Starting January 1, 2020, new California protection for personal information comes into effect that directly affects some businesses that offer products or services to consumers in the state.
The California Consumer Privacy Act of 2018 (CCPA) aims to protect the personal information of California consumers, in a similar although not identical way to the General Data Protection Regulation (GDPR) in the European Union.
The CCPA therefore introduces significant requirements for businesses that fall within its scope.
Considering that many US and even worldwide businesses ship products to California, or have online properties such as websites that are available to Californians, a significant number of businesses will need to make timely preparations and ensure that ongoing compliant processes are in place.
Below we answer some frequently asked questions about the CCPA that might help kick-start your preparedness plans. This is not a substitute for legal advice. We advise you to consult the legislation yourself to find out how it impacts your business. You might also seek the advice of a data protection expert, or consult the California Attorney General directly for an opinion on how to comply (a right provided for under the act).
Note: The CCPA is subject to legislative amendments before its introduction, so some of the information below may change.
What is the CCPA?
In broad terms, the CCPA builds on the California Constitution, which states that the right to privacy is inalienable. It forms part of California privacy legislation, which includes other laws such as the Online Privacy Protection Act (CalOPPA), the Privacy Rights for California Minors in the Digital World Act, and, in particular, Shine the Light, which gives Californians the right to know how businesses handle their personal information.
Again in broad terms, the CCPA gives California consumers the right to know the following from businesses that conduct commercial activities in the state:
- What personal information is being collected about them
- Whether their personal information is sold or disclosed, and to whom
It gives them the right to:
- Say no to the sale of personal information, and request it is deleted
- Request a copy of their personal information held by a business
- Not be discriminated against in price or product/services offered should they exercise their rights under the CCPA
Affected businesses (see below) need to put in place measures to ensure the above is possible.
When does the CCPA take effect?
The CCPA becomes law on January 1, 2020.
What kinds of businesses or organizations does the CCPA affect?
The CCPA applies to any business that can be described in any or all of the following ways:
- Has annual gross revenues in excess of $25,000,000
- Alone, or in combination with another business, buys or sells the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenues from selling consumers’ personal information
Additionally, the CCPA applies to any entity controlled by any of the types of business described above, and that shares common branding with the business.
What kinds of businesses or organizations are exempt from the CCPA?
A business does not fall under the scope of the legislation if it has gross revenues of $25,000,000 or less, or does not buy or sell the personal information of consumers, households, or devices. If the business buys or sells the personal information of fewer than 50,000 consumers, households, or devices, then it also does not fall under the scope of the legislation.
Some charities, social enterprises, not-for-profit organizations, or non-governmental organizations (NGOs) fall outside the scope of the CCPA, provided they are not operated for the profit or financial benefit of their shareholders or other owners, and they are not incorporated as a legal entity such as a sole proprietorship, partnership, LLC, corporation, or association (or controlled by such a business, including through shared branding).
What does the CCPA mean for my business?
The CCPA imposes a number of requirements on eligible businesses in order to comply, with the following being prime examples:
- Enabling consumer disclosure requests: There must be two or more ways made available to consumers for them to submit requests for personal information disclosure. At the very least, these must be a toll-free telephone number and a website address (if the business operates a website).
- Disclosure requirements: Information disclosed following a request from a consumer should cover the 12-month period preceding the date of the request and, as with the GDPR, should be in a readily usable format that “allows the consumer to transmit [the] information from one entity to another entity without hindrance”. This creates a so-called “look-back” requirement that predates the CCPA’s introduction: in other words, businesses are already required to maintain records conforming to the CCPA’s requirements, all the way back to January 1, 2019. The consumer cannot be required to create an account with the business in order to make a request. Any personal information provided to verify the disclosure request should be used solely for the purposes of verification. There cannot be a charge for this disclosure.
- Timely disclosure: Once a request has been received from a consumer, the information must be supplied within 45 days. This can be extended a single time by a further 45 days when “reasonably necessary”, although the consumer must be notified of the extension within the first 45-day period. Verifying that the consumer’s request is genuine should not delay the process, so verification effectively has to occur within the initial 45-day period.
- Opt-out requests: There must be a process by which consumers can instruct businesses that sell data to third parties not to sell their personal information (see “Do my business’ privacy or data protection policies need to be updated for the CCPA?” below). A consumer is able to reverse this decision by providing subsequent express authorization for the business to sell their personal information, but the business can’t approach the consumer to do so until 12 months have passed after the initial opt-out.
- Minors opt-in: Processes must be in place to block the sale of personal information for any consumer the business has actual knowledge is less than 16 years of age. However, consumers aged between 13 and 16 years of age (or their parent/guardian) can affirmatively authorize the sale of personal information (the CCPA calls this the “right to opt-in”). A business that deliberately ignores a consumer’s age will be treated as having had actual knowledge of it, so such a policy should be avoided.
