The CCPA will become operative on January 1, 2020. The California attorney
general shall adopt regulations on or before July 1, 2020, and shall not bring
an enforcement action until 6 months after the publication of such regulations
or July 1, 2020, whichever is sooner. In October 2019, the California attorney
general released proposed regulations. In August 2020, the California
attorney general released final regulations. Developments regarding
the foregoing should be monitored carefully.
CCPA Application and Definitions
The CCPA applies to a business, service provider, and third party.
A business means a legal entity organized or operated for
the profit or financial benefit of its owners, which is one of the
following.
- Either of the following
  - Has annual gross revenues in excess of $25 million
  - Alone or in combination, annually buys, receives for the
    business's commercial purposes, sells, or shares for commercial
    purposes, alone or in combination, the personal information of 50,000 or
    more consumers, households, or devices
  - Derives 50 percent or more of its annual revenues from selling
    consumers' personal information
- Collects consumers' personal information or on the behalf of which
that information is collected
- Alone, or jointly with others, determines the purposes and means of the
processing of consumers' personal information
- Does business in California
A business also means any entity that controls or is controlled by a
business and that shares common branding with the business, meaning sharing a
name, servicemark, or trademark.
A service provider means a legal entity organized or operated for the profit
or financial benefit of its owners that does the following.
- Processes information on behalf of a business and
- To which the business discloses a consumer's personal information for
a business purpose pursuant to a written contract, provided that the contract
prohibits the entity receiving the information from retaining, using, or
disclosing the personal information for any purpose other than for the
specific purpose of performing the services specified in the contract for the
business, or as otherwise permitted by the CCPA, including retaining, using,
or disclosing the personal information for a commercial purpose other than
providing the services specified in the contract with the business
Third party means a person that is not either of the following.
- A business that collects personal information from consumers under the
CCPA
- A person to which the business discloses a consumer's personal
information for a business purpose pursuant to a written contract, provided
that the contract does the following.
  - Prohibits the person receiving the personal information from the
    following.
    - Selling the personal information
    - Retaining, using, or disclosing the personal information for any
      purpose other than for the specific purpose of performing the
      services specified in the contract, including retaining, using, or
      disclosing the personal information for a commercial purpose other
      than providing the services specified in the contract
    - Retaining, using, or disclosing the information outside of the
      direct business relationship between the person and the business
  - Includes a certification made by the person receiving the personal
    information that the person understands the foregoing restrictions and
    will comply with them
A consumer means a California resident.
Personal information means information that identifies, relates to,
describes, is reasonably capable of being associated with, or could reasonably
be linked, directly or indirectly, with a particular consumer or household, and
the CCPA describes various types of personal information.
Sell, selling, sale, or sold means selling, renting, releasing, disclosing,
disseminating, making available, transferring, or otherwise communicating
orally, in writing, or by electronic or other means a consumer's personal
information by one business to another business or a third party for monetary
or other valuable consideration, subject to certain specified exceptions.
Consumer Rights under the CCPA
Consumer rights under the CCPA are as follows.
Disclosure. A business that collects personal information
needs to disclose the following, for the preceding 12 months, in response to a
verifiable consumer request.
- Categories of personal information the business has collected about the
consumer
- Categories of sources from which the personal information is
collected
- Business or commercial purpose for collecting or selling personal
information
- Categories of third parties with which the business shares personal
information
- Specific pieces of personal information the business has collected about
the consumer
A business that sells a consumer's personal information or discloses a
consumer's personal information for a business purpose needs to disclose
the following, for the preceding 12 months, in response to a verifiable
consumer request.
- Categories of personal information the business has collected about the
consumer
- Categories of personal information the business has sold about the
consumer and categories of third parties to which the personal information
was sold by category or categories of personal information for each category
of third parties to which the personal information was sold (if the business
has not sold consumers' personal information, it shall disclose that
fact)
- Categories of personal information the business has disclosed about the
consumer for a business purpose (if the business has not disclosed
consumers' personal information for a business purpose, it shall disclose
that fact)
Access. A business that collects a consumer's personal
information must, at or before the point of collection, inform the consumer as
to the categories of personal information to be collected and the purposes for
which the categories of personal information shall be used. A business must
disclose and deliver the personal information the business collected about the
consumer in response to a verifiable consumer request.
