What is the purpose of CCPA?

CCPA creates new privacy protections for California residents

The California constitution guarantees privacy as a human right. Governor Gavin Newsom recently signed the last round of amendments to the California Consumer Privacy Act (CCPA), solidifying what will go into effect on January 1, 2020.

CCPA gives California consumers – i.e. people who live in California, even while they are traveling – more control over how their personal information can be collected and sold, new abilities to opt-out of those sales, and ways to hold companies accountable if that data is stolen.

The law can be boiled down to four primary areas:

  • Transparency – Ability to see what personal information is being collected, why it’s being collected, and where that data is being shared or sold
  • Access – Ability to access that data in a portable format and correct inaccuracies
  • Control – Ability to opt-out of data sales partially or completely and have the option to have the data deleted, without discrimination
  • Justice – Ability to take action against companies who ignore the law or act recklessly

What types of data are covered?

Any data that could be used to identify a person or household is covered

CCPA protects broad categories of data considered to be Personally Identifiable Information (PII), such as:

  • Unique Identifiers - Any data that can be used to identify someone or their household, like their name, email, account number, IP address, fingerprints, or credit card number
  • Consumer Behavior - Information about shopping and purchase habits
  • Online Behavior – Information around browsing activity and search history
  • Professional Data – Data around current and past employment and education
  • Other data – Data like current geolocation, social network graphs, and other protected data like medical records
  • Inferred Data – Data that was created by looking across data, like profiling or creating personality buckets

You can find a full list of the "Personal Information" at Section 1798.140 – o

What types of businesses are affected?

CCPA is mostly targeted at large businesses and those that buy and sell consumer data

Most small businesses won’t need to worry about CCPA, since it only affects businesses that:

  • Have data on 50,000+ customers, or
  • Have yearly revenue of $25+ million, or
  • Deal primarily in selling data

The law does not apply to non-profit businesses.

What does this mean for individual consumers?

It will be much easier to access data companies have collected about you

A company must respond to your request for data within 45 days, and fully comply within 90 days. Companies have to provide the data up to twice per year, covering the previous 12 months.

To make it easy for consumers to understand what data a company has collected, companies will need to have clearly placed buttons and links to opt-out, request data, delete data, and understand exactly how that data is being used.

Consumers will be able to find information in the following places:

  • Privacy policy – Should outline what data is collected and sold
  • Opt-out button – An explicit “Do Not Sell My Personal Information” link
  • Place to request / delete data – Can be in the consumer's online account if they have one, but they can't be required to create an account just for this purpose.

Who will enforce the law?

Penalties will be doled out by the California Attorney General

The state Attorney General has until July 1, 2020 to put policy in place to define exactly how the law will be enforced, but it will be retroactive back to January 1, 2020. The first draft of the Attorney General's proposed regulations was recently released.

Each accidental violation can be up to $2,500 and an intentional violation can be up to $7,500 per incident or consumer.

What data can be deleted?

Not all data has to be deleted, like business critical data

If the data is collected for internal business processes, it doesn't have to be deleted. Consumers do have the right to know that it is being collected, but that doesn't mean it can be sold or lost! Data never has to be collected or relinked just for this law.

The data doesn't have to be deleted if it is only for:

  • providing goods or services requested by the consumer
  • security and fraud prevention or debugging/maintaining systems
  • exercising free speech
  • research, if the user provided informed consent
  • legal reasons
  • employees or applicants records

Is this only for adult consumers?

Kids get extra protection until they turn 16

A business can only collect data from people under the age of 16 if they opt-in. Children under the age of 13 must have their parents opt-in on behalf of the child.

What’s this about financial incentives / non-discrimination?

A business cannot discriminate against someone for exercising their rights

Companies cannot charge a different price or offer a different service to someone that has opted out of data collection or sale, unless that price difference is based on the value of the data. Businesses can offer price incentives if the consumer opts-in to sharing their personal data.

It seems the law is trying to make the common practice of providing free services in exchange for data collection more transparent and explicit.

What about data breaches and cybersecurity incidents?

Consumers can take action without the state Attorney General

In the case of a cybersecurity breach, individuals can take additional action with no need to wait for the Attorney General to step in. There are some procedural waiting times, but in general, a consumer can seek damages from $100-$750 per incident (without the need to prove specific monetary damages), or they may seek more if the actual damages can be proven and are greater than $750.

CCPA does have built in exceptions for mistakes – companies can take up to 30 days to respond to notifications of violations from consumers, and if the problem is corrected, the company will not be penalized. If the company doesn't comply, the Attorney General may decide to pursue the issue. If the Attorney General decides not to investigate, the consumer still has the right to private action, which means individuals can sue the company directly. There is even the right to pursue a Class Action lawsuits in the case of data and security breaches.

Want to learn more?

Dive deeper into the details of CCPA

This was a very brief introduction to the CCPA. If you want to dig in further, we have compiled a full text version of the CCPA, with amendments, we've found that it is much easier to read and follow than the versions posted on the California government websites.

The California State Attorneys General office has also put out a basic fact sheet you can download that explains next steps in the rulemaking process.

Finally, you can review the first draft of the Attorney General's proposed regulations to see how the law may be applied. That is still subject to change pending public feedback.

Need some help?

We help businesses and consumers navigate compliance and cybersecurity

Get in touch, we'd love to help.