The CCPA will go into effect on January 1, 2020, as provided in this legislation. The California attorney general, which generally enforces the CCPA, shall adopt regulations on or before July 1, 2020, and shall not bring an enforcement action until 6 months after the publication of such regulations or July 1, 2020. Any developments regarding the CCPA should be monitored carefully.
When the CCPA Applies to a Business
A business should first assess whether the CCPA is applicable to the business and its business partners.
The CCPA applies to a business, meaning a legal entity organized or operated for the profit or financial benefit of its owners, which is one of the following.
Has annual gross revenues in excess of $25 million
Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
Derives 50 percent or more of its annual revenues from selling consumers' personal information
Collects consumers' personal information
Determines the purposes and means of the processing of consumers' personal information
Does business in California
A consumer means a California resident.
Personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, and the CCPA describes various types of personal information.
Sell, selling, sale, or sold means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer's personal information by one business to another business or a third party for monetary or other valuable consideration.
Consumer Rights under the CCPA
Consumer rights under the CCPA are as follows.
Disclosure. A business must disclose the personal information collected, sold, or disclosed for a business purpose about a consumer.
A business that collects personal information needs to disclose, in response to a verifiable consumer request, the following.
Categories of personal information the business has collected about the consumer
Categories of sources from which the personal information is collected
Business or commercial purpose for collecting or selling personal information
Categories of third parties with which the business shares personal information
Specific pieces of personal information the business has collected about the consumer
A business that sells a consumer's personal information or discloses a consumer's personal information for a business purpose needs to disclose the following in response to a verifiable consumer request.
Categories of personal information the business has collected about the consumer
Categories of personal information the business has sold about the consumer and categories of third parties to which the personal information was sold by category or categories of personal information for each third party to which the personal information was sold (if the business has not sold consumers' personal information, it shall disclose that fact)
Categories of personal information the business has disclosed about the consumer for a business purpose (if the business has not disclosed consumers' personal information for a business purpose, it shall disclose that fact)
Access. A business that collects a consumer's personal information must, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business must disclose and deliver the personal information the business collected about the consumer in response to a verifiable consumer request.
Deletion. A business must delete the personal information the business collected about a consumer and direct service providers to delete the consumer's personal information in response to a verifiable consumer request, subject to certain exceptions.
Antidiscrimination. A business must not discriminate against a consumer who exercises any of the consumer's rights under the CCPA. However, a business may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided to the consumer by the consumer's data and may offer financial incentives to a consumer for the collection, sale, or deletion of personal information on a prior opt-in consent basis.
Opt Out and Website Requirements. A business that sells consumers' personal information to third parties needs to provide notice to consumers thereof and that consumers have the right to opt out of the sale of their personal information. A business must provide a "Do Not Sell My Personal Information" link on its Internet homepage that links to an Internet webpage that enables a consumer to opt out of the sale of the consumer's personal information.
A business must not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer's personal information.
Consumers' rights under the CCPA, including the consumer right to opt out of the sale of the consumer's personal information and a separate link to the "Do Not Sell My Personal Information" Internet Web page
The methods for submitting consumer requests
A list of the categories of personal information that the business has collected about consumers, sold about consumers, and disclosed about consumers for a business purpose in the preceding 12 months
CCPA Enforcement and Civil Action
Any person, business, or service provider that violates the CCPA shall be subject to an injunction and be liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.
In addition, after satisfying certain procedural requirements, a consumer can bring a civil action in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, regarding their nonencrypted or nonredacted personal information that is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.
The CCPA shall not restrict a business's ability to do the following.
Comply with federal, state, or local laws
Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information
Collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California
The CCPA is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the US or California Constitution.
The CCPA shall not apply to the following.
Medical information governed by the California Confidentiality of Medical Information Act or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R., parts 160 and 164, established pursuant the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act or a provider of health care governed by the California Confidentiality of Medical Information Act or a covered entity governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R., parts 160 and 164, established pursuant to HIPAA, to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in this bullet point (the definitions of "medical information" and "provider of health care" in section 56.05 of the California Confidentiality of Medical Information Act shall apply, and the definitions of "business associate," "covered entity," and "protected health information" in 45 C.F.R. 160.103 shall apply)
Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act and implementing regulations or the California Financial Information Privacy Act
Finally, the rights afforded to consumers and the obligations imposed on any business under the CCPA shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in a specified provision of the California Constitution addressing activities related to newspapers and periodicals.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.