Deletion. A business must delete the personal information
the business collected about a consumer and direct service providers to delete
the consumer's personal information in response to a verifiable consumer
request, subject to certain specified exceptions.
Antidiscrimination. A business must not discriminate
against a consumer who exercises any of the consumer's rights under the
CCPA. However, a business may charge different prices or provide a different
quality of goods or services if the difference is reasonably related to the
value provided to the business by the consumer's data and may offer
financial incentives to a consumer for the collection, sale, or deletion of
personal information on a prior opt-in consent basis.
Opt Out and website requirements. A business that sells
consumers' personal information to third parties needs to provide notice to
consumers thereof and that consumers have the right to opt out of the sale of
their personal information. A business must provide a "Do Not Sell My
Personal Information" link on its Internet home page that links to a Web
page that enables a consumer to opt out of the sale of the consumer's
personal information.
A business must not sell the personal information of consumers if the
business has actual knowledge that the consumer is less than 16 years of age,
unless the consumer, in the case of consumers at least 13 years of age and less
than 16 years of age, or the consumer's parent or guardian, in the case of
consumers who are less than 13 years of age, has affirmatively authorized the
sale of the consumer's personal information.
Privacy policy requirements. A business must describe in
its online privacy policy or in any California-specific description of consumer
privacy rights the following, which must be updated at least once every 12
months.
- Consumers' rights under the CCPA, including the consumer right to opt
out of the sale of the consumer's personal information and a separate
link to the "Do Not Sell My Personal Information" Web page
- The methods for submitting consumer requests
- In the preceding 12 months
  - The categories of personal information that the business has
    collected about consumers
  - The categories of sources from which the personal information is
    collected
  - The business or commercial purpose for collecting or selling personal
    information
  - The categories of third parties with whom the business shares
    personal information
  - That a consumer has the right to request the specific pieces of
    personal information the business has collected about that consumer
  - Categories of personal information the business has sold about the
    consumer
  - Categories of personal information the business has disclosed about
    the consumer for a business purpose
CCPA Enforcement and Civil Action
Any person, business, or service provider that violates the CCPA shall be
subject to an injunction and be liable for a civil penalty of not more than
$2,500 for each violation or $7,500 for each intentional violation.
In addition, after satisfying certain procedural requirements, a consumer
can bring a civil action in an amount not less than $100 and not greater than
$750 per consumer per incident or actual damages, whichever is greater,
regarding their nonencrypted and nonredacted personal information that is
subject to an unauthorized access and exfiltration, theft, or disclosure as a
result of the business's violation of the duty to implement and maintain
reasonable security procedures and practices appropriate to the nature of the
information to protect the personal information.
CCPA Exceptions
The CCPA shall not restrict a business's ability to do the
following.
- Comply with federal, state, or local laws
- Collect, use, retain, sell, or disclose consumer information that is
deidentified or in the aggregate consumer information
- Collect or sell a consumer's personal information if every aspect of
that commercial conduct takes place wholly outside of California
The CCPA is intended to supplement federal and state law, if permissible,
but shall not apply if such application is preempted by, or in conflict with,
federal law or the US or California Constitution.
The CCPA shall not apply to the following.
