California's Consumer Privacy Act (CCPA) was passed unanimously in 2018, giving Californians more control over which companies have their personal information and what they do with it. It was later amended and expanded by the California Privacy Rights Act (CPRA), approved by voters in November 2020 and operative since January 1, 2023.
The law, which took effect on January 1, 2020, is widely regarded as one of the most influential consumer privacy laws in the United States.
This article will look at what the law requires, who it applies to, how businesses must comply, and what changes businesses will need to make to their Privacy Policies in order to be compliant.
- 1. Background of the CCPA
- 2. New Definitions in the CCPA (CPRA)
- 2.1. Business
- 2.2. Sale
- 2.3. Personal Information
- 3. What the CCPA (CPRA) Means For Businesses
- 3.1. Transparency
- 3.2. Control
- 3.2.1. The Right to Disclose
- 3.2.2. The Right to Delete
- 3.2.3. The Right to Access
- 3.2.4. The Right to Opt Out
- 3.2.5. Special Rules for Minors
- 3.2.6. The Right to Nondiscrimination
- 3.3. Accountability
- 4. Complying with CCPA (CPRA)
Background of the CCPA
The California Consumer Privacy Act establishes the following protections for consumers:
- An extensive definition of what qualifies as "personal information"
- The creation of new data privacy rights for consumers
- New required disclosures from businesses regarding consumers' information
- New rules for gathering and selling the information of minors
- Fines, and damages payable to consumers, for companies that do not take reasonable security precautions to protect consumers' information
Although other privacy laws have been in effect in California and at the federal level, many of them apply only to a specific type of information. Others are outdated or simply do not cover increasingly important categories such as mobile data or biometric data.
Technological change in recent years has been so rapid that many tools and devices now collect data that was never contemplated by earlier privacy laws.
Some of these are:
- "Wearables" such as FitBits that track your movements, health, and biometric data;
- "In-home devices" like Amazon's Alexa, which listen continuously for a wake word and can capture conversations; and
- GPS devices that track speed or enable geofencing
The CCPA (CPRA) was needed because it specifically addresses the use of consumers' personal information in a manner that can be applied to these new and emerging technologies.
In many ways, the CCPA (CPRA) is modeled on the General Data Protection Regulation (GDPR), the European Union law adopted in 2016 and applicable since May 2018 that addresses similar concerns about personal information and privacy.
New Definitions in the CCPA (CPRA)
As we mentioned, in 2018 there were already a number of existing privacy laws in the United States both in California and at the federal level. These include CalOPPA, HIPAA, and the FTCA.
However, the CCPA (CPRA) was passed because it covers problems many of the other laws do not. This is partly because of the broad definitions that it establishes, allowing the law to be applied to emerging technology.
The most important definitions to understand under the new law are:
- Business
- Sale
- Personal information
Business
Like CalOPPA, the CCPA (CPRA) applies to any business that affects consumers in California. For the purposes of the CCPA (CPRA), a "business" is any legal entity which:
- Pursues a profit,
- Operates in California, and
- Determines the "purposes and means" of the processing of consumers' personal information
However, while CalOPPA places no restriction on selling personal data, the CCPA (CPRA) gives consumers the right to opt out of the sale of their data and, for consumers under 16, requires opt-in consent before any sale. This is a major component of the law.
CalOPPA also does not require businesses to offer a link or other mechanism for opting out of the sale of personal information; the CCPA (CPRA) does.
The CCPA (CPRA) is also different from CalOPPA in that it is designed to apply to larger businesses that profit from consumers' personal information, not to most small or medium-sized businesses.
To ensure this, a company is subject to the law only if it meets at least one of the following thresholds:
- The company's annual gross revenue exceeds $25 million (a figure the law adjusts for inflation)
- The company buys, sells, or shares the personal information of 100,000 or more consumers or households per year
- The company derives 50 percent or more of its annual revenue from selling or sharing consumers' personal information
Put another way, this law is meant to apply to social media sites, data brokers, and major corporations that have access to personal information (like Amazon or Google).
Sale
The CCPA (CPRA) defines the sale of personal information as:
"the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating ... a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."
The following uses of personal information are NOT considered to be a sale:
- The consumer uses or directs the business to intentionally disclose the information to a third party, or uses the business to intentionally interact with a third party
- The business shares an identifier for a consumer who has opted out, solely to alert third parties that the consumer has opted out
- The business shares personal information with a service provider or contractor as necessary to perform a business purpose, under a written contract that restricts what the provider may do with the data
- The business transfers personal information to a third party as an asset in a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business
Personal Information
The CCPA (CPRA) uses one of the broadest legal definitions of "personal information" anywhere. Under Cal. Civ. Code § 1798.140(o)(1) (renumbered § 1798.140(v)(1) by the CPRA), personal information is considered to be:
"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Specifically, the Act gives the following examples of information which is considered to be personal or household information:
- Name (real or alias)
- Unique personal or online identifier
- Postal address
- IP address
- Email address
- Account names
- Social security number
- Driver's license number
- Passport number
- Biometric information
The CPRA amendment added a subcategory, "sensitive personal information," covering items such as Social Security, driver's license and passport numbers, account log-in credentials, precise geolocation, and genetic or biometric data processed to identify a person. Consumers have a separate right to limit how a business uses and discloses this subcategory.
