California values data privacy more than any other state in the US. The state previously passed the California Online Privacy Protection Act, commonly known as the CalOPPA, which became law on July 1, 2004, as well as the “Shine the Light” Law, which became part of the California Civil Code on January 1, 2005. We can now add the California Consumer Privacy Act of 2018, commonly referred to as the CCPA, to the list of privacy laws the state has passed, which combined have a major impact across the globe.
The CCPA is the latest privacy legislation passed by the State of California which took effect on January 1, 2020. This latest law has a very substantial impact on California consumers as well as businesses that cater to California residents.
Among the noteworthy changes made by the CCPA are the imposition of strict transparency obligations on companies primarily engaged in collecting and selling personal information and on large businesses, as well as the introduction of a very broad definition of “personal information”, which many consider possibly the broadest definition there is at the moment. Aside from this, the CCPA likewise grants new rights to consumers and imposes new fines against businesses that do not comply with the provisions of the law.
To get a better idea as to which entities the CCPA would apply to, it is important to examine how a business is defined under the law. While other data privacy legislation has a very broad scope of covered businesses that need to comply with it, the CCPA defines covered businesses in a very narrow manner. This means that not all entities are required to comply with the provisions of the CCPA.
Which Entities are Covered by the CCPA?
For a business to be covered by the CCPA, it must: 1.) operate for profit, 2.) do business in California, 3.) decide why and how personal data or information is being processed, and 4.) have at least one of the following characteristics:
- The business has annual gross revenue exceeding $25 million
- The entity engages in buying, selling, receiving or sharing personal information from more than 50,000 consumers, households or devices every year
- Half or more of the business’s annual revenue is earned from selling personal information
What is “Personal Information” Under the CCPA?
As mentioned previously, the CCPA provides perhaps the broadest definition of “personal information” in the world today. Under the law, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
As can be observed in the definition, “personal information” not only includes information that relates to a particular consumer but to a household as well. A few specific examples of information that fall under the definition of “personal information” as provided in the CCPA are a person’s name, residential address, e-mail address, social security number, and IP address.
Not only that, the CCPA likewise lists general categories of information which are considered as “personal information”. These categories are as follows:
- Legally Protected Characteristics
- Commercial Purchasing Information
- Select Information in Customer Records
- Information Typically Detected by the Senses
- Internet or Network Activity
- Employment Information
- Education Information
- Biometric Information
- Inferences from Above Used to Profile
Privacy Policies Under the CCPA
If applicable, the business would likewise need to disclose the commercial reason it collects and sells personal information, where it obtains the personal data that is being collected, and whether it sells the consumers’ personal information. If the answer to the latter is in the affirmative, the business must also disclose what types of personal data it sells.
Rights of Consumers Under the CCPA
Under the CCPA, consumers are granted new privacy rights that allow them to have more control over their privacy and personal information. The consumer has the following rights under the CCPA:
The Right to Know
Under this right, consumers may request covered entities to disclose what personal information they have collected, used, shared, or sold about the consumer. They must also provide the reason why they collected, used, shared, or sold such information. Entities are required to provide the information being requested for the 12-month period prior to the request and it must be accommodated by the business free of charge.
The Right to Deletion
This right allows users to request that covered entities delete the personal information they have collected from the consumer and to tell their service provider to do the same as well. This is subject to some exceptions, however, such as the following:
- Security or legal reasons
- If such would infringe the business’ freedom of speech or other rights
- In order to comply with a contractual obligation
- For purposes of debugging
- For research which is in the public’s interest, if the consumer consented to it.
The Right to Non-Discrimination
This right provides that a business shall not discriminate against a consumer if the latter exercises any of his or her rights under the CCPA. This ensures that consumers can freely exercise their rights under the law without fear of repercussions from covered businesses.
The Right to Opt-Out
Under the CCPA, consumers are given the right to request that businesses stop selling their personal information. Once a business receives what is termed the “opt-out” request, it cannot sell the consumer’s personal information, subject to certain exceptions, unless the consumer gives the business authorization allowing it to sell his or her personal information again.
Children's Right to Opt-In
Businesses cannot sell the personal information of a child they know to be younger than 16 years of age unless they get affirmative authorization or what is commonly called an “opt-in”. For kids below 13 years of age, the “opt-in” must be from the child’s parent or guardian while children at least 13 years of age but below 16 can “opt-in” themselves.
Fines Under the CCPA
Businesses that do not comply with the provisions of the CCPA may be penalized with a fine of up to $7,500 for every violation. It may seem like a small amount when considering the businesses covered by the CCPA but it can add up to quite a significant amount for large-scale violations or repeated infractions.
Consumers can likewise bring civil claims against covered businesses for “unauthorized access and exfiltration, theft, or disclosure [of personal information] as a result of the business’ violation of the duty to implement and maintain reasonable security procedures”. While the claim amounts must be between $100 and $750, they can certainly add up to a large amount if even a small percentage of Californians are affected by a business’s security breach.