In October 2019, the California governor signed Assembly Bills 25, 874, 1146, 1355, and 1546, which amended the California Consumer Privacy Act of 2018. This article provides a brief overview of the CCPA, as amended (CCPA).
The CCPA will become operative on January 1, 2020. The California attorney general shall adopt regulations on or before July 1, 2020, and shall not bring an enforcement action until 6 months after the publication of such regulations or July 1, 2020, whichever is sooner. In October 2019, the California attorney general released proposed regulations. In August 2020, the California attorney general released final regulations. Developments regarding the foregoing should be monitored carefully.
The CCPA applies to a business, service provider, and third party.
A business means a legal entity organized or operated for the profit or financial benefit of its owners, which is one of the following.
A business also means any entity that controls or is controlled by a business and that shares common branding with the business, meaning sharing a name, servicemark, or trademark.
A service provider means a legal entity organized or operated for the profit or financial benefit of its owners that does the following.
Third party means a person that is not either of the following.
A consumer means a California resident.
Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, and the CCPA describes various types of personal information.
Sell, selling, sale, or sold means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer's personal information by one business to another business or a third party for monetary or other valuable consideration, subject to certain specified exceptions.
Consumer rights under the CCPA are as follows.
Disclosure. A business that collects personal information needs to disclose, in response to a verifiable consumer request, in the preceding 12 months the following.
A business that sells a consumer's personal information or discloses a consumer's personal information for a business purpose needs to disclose the following in response to a verifiable consumer request, in the preceding 12 months.
Access. A business that collects a consumer's personal information must, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business must disclose and deliver the personal information the business collected about the consumer in response to a verifiable consumer request.
Deletion. A business must delete the personal information the business collected about a consumer and direct service providers to delete the consumer's personal information in response to a verifiable consumer request, subject to certain specified exceptions.
Antidiscrimination. A business must not discriminate against a consumer who exercises any of the consumer's rights under the CCPA. However, a business may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided to the business by the consumer's data and may offer financial incentives to a consumer for the collection, sale, or deletion of personal information on a prior opt-in consent basis.
Opt out and website requirements. A business that sells consumers' personal information to third parties needs to notify consumers of that sale and of their right to opt out of the sale of their personal information. A business must provide a "Do Not Sell My Personal Information" link on its Internet home page that links to a Web page that enables a consumer to opt out of the sale of the consumer's personal information.
A business must not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer's personal information.
Any person, business, or service provider that violates the CCPA shall be subject to an injunction and be liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.
In addition, after satisfying certain procedural requirements, a consumer can bring a civil action in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, regarding their nonencrypted and nonredacted personal information that is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.
The CCPA shall not restrict a business's ability to do the following.
The CCPA is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the US or California Constitution.
The CCPA shall not apply to the following.
Cal. Civ. Code section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle's manufacturer if the vehicle or ownership information is shared for the purpose of (or in anticipation of) effectuating a vehicle repair covered by a vehicle warranty or a recall, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.
Before January 1, 2021 (January 1, 2022, only if the voters do not approve any ballot proposition that amends Cal. Civ. Code section 1798.145 at the November 3, 2020, statewide general election per Assembly Bill 1281), the CCPA shall not apply to the following.
Before January 1, 2021 (January 1, 2022, only if the voters do not approve any ballot proposition that amends Cal. Civ. Code section 1798.145 at the November 3, 2020, statewide general election per Assembly Bill 1281), the obligations imposed on businesses by Cal. Civ. Code sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.
The CCPA shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
Finally, the rights afforded to consumers and the obligations imposed on any business under the CCPA shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in a specified provision of the California Constitution addressing activities related to newspapers and periodicals.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.