Publicly available information and "aggregate consumer information" are specifically NOT subject to this law. Publicly available information is information lawfully made available from federal, state, or local government records. Aggregate consumer information is information about consumer preferences or behavior that is not linked to any consumer's identity, such as large-scale statistical data.
Remember, under the CCPA (CPRA), if it could "reasonably" be linked to a consumer directly or indirectly, it's considered personal information.
What the CCPA (CPRA) Means For Businesses
Transparency
The CCPA (CPRA) requires businesses to tell consumers, at or before the point of collection and in their Privacy Policy:
- What categories of personal information they are collecting
- How they are going to use it (including whether it is sold or shared)
- How long they will retain each category of personal information (a CPRA addition)
- The categories of third parties they share the information with
- Consumers' rights over that information
- How to opt out of the sale or sharing of personal information
If a business sells or shares personal information, it must also provide a link the consumer can use to opt out.
Amazon's Privacy Notice, for example, lists the types of information the company collects.
Control
Under the law, consumers have more control over their personal information and how it is used. To achieve this, several new consumer rights were established: the rights to disclosure, deletion, access, opting out, and nondiscrimination. The CPRA added two more: the right to correct inaccurate personal information and the right to limit the use of sensitive personal information.
The Right to Disclose
Under Cal. Civ. Code §§ 1798.110 and 1798.115, a business must disclose to a consumer, in response to a verifiable consumer request, what personal information it collects or sells and how it is used. This means disclosing:
- The types of information collected
- The sources of information collected
- Types of third parties information is shared with
- The business or commercial purpose for collecting, selling, or sharing the information
- Pieces of information collected specific to that consumer
If a business sells or shares personal information, it must notify consumers of this and give them an opportunity to opt out. Consumers under 16 may not have their information sold or shared at all without affirmative opt-in consent (see Special Rules for Minors below).
The Right to Delete
Although there are exceptions (for example, information needed to complete a transaction the consumer requested, to comply with a legal obligation, or to detect and respond to security incidents), when a consumer submits a verifiable request to delete their personal information, the business must comply and must direct its service providers to delete it as well.
Facebook's Data Policy, for example, tells consumers that they can delete their account in order to delete their personal information.
The Right to Access
A consumer has the right to access the personal information about them that a business subject to the CCPA (CPRA) collects, stores, or sells. The business must release this information, covering at least the preceding 12 months, in response to a verifiable consumer request.
The Right to Opt Out
A consumer has the right to opt out of having their personal information sold or shared. A business that sells or shares personal information must offer consumers a way to opt out, typically via a link titled "Do Not Sell My Personal Information" (under the CPRA, "Do Not Sell or Share My Personal Information").
Special Rules for Minors
The CCPA (CPRA) also specifically addresses how companies handle the personal information of minors. For consumers under 16, the model is opt-in rather than opt-out: their personal information cannot legally be sold or shared without affirmative authorization.
Consumers who are at least 13 and under 16 may give that consent themselves.
For consumers under 13, a parent or guardian must give consent, and a business that willfully disregards a consumer's age is deemed to have actual knowledge of it.
The Right to Nondiscrimination
The CCPA (CPRA) makes it clear that a consumer who exercises their rights under the law may not be discriminated against. That means the company cannot deny the consumer goods or services, or subject them to different prices than other consumers.
The law specifically bans financial-incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
However, the law does not prohibit companies from offering incentives, including payments or price differences, in exchange for permission to collect, sell, or share information, provided the difference is reasonably related to the value of the consumer's data and the consumer opts in.
Accountability
Companies subject to the CCPA (CPRA) take on increased responsibilities, starting with understanding the broader definitions than have been used in past data privacy laws.
Companies that are not compliant face civil penalties: up to $2,500 for each violation, rising to $7,500 for each intentional violation (and, under the CPRA, for each violation involving the personal information of a consumer under 16).
Under the original CCPA, a business notified of an alleged violation had 30 days to cure it before penalties could be sought, as set out in Title 1.81.5, Section 1798.155(b) of the original text quoted below. The CPRA removed this mandatory cure period as of January 1, 2023, and gave the new California Privacy Protection Agency enforcement authority alongside the Attorney General:
(b) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.
Additionally, the Act gives consumers a private right of action, but only for data breaches: a consumer whose nonencrypted and nonredacted personal information is exposed because a business failed to implement reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.
Note that the CCPA (CPRA) does not restrict a business' ability to comply with state or federal law, or with any regulatory agencies or investigations. Therefore, releasing personal information to a government agency in order to comply with a state or federal law or investigation is specifically not a violation of the CCPA (CPRA).
Complying with CCPA (CPRA)
To comply, a business's Privacy Policy needs to include:
- An explanation of what kind of information is collected and processed, and how
- Why this information is being collected (i.e. if it is sold)
- Explanations of how consumers may access or delete their personal information, or request that it no longer be sold or shared
- Disclosure of processes in place for verifying consumers' ages, and for obtaining the consent for consumers who are minors
- An explanation of how consumers' identity is verified with regard to accessing or disclosing information
The law also requires at least two methods for consumers to submit requests. For most businesses one of these must be a toll-free telephone number; a business that operates exclusively online and has a direct relationship with its consumers may instead offer an email address.
As the requirements of the CCPA (CPRA) are implemented, remember that the purpose of the law is to allow consumers to have more control over the transmission of their personal information.
Also remember, the CCPA (CPRA) states that it is to be "liberally construed," so when in doubt, play it safe!