What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA), codified at Cal. Civ. Code 1798.100 et seq., is California's comprehensive privacy law. It gives California residents rights to know what personal information businesses collect about them, to delete that information, and to opt out of its sale. It applies to for-profit businesses that meet certain revenue or data-volume thresholds and process personal information of California residents.

What the CCPA Does

The CCPA went into effect on January 1, 2020 and was the first comprehensive consumer privacy law in the US. It gives California residents (called "consumers" in the statute, though the definition is broader than the everyday meaning) a set of rights over the personal information businesses hold about them.

The core rights are:

  • Right to know: Consumers can request the categories and specific pieces of personal information a business has collected about them, the sources, the purposes, and the third parties it's been shared with.
  • Right to delete: Consumers can request that a business delete their personal information, subject to specified exceptions (legal obligations, fraud prevention, completing transactions, etc.).
  • Right to opt out of sale: Consumers can direct a business not to sell their personal information to third parties.
  • Right to non-discrimination: Businesses can't penalize consumers for exercising their CCPA rights, though they can offer financial incentives for data collection within strict limits.

Who's Covered

The CCPA applies to for-profit businesses that do business in California, collect California residents' personal information, and meet at least one of three thresholds:

  • Annual gross revenues over $25 million
  • Buy, sell, or share personal information of 100,000 or more California consumers or households per year
  • Derive 50% or more of annual revenue from selling consumers' personal information

The thresholds are alternative, not cumulative: meeting any one of them brings a business into scope. A small business with little or no California revenue that buys data on 100,000 California consumers is still covered.

What Counts as Personal Information

The CCPA defines personal information broadly. It includes the obvious (name, address, Social Security number, driver's license, account numbers) and a lot more: IP addresses, browsing history, geolocation data, biometric information, employment information, education records, and "inferences drawn from any of the information identified above to create a profile about a consumer."

Anything that identifies, relates to, describes, or could reasonably be linked with a particular California resident or household is in scope. This is intentionally wider than HIPAA's PHI or PCI's cardholder data.

The Sale Definition

The CCPA's definition of "sale" caused real headaches for businesses when the law took effect. It covers selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information "for monetary or other valuable consideration."

That last phrase swept in a lot of activity that businesses didn't think of as selling: passing data to ad-tech vendors in exchange for analytics, sharing data with marketing partners for cross-promotion, using third-party trackers on websites. The CPRA (the 2023 amendment) added a separate concept of "sharing" for cross-context behavioral advertising, which closed some of the loopholes.

Required Disclosures and Notices

Businesses subject to the CCPA must publish a privacy policy that describes:

  • Categories of personal information collected in the past 12 months
  • Categories of sources
  • Business or commercial purposes for collection or sale
  • Categories of third parties with whom the information is shared
  • Specific pieces of personal information collected, on consumer request
  • How consumers can exercise their rights
  • The methods for submitting requests (typically a toll-free number and a web form)

If the business sells personal information, the homepage must include a clear and conspicuous "Do Not Sell My Personal Information" link. The CPRA expanded this to include opt-out of sharing for behavioral advertising.

Enforcement and Penalties

Originally the California Attorney General was the sole enforcer. The CPRA created the California Privacy Protection Agency (CPPA), which now shares enforcement authority. Civil penalties are $2,500 per violation, rising to $7,500 for intentional violations or violations involving consumers under 16. There's no statutory cap.

The CCPA also created a private right of action for consumers whose non-encrypted, non-redacted personal information is breached due to a business's failure to implement reasonable security. Statutory damages are $100 to $750 per consumer per incident, or actual damages if higher. Class actions under this provision are common.

Practical Compliance Steps

Businesses subject to the CCPA generally need to:

  • Map data flows: what personal information is collected, where it goes, who it's shared with, and why
  • Update the privacy policy with required disclosures
  • Build a process for handling consumer rights requests within the 45-day deadline
  • Implement "Do Not Sell" and "Do Not Share" mechanisms
  • Train staff who handle consumer requests
  • Vet vendors and put service-provider contracts in place that limit how vendors can use the data
  • Maintain reasonable security practices to limit breach exposure

How Paytia Uses This

The CCPA mostly affects how a business collects, uses, and shares personal information about its customers, not how it processes their card payments. But two areas of payment operations intersect with CCPA: data collected during the payment journey (names, addresses, billing details, IP addresses) and the vendors that touch that data.

Paytia's telephone payment solution minimizes the personal information our platform handles. We process card transactions and the minimum data required to complete them. We don't sell customer data, and we operate as a service provider under CCPA terms with our US clients, which limits what we can do with the data even if we wanted to.

For US clients with California customers, your privacy policy needs to disclose how payment data flows through your contact center and any vendors involved. Look at our payment links and recurring payments options as part of mapping your data flows for CCPA compliance.

Frequently Asked Questions

Does the CCPA apply to businesses outside California?

Yes, if they collect personal information from California residents and meet one of the revenue or data-volume thresholds. Geographic location of the business doesn't matter. What matters is whether you process California residents' data.

Is payment card data covered by the CCPA?

Yes. Card numbers and account information are personal information under the CCPA. They're also subject to PCI DSS, so payment card data faces both regimes simultaneously. The CCPA's private right of action specifically applies when this kind of data is breached.

How fast do we have to respond to a CCPA request?

Within 45 days of receiving a verifiable request, with one 45-day extension allowed if you notify the consumer in writing with the reason. The clock includes time for verifying the requester's identity.

Has the CPRA replaced the CCPA?

No, it amended it. The CCPA is still in force. The CPRA added new rights, expanded definitions, created a new enforcement agency, and introduced the category of sensitive personal information. Most references to "CCPA" today mean the CCPA as amended by the CPRA.

See how Paytia handles CCPA

Book a personalised demo and we'll show you how our platform works with your setup.
