as:
This is not an exhaustive list of the examples given in the CCPA.
Any individual one of these things may not identify a person on its own - but the key word is "indirectly" - if something could be used to identify a person in combination with other information, it should be treated as personal information.
A service provider is a company that "processes information on behalf of a business [...]." The business decides how and why personal information is processed, and the service provider merely does as instructed by the business. This might be, for example, an email provider like MailChimp, or an eCommerce company like BigCommerce.
If you're familiar with the GDPR, you'll know that it applies to data controllers, who decide how and why personal data is processed - roughly equivalent to "businesses" under the CCPA. It also applies to data processors, who carry out processing on behalf of a data controller - like "service providers" under the CCPA.
It's worth noting that the CCPA applies to businesses, but does not apply to service providers.
The CCPA requires that businesses reveal certain information in their Privacy Policies.
Before a business collects personal information about a consumer, it must tell them what types of personal information it is collecting, and how it will use each type of personal information it collects.
Here's one of the ways that Google fulfills the first part of this requirement:
Here's how Workspace sets out its users' rights under the GDPR, and how they can access them:
Businesses must also reveal the types of third parties they share personal information with.
The CCPA introduces some new consumer rights. Some of these look a little like the data subject rights under Chapter 3 of the GDPR.
One additional requirement on businesses is to:
"Provide a clear and conspicuous link on the business' Internet homepage, titled 'Do Not Sell My Personal Information,'"
Those who are familiar with the GDPR's "right to be forgotten" might be a little underwhelmed by the CCPA's right to deletion.
The CCPA states that a consumer:
"has the right to request that a business delete any personal information about the consumer which the business has collected from the consumer."
The business also has to contact any service providers with whom they have shared the consumer's personal information and request that they delete the consumer's personal information as well.
Note that the business is only obligated to delete personal information it has collected from the consumer - this doesn't explicitly include personal information it has collected from third parties.
There are also a lot of reasons that a business might not have to carry out this request, for example:
It remains to be seen how meaningful this right will actually end up being, given all these exceptions.
The CCPA provides consumers with the right to access their personal information. Businesses covered by the CCPA that collect consumers' information must provide the following on request:
Additionally, where a business sells (or discloses for a commercial purpose) consumers' personal information, the following additional information can be requested by the consumer:
If the business has not done either of these things, it must disclose this.
The information must cover the preceding 12-month period and must be provided in a "readily useable" format (for example, an HTML file), free of charge and within 45 days. An additional 45-day extension to this period is possible when reasonably necessary.
The idea is that the consumer can then take their information to another business. Unlike under the GDPR, a business isn't obligated to carry out this transfer itself.
The consumer's identity must be verified first. Businesses aren't required to comply with such requests from the same consumer more than twice in a 12-month period.
Here's how Facebook complies with a similar obligation under the GDPR:
There is an exception to this obligation - if the consumer only carried out a single transaction with the business, and the business hasn't sold the personal information it acquired from this transaction. In this case, the business isn't obliged to retain this information just in case the consumer requests access to it.
This is perhaps the CCPA's headline provision. Businesses not only have to give consumers the option to forbid the sale of their personal information; they also have to make it easy for them to do this by:
A business can invite a consumer to opt back in, but only after 12 months of them opting out.
Whilst this right is actually narrower in scope than the right to object and the right to restrict processing under the GDPR, it's possible that the right to opt out will have a bigger impact on businesses. This is because of the conspicuous way that businesses must draw their consumers' attention to this right.
That being said, any business that's complying with the GDPR should already have systems in place for carrying out data restriction and objection requests.
Rather than a "right to opt out," minors (children) have a "right to opt in." The Privacy Rights for California Minors in the Digital World Act defines a "minor" as a California resident under the age of 18.
There are some specific rules around selling the personal information of minors:
There's little point in having consumer rights if a business can "punish" consumers who exercise them. In this vein, the CCPA states that:
"A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights [...]"
The CCPA suggests four ways in which a business might discriminate:
Businesses that infringe the CCPA will be fined up to $7,500 per violation. This might sound like a relatively small amount in comparison to the GDPR's eye-watering maximum fine of €20 million or 4 percent of annual global turnover, but it will quickly add up if large-scale or repeated infringements occur.
Twenty percent of the fine will be paid into the newly created Consumer Privacy Fund. This fund is supposed to cover the costs of enforcing the CCPA.
Consumers can also bring civil claims against businesses on the grounds of:
"unauthorized access and exfiltration, theft, or disclosure [of personal information] as a result of the business' violation of the duty to implement and maintain reasonable security procedures [...]"
The claims must be for amounts between $100 and $750 - or more if the infringement caused an actual loss to the consumer of more than $750. Again, this can quickly add up to millions of dollars, even where a relatively small fraction of California's residents are involved in a security breach.
The CCPA doesn't introduce any specific new obligations on businesses to keep personal information secure or to inform consumers of a data breach. These obligations are covered in existing laws such as California Civil Code § 1798.82. However, the CCPA's broader definition of personal information means that breach reporting is likely to become more common.
Whilst the CCPA might not have the same far-reaching implications as the GDPR, it still places a number of new obligations on businesses, and will empower California residents with some important new rights over their personal information.
Certain large businesses and data brokers must:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.