Expert Commentary

The California Consumer Privacy Act of 2018, as Amended

In October 2019, the California governor signed Assembly Bills 25, 874, 1146,1355, and 1546, which amended the California Consumer Privacy Act of 2018. This article provides a brief overview of the CCPA, as amended (CCPA).

Cyber and Privacy Risk and Insurance
October 2019

The CCPA will become operative on January 1, 2020. The California attorney general shall adopt regulations on or before July 1, 2020, and shall not bring an enforcement action until 6 months after the publication of such regulations or July 1, 2020, whichever is sooner. In October 2019, the California attorney general released proposed regulations. In August 2020, the California attorney general released final regulations. Developments regarding the foregoing should be monitored carefully.

CCPA Application and Definitions

The CCPA applies to a business, service provider, and third party.

A business means a legal entity organized or operated for the profit or financial benefit of its owners, which is one of the following.

  • Either of the following
    • Has annual gross revenues in excess of $25 million
    • Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
    • Derives 50 percent or more of its annual revenues from selling consumers' personal information
  • Collects consumers' personal information or on the behalf of which that information is collected
  • Alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information
  • Does business in California

A business also means any entity that controls or is controlled by a business and that shares common branding with the business, meaning sharing a name, servicemark, or trademark.

A service provider means a legal entity organized or operated for the profit or financial benefit of its owners that does the following.

  • Processes information on behalf of a business and
  • To which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by the CCPA, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business

Third party means a person that is not either of the following.

  • A business that collects personal information from consumers under the CCPA
  • A person to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract does the following.
    • Prohibits the person receiving the personal information from the following.
      • Selling the personal information
      • Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract
      • Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business
    • Includes a certification made by the person receiving the personal information that the person understands the foregoing restrictions and will comply with them

A consumer means a California resident.

Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, and the CCPA describes various types of personal information.

Sell, selling, sale, or sold means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer's personal information by one business to another business or a third party for monetary or other valuable consideration, subject to certain specified exceptions.

Consumer Rights under the CCPA

Consumer rights under the CCPA are as follows.

Disclosure. A business that collects personal information needs to disclose, in response to a verifiable consumer request, in the preceding 12 months the following.

  • Categories of personal information the business has collected about the consumer
  • Categories of sources from which the personal information is collected
  • Business or commercial purpose for collecting or selling personal information
  • Categories of third parties with which the business shares personal information
  • Specific pieces of personal information the business has collected about the consumer

A business that sells a consumer's personal information or discloses a consumer's personal information for a business purpose needs to disclose the following in response to a verifiable consumer request, in the preceding 12 months.

  • Categories of personal information the business has collected about the consumer
  • Categories of personal information the business has sold about the consumer and categories of third parties to which the personal information was sold by category or categories of personal information for each category of third parties to which the personal information was sold (if the business has not sold consumers' personal information, it shall disclose that fact)
  • Categories of personal information the business has disclosed about the consumer for a business purpose (if the business has not disclosed consumers' personal information for a business purpose, it shall disclose that fact)

Access. A business that collects a consumer's personal information must, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business must disclose and deliver the personal information the business collected about the consumer in response to a verifiable consumer request.

Deletion. A business must delete the personal information the business collected about a consumer and direct service providers to delete the consumer's personal information in response to a verifiable consumer request, subject to certain specified exceptions.

Antidiscrimination. A business must not discriminate against a consumer who exercises any of the consumer's rights under the CCPA. However, a business may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided to the business by the consumer's data and may offer financial incentives to a consumer for the collection, sale, or deletion of personal information on a prior opt-in consent basis.

Opt Out and website requirements. A business that sells consumers' personal information to third parties needs to provide notice to consumers thereof and that consumers have the right to opt out of the sale of their personal information. A business must provide a "Do Not Sell My Personal Information" link on its Internet home page that links to a Web page that enables a consumer to opt out of the sale of the consumer's personal information.

A business must not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer's personal information.

Privacy policy requirements. A business must describe in its online privacy policy or in any California-specific description of consumer privacy rights the following, which must be updated at least once every 12 months.

  • Consumers' rights under the CCPA, including the consumer right to opt out of the sale of the consumer's personal information and a separate link to the "Do Not Sell My Personal Information" Web page
  • The methods for submitting consumer requests
  • In the preceding 12 months
    • The categories of personal information that the business has collected about consumers
    • The categories of sources from which the personal information is collected
    • The business or commercial purpose for collecting or selling personal information
    • The categories of third parties with whom the business shares personal information
    • That a consumer has the right to request the specific pieces of personal information the business has collected about that consumer
    • Categories of personal information the business has sold about the consumer
    • Categories of personal information the business has disclosed about the consumer for a business purpose

CCPA Enforcement and Civil Action

Any person, business, or service provider that violates the CCPA shall be subject to an injunction and be liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.

In addition, after satisfying certain procedural requirements, a consumer can bring a civil action in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, regarding their nonencrypted and nonredacted personal information that is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

CCPA Exceptions

The CCPA shall not restrict a business's ability to do the following.

  • Comply with federal, state, or local laws
  • Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information
  • Collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California

The CCPA is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the US or California Constitution.

The CCPA shall not apply to the following.

  • Medical information governed by the California Confidentiality of Medical Information Act or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R., parts 160 and 164, established pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act or a provider of health care governed by the California Confidentiality of Medical Information Act or a covered entity governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R., parts 160 and 164, established pursuant to HIPAA, to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in this bullet point (the definitions of "medical information" and "provider of health care" in section 56.05 of the California Confidentiality of Medical Information Act shall apply, and the definitions of "business associate," "covered entity," and "protected health information" in 45 C.F.R. 160.103 shall apply)
  • An activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, by a furnisher of information, who provides information for use in a consumer report, and by a user of a consumer report, only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act
  • Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act and implementing regulations or the California Financial Information Privacy Act

Cal. Civ. Code section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle's manufacturer if the vehicle or ownership information is shared for the purpose of (or in anticipation of) effectuating a vehicle repair covered by a vehicle warranty or a recall, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.

Before January 1, 2021 (January 1, 2022, only if the voters do not approve any ballot proposition that amends Cal. Civ. Code section 1798.145 at the November 3, 2020, statewide general election per Assembly Bill 1281), the CCPA shall not apply to the following.

  • Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person's personal information is collected and used by the business solely within the context of the natural person's role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business
  • Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file
  • Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits

Before January 1, 2021 (January 1, 2022, only if the voters do not approve any ballot proposition that amends Cal. Civ. Code section 1798.145 at the November 3, 2020, statewide general election per Assembly Bill 1281), the obligations imposed on businesses by Cal. Civ. Code sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.

The CCPA shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.

Finally, the rights afforded to consumers and the obligations imposed on any business under the CCPA shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in a specified provision of the California Constitution addressing activities related to newspapers and periodicals.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More