What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a California state regulation intended to protect consumers and enhance their privacy rights. The bill, officially called AB-375, was signed into law in 2018 and has been amended several times. The largest batch of amendments, in the form of the California Privacy Rights Act, became law in 2019.

What rights does the CCPA give consumers?

As outlined by the CCPA fact sheet provided by the California State Government, the CCPA grants new rights to California consumers, including:

• The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information
• The right to delete personal information held by businesses and by extension, a business’s service provider
• The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
• The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA
  
  

How does the CCPA define “personal information”?

Personal information is any “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, license plate number, passport number, or other similar identifiers.”

Publicly available information is not considered personal information.

Despite only applying to California residents, from a practical standpoint, most large businesses need to be in compliance with the CCPA in order to easily do business in America. The aforementioned fact sheet outlines which kind of businesses need to adhere to the regulation:

The CCPA applies to any business where one of the following is true:

• Has annual gross revenues in excess of $25 million
• Buys, receives, or sells the personal information of 50,000 or more consumers or households
• Earns more than half of its annual revenue from selling consumers’ personal information

Overseas businesses that meet those requirements are also liable if they ship items into California.

The CCPA bill outlines the compliance requirements. In order to achieve compliance, businesses must do the following: 

• Implement processes to obtain parental or guardian consent for minors under 13 years (and the affirmative consent of minors between 13 and 16 years) for data sharing purposes (Cal. Civ. Code § 1798.120(c)).
• Include a “Do Not Sell My Personal Information” link on the home page of the website of the business that will direct users to a web page enabling them, or someone they authorize, to opt-out of the sale of the resident’s personal information (Cal. Civ. Code § 1798.135(a)(1)).
• Designate methods for submitting data access requests including, at a minimum, a toll-free telephone number (Cal. Civ. Code § 1798.130(a)).
• Update privacy policies with newly required information, including a description of California residents’ rights (Cal. Civ. Code § 1798.135(a)(2)).
• Avoid requesting opt-in consent for 12 months after a California resident opts-out (Cal. Civ. Code § 1798.135(a)(5)).

There are some other provisions of the bill that should be taken into consideration: 

• Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents (Cal. Civ. Code § 1798.135(c).
• Privacy notices must be accessible and have alternative formats clearly communicated.