- Medical information governed by the California Confidentiality of Medical
Information Act or protected health information that is collected by a
covered entity or business associate governed by the privacy, security, and
breach notification rules issued by the US Department of Health and Human
Services, 45 C.F.R., parts 160 and 164, established pursuant to the Health
Insurance Portability and Accountability Act (HIPAA) and the Health
Information Technology for Economic and Clinical Health Act or a provider of
health care governed by the California Confidentiality of Medical Information
Act or a covered entity governed by the privacy, security, and breach
notification rules issued by the US Department of Health and Human Services,
45 C.F.R., parts 160 and 164, established pursuant to HIPAA, to the extent
the provider or covered entity maintains patient information in the same
manner as medical information or protected health information as described in
this bullet point (the definitions of "medical information" and
"provider of health care" in section 56.05 of the California
Confidentiality of Medical Information Act shall apply, and the definitions
of "business associate," "covered entity," and
"protected health information" in 45 C.F.R. 160.103 shall
apply)
- An activity involving the collection, maintenance, disclosure, sale,
communication, or use of any personal information bearing on a consumer's
credit worthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living by a consumer
reporting agency, by a furnisher of information, who provides information for
use in a consumer report, and by a user of a consumer report, only to the
extent that such activity involving the collection, maintenance, disclosure,
sale, communication, or use of such information by that agency, furnisher, or
user is subject to regulation under the Fair Credit Reporting Act and the
information is not used, communicated, disclosed, or sold except as
authorized by the Fair Credit Reporting Act
- Personal information collected, processed, sold, or disclosed pursuant to
the federal Gramm-Leach-Bliley Act and implementing regulations or the
California Financial Information Privacy Act
Cal. Civ. Code section 1798.120 shall not apply to vehicle information or
ownership information retained or shared between a new motor vehicle dealer and
the vehicle's manufacturer if the vehicle or ownership information is
shared for the purpose of (or in anticipation of) effectuating a vehicle repair
covered by a vehicle warranty or a recall, provided that the new motor vehicle
dealer or vehicle manufacturer with which that vehicle information or ownership
information is shared does not sell, share, or use that information for any
other purpose.
Before January 1, 2021 (January 1, 2022, only if the voters do not approve
any ballot proposition that amends Cal. Civ. Code section 1798.145 at the
November 3, 2020, statewide general election per Assembly Bill 1281), the CCPA shall not
apply to the following.
- Personal information that is collected by a business about a natural
person in the course of the natural person acting as a job applicant to, an
employee of, owner of, director of, officer of, medical staff member of, or
contractor of that business to the extent that the natural person's
personal information is collected and used by the business solely within the
context of the natural person's role or former role as a job applicant
to, an employee of, owner of, director of, officer of, medical staff member
of, or a contractor of that business
- Personal information that is collected by a business that is emergency
contact information of the natural person acting as a job applicant to, an
employee of, owner of, director of, officer of, medical staff member of, or
contractor of that business to the extent that the personal information is
collected and used solely within the context of having an emergency contact
on file
- Personal information that is necessary for the business to retain to
administer benefits for another natural person relating to the natural person
acting as a job applicant to, an employee of, owner of, director of, officer
of, medical staff member of, or contractor of that business to the extent
that the personal information is collected and used solely within the context
of administering those benefits
Before January 1, 2021 (January 1, 2022, only if the voters do not approve
any ballot proposition that amends Cal. Civ. Code section 1798.145 at the
November 3, 2020, statewide general election per Assembly Bill 1281), the obligations
imposed on businesses by Cal. Civ. Code sections 1798.100, 1798.105, 1798.110,
1798.115, 1798.130, and 1798.135 shall not apply to personal information
reflecting a written or verbal communication or a transaction between the
business and the consumer, where the consumer is a natural person who is acting
as an employee, owner, director, officer, or contractor of a company,
partnership, sole proprietorship, nonprofit, or government agency and whose
communications or transaction with the business occur solely within the context
of the business conducting due diligence regarding, or providing or receiving a
product or service to or from such company, partnership, sole proprietorship,
nonprofit, or government agency.
The CCPA shall not be construed to require a business to collect personal
information that it would not otherwise collect in the ordinary course of its
business, retain personal information for longer than it would otherwise retain
such information in the ordinary course of its business, or reidentify or
otherwise link information that is not maintained in a manner that would be
considered personal information.
Finally, the rights afforded to consumers and the obligations imposed on any
business under the CCPA shall not apply to the extent that they infringe on the
noncommercial activities of a person or entity described in a specified
provision of the California Constitution addressing activities related to
newspapers and periodicals.