The California Consumer Privacy Act (CCPA) took effect in January of 2020 and is sometimes described as the strongest privacy law in the United States to date. It requires organizations to tell people what personal information they store, to adequately secure the data, and to give people the right to opt out from the organization selling their data.

The CCPA specifically requires that organizations include particular pieces of information in their Privacy Policies, or to publish the information if they don't already have a policy.

If your organization is already affected by other privacy laws such as the California Online Privacy Protection Act (CalOPPA) or the General Data Protection Regulation (GDPR), you may still need to add extra detail to your Privacy Policy.

The Attorney General's implementing regulations and enforcement practice were still being finalized when the law took effect, so some precise measures could still be altered, but the broad principles are unlikely to change.


Timeline of the CCPA

  • The CCPA stems from a proposed California ballot initiative for the November 2018 elections.
  • Rather than wait for the vote on the ballot initiative, California lawmakers produced and passed a bill covering some of the same issues in June 2018.
  • The California legislature was able to amend the passed bill until September 13, 2019, the end of its 2019 session.
  • The act took legal effect on January 1, 2020. Consumers have the right to ask for details of personal data collected in the 12 months before their request, which means data collected from January 1, 2019 can be affected.
  • An implementation period means the Attorney General of California may begin enforcing the law some time after it takes effect. The latest date enforcement can begin is July 1, 2020.

Who and What the CCPA Affects

The CCPA's legislative text refers to a "business" but gives this term a specific meaning. The law applies to any for-profit organization that does business in California and meets at least one of the following three criteria:

  • Its annual gross revenue is more than $25 million.
  • It makes at least half of its annual revenue from selling personal information about consumers.
  • It deals with personal information covering at least 50,000 people, households or devices in California during a year. (This can include buying, receiving, selling or sharing the data.)

If a parent company falls under the scope of the CCPA, any other business it controls (such as a subsidiary) that shares "common branding" will also be under the scope of the CCPA. This applies even if the controlled business doesn't meet any of the criteria.

The CCPA deals with how companies handle "personal information."

It defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The act gives the following examples but notes this isn't an exhaustive list:

  • Names, postal addresses, email addresses or numbers (such as social security or passport)
  • Commercial information such as details of purchases
  • Biometric data
  • Internet records such as browsing or search history
  • Geolocation data
  • Employment and education information

Two key points to remember are:

  • The definition is designed to be very broad (it even mentions "olfactory" information, meaning smells) so it is safest to err on the side of caution when deciding if something counts as personal data.
  • The definition covers inferences rather than just purely objective fact. For example, you might create a list of "impulsive buyers" by cross-referencing the products, prices and timings of previous purchases. The fact that somebody was on this list could count as personal data.

CCPA Principles

The stated aim of the CCPA is to ensure six rights for Californian consumers:

  • To know what personal data you hold about them
  • To access the personal data without charge
  • To know whether you sell or share their personal data (and if so, who gets it)
  • To demand that you don't sell their personal data
  • To demand that you delete their personal data
  • To exercise these rights without it affecting the services and prices you offer

You should keep these in mind when considering and interpreting the specific measures the CCPA requires.

Note that the rules for selling personal data under the CCPA depend on the person's age:

  • You can sell data about people aged 16 or older unless they demand that you don't (opt-out).
  • You can't sell data about people you know to be at least 13 but under 16 unless they actively give you permission to do so (opt-in).
  • You can't sell data about people you know to be under 13 unless their parent or guardian has actively given permission.

CCPA Requirements For Privacy Policies

The CCPA specifically states that you must include the following five pieces of information in your Privacy Policy. If you don't already have a Privacy Policy, you must publish this information on your website and update it at least once every 12 months.

Consumer Rights

You must detail the consumer's rights under the CCPA. This section must also list at least one way in which the consumer can submit a request to exercise these rights, for example by asking to see their personal data or asking whether you sell the data.

Collection of Personal Information

You must list all the types of personal information that you have collected (across all consumers) in the previous 12 months. Specifically you must list the category or categories of data from the following list that most closely match the information you have collected:

  1. Any identifiers. These can include things such as names, mailing addresses, email addresses, passport numbers, IP addresses, etc.
  2. Categories of information described in Section 1798.80(e) of the California Civil Code (the customer-records statute the CCPA cross-references), such as signatures, telephone numbers, driver's license numbers, bank account and credit card numbers, and medical or health insurance information
  3. Characteristics of classifications that are protected under California or federal law (such as race, religion, sex or disability)
  4. Any commercial information obtained, purchased or considered, such as records of personal property, records of products or services purchased or other purchasing or use histories or tendencies
  5. Biometric information
  6. Activity information relating to internet or other electronic networks such as browsing or searching history, or interaction with a website, ad or app
  7. Geolocation information
  8. Audio, visual, thermal, electronic, olfactory or other similar information
  9. Information related to employment or other professional standings
  10. Information related to education
  11. Any inferences drawn using any of the above information in order to profile a consumer and reflect the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

If you haven't collected any personal information, you must say so.

This example from Hotel Cerro's Privacy Policy goes beyond the minimum requirements by giving some detailed examples rather than just listing the categories:

Hotel Cerro Privacy Policy: Information we collect clause excerpt

These examples help a reader really understand what some of the terms mean, such as "Identifier." The column at the far right that says whether or not the information is collected helps meet the requirement that you disclose if you don't collect personal information.

Instead of leaving out a certain type of information if you don't collect it (such as protected classification characteristics under California or federal law seen in part C. of the above screenshot), you can include it and note that you do not collect it.

Selling Personal Information

You must list all the types of personal information about consumers that you have sold in the past 12 months, or state if you haven't sold any consumers' personal information.

Here's how Hotel Cerro does this:

Hotel Cerro Privacy Policy: Personal information sales clause

Since it doesn't sell any personal information, this clause doesn't need to disclose specific categories.

Disclosed Personal Information

You must list all the types of personal information about consumers that you've disclosed in the past 12 months, or state if you haven't done so. This doesn't cover selling information, but does cover any other disclosure done for "a business purpose." Again, you need to do this by listing the relevant categories.

Do Not Sell Page

You must detail the person's right to demand you do not sell their personal data. You must also link to a dedicated page on your site for exercising this right. Note that you can include the relevant information in your Privacy Policy, but you must still have this dedicated page as well.

The dedicated page must be headed "Do Not Sell My Personal Information". It must tell the person how to exercise this right and do so in a way that is "reasonably accessible." You must let the person exercise this right without having to create an account.

Elite Sports NY has a page which carries the "Do Not Sell My Personal Information" title that provides some useful details. However, it could more explicitly state that users have the right to demand their personal data not be sold.

Elite Sports NY Do Not Sell My Personal Information Page: Your rights with respect to personal data clause

Once somebody exercises this right, you aren't allowed to ask them to change their mind and give you permission to sell their data for at least 12 months.

As well as linking to this dedicated page from your Privacy Policy, you must have a "clear and conspicuous" link to it from your homepage.

The only exception is if you create a separate homepage for California consumers that includes the link, and then take "reasonable steps" to make sure California consumers are directed to this homepage. The law doesn't detail the technical measures you should use to do this.

Updates to Your Privacy Policy

If a third party takes control of a business (for example in a buyout or merger), it must stick to any privacy promises made by the selling business. If the buying business changes anything, for example by collecting new types of personal information or selling them, it must give users prior notice. A business can't retroactively change its Privacy Policy to cover these changes.

Note that in some cases you may be required to provide a toll-free telephone number for your users to contact you.

Penalties for Violating the CCPA

  • If you intentionally violate the CCPA, the Attorney General can seek a civil penalty of up to $7,500 for each violation.
  • For other violations, the Attorney General gives you 30 days' notice to correct the problem. If you fail to do so, the penalty is up to $2,500 for each violation. These penalties are assessed in a civil action under the procedure in California's Business and Professions Code.
  • If unencrypted or unredacted personal information is exposed in a data breach that results from your failure to maintain reasonable security procedures, affected consumers can sue you directly. Statutory damages run from $100 to $750 per consumer per incident (or actual losses, if greater), and the court can also grant injunctive or other relief. Encrypting or redacting stored personal information is therefore the single most effective way to take your organization out of the private right of action.

Comparisons with the GDPR

A business covered by the CCPA may also be covered by the General Data Protection Regulation, a set of European Union rules. While these laws cover similar principles, they have the following key differences:

Scope

The CCPA applies to organizations doing business in California.

The GDPR applies to organizations that meet any of three criteria:

  • The organization is established in an EU country
  • The personal data is processed in the context of the activities of an establishment in an EU country, regardless of where the processing itself happens
  • The organization offers goods or services to, or monitors the behaviour of, people who are in an EU country

This means it's much more likely a California business will be affected by the GDPR than a European business will be affected by the CCPA.

Definition

The CCPA defines personal information as relating to individuals and households.

The GDPR only covers personal information about a specific individual.

Penalties

The CCPA has a fixed rate for violation penalties that doesn't take into account the company's size.

The GDPR instead has a maximum penalty of four percent of the company's worldwide annual turnover in the previous year, or €20 million, whichever is higher.

Comparisons with CalOPPA

A business affected by the CCPA may also be affected by the California Online Privacy Protection Act (CalOPPA). While the two share some principles, they have the following key differences.

Types of Businesses Covered

The CCPA covers any organization doing business in California.

CalOPPA covers operators of commercial websites and online services (including mobile apps) that collect data about individual consumers in California.

Unlike the CCPA, CalOPPA's applicability doesn't depend on your revenues or how much data you handle.

Privacy Policy Requirements

The CCPA's Privacy Policy requirements are described above.

CalOPPA covers several similar points, but also requires some specific technical information.

This includes:

  • Detailing whether a website follows "Do Not Track" signals from browsers
  • Detailing how any third-party software and tools on the website could mean personal data is shared with a third party

Enforcement and Penalties

As detailed previously, the CCPA has separate penalties and enforcement depending on whether or not a breach is intentional. It also allows for private claims by consumers against businesses.

CalOPPA has a single penalty rate of up to $2,500 per violation. It's enforced solely by the Attorney General and doesn't allow for private claims.

Conclusion

Let's recap what you need to know about the CCPA:

  • The CCPA took effect on January 1, 2020, though enforcement will begin at some point between then and July 1, 2020.
  • It affects organizations doing business in California that meet any of three annual criteria:
    • Revenues of more than $25 million.
    • Half of annual revenue coming from selling consumer personal information.
    • Handling personal information of at least 50,000 consumers, households or devices.
  • It covers personal information, which is defined very broadly.
  • It gives consumers the right to know about and access the personal data you store and whether you sell it. It also gives them the right to demand you delete the data and to demand you stop selling it.
  • Your Privacy Policy must detail the consumer's rights and list the categories of data you have collected, sold and disclosed in the past 12 months.
  • Your website must have a "Do Not Sell My Personal Information" page that lets consumers opt out easily. Both your Privacy Policy and homepage must link to this page.
  • It doesn't require advance consent to collect data.
  • The CCPA has a fixed range of penalties for violations while maximum GDPR penalties depend on the company's revenues.
  • The CCPA will affect fewer businesses than CalOPPA. Of the two, the CCPA's definition of personal data is much broader.