- Deletion requests: There must be a process by which personal information collected about a consumer can be deleted by the business or its service providers. However, the business does not necessarily have to comply in specific circumstances; see “Does my business have to delete personal information for the CCPA?” below.
- Updated privacy policies: Online privacy policies (or any other description of California-specific consumer rights) should be updated in time for January 1, 2020 and then updated at least once every 12 months thereafter. For more details of what should be included, see “Do my business’ privacy or data protection policies need to be updated for the CCPA?” below. If your business begins to collect additional categories of personal information, this should be reflected immediately in the policies.
- Website changes: If the business has a website, it must show a clear and conspicuous link entitled “Do Not Sell My Personal Information”. This should link to a web page that lets consumers opt out of the sale of their personal information. Consumers must not be required to create an account in order to opt out. By taking “reasonable steps”, businesses can redirect California consumers to a specific version of their website that includes the “Do Not Sell My Personal Information” link and CCPA information, avoiding the need for all website visitors to see them.
- Staff training: All individuals responsible for handling consumer inquiries about privacy practices or compliance need to be informed about the CCPA’s requirements. They need to know how to direct consumers to exercise their rights under the CCPA.
What is considered personal information under the CCPA?
Personal information is broadly defined under the CCPA as being that which identifies, relates to, describes, is capable of being associated with, or is able to be reasonably linked to a particular consumer or household (whether directly or indirectly).
The legislation lists the following specifics, while noting that the list should not be considered exhaustive; it also goes beyond the scope of the GDPR:
- Personal identifiers such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Personal information such as a signature, physical characteristics or description, telephone number, state identification card number, insurance policy number, education-related information (defined as personally identifiable information that is not publicly available, as per the Family Educational Rights and Privacy Act), professional or employment-related information (e.g. employment, employment history), bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
- Characteristics of protected classifications under California or federal law, including race, religion, gender, marital status, age, disability, military or veteran status, and ancestry.
- Commercial information such as records of personal property, and products or services purchased or obtained. This also includes personal information pertaining to purchases considered, including consuming histories or tendencies.
- Biometric information.
- Geolocation data.
- Internet or other electronic network activity information, such as browsing or search history, or information regarding a consumer’s interaction with a website, application, or advertisement.
- Audio, electronic, visual, thermal, olfactory (relating to smell), or similar information.
The legislation further defines as personal information any “inferences” that can be drawn from the above list that might be used to create a profile about a consumer. The profile might reflect the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Notably, although many examples of personal information above are collected or generated digitally (through a website, for example), the legislation applies to the collection and sale of all personal information collected by a business from consumers. In other words, the CCPA does not just relate to electronic data.
What data can California consumers request under the CCPA?
If a business collects or sells personal information about a consumer, that consumer has the right to request that the business disclose the information listed below, covering the 12 months prior to the request (which should first be verified as genuine).
If a business collects personal information about the consumer, it should disclose:
- The categories of personal information it has collected about that consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information it has collected about that consumer.
If a business sells personal information about the consumer (or discloses it for a business purpose), it should disclose the following:
- The categories of personal information that the business collected about the consumer.
- The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information. This should be split out according to each third party to whom the personal information was sold.
- The categories of personal information that the business disclosed about the consumer for a business purpose.
If personal information in any category has not been sold or disclosed for a business purpose then this should be stated in response to the request.
Does my business have to collect additional personal information for the CCPA?
No. For businesses that collect personal information, the CCPA doesn’t require them to retain information from a single one-time transaction if they wouldn’t ordinarily do so. Nor does it require businesses to re-identify or otherwise link any data that is not ordinarily maintained in a way that would be considered personal information.
Does my business have to delete personal information for the CCPA?
The CCPA doesn’t change or place restrictions on the kinds of personal information that can be stored by businesses.
However, the CCPA does allow consumers to request a business or its service providers delete personal information relating to them. As with requests for personal information disclosure, the business should verify the request is genuine before taking action.
Notably, a business can refuse to comply with a deletion request for any of the following reasons:
- The personal information is required to complete a transaction for which the data was collected, such as providing a good or service requested by the consumer.
- The business reasonably anticipates that it will provide a good or service to the consumer for which the data was collected, or otherwise perform a contract between the business and the consumer.
- The personal information enables solely internal uses that are reasonably aligned with the expectations of the consumer based on their relationship with the business.
- The personal information is used to detect security incidents, or protect against malicious, deceptive, fraudulent, or illegal activity (or the personal information is required to prosecute those responsible).
- The personal information is required to debug, identify or repair errors that impair existing intended functionality.
- The personal information is required to exercise free speech (by either the business or the consumer).
- The personal information is required to exercise another right provided for by law, or to comply with a legal obligation.
- The personal information is required to comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
- The personal information is required to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest.
It’s also noted within the CCPA that the business can refuse to comply with the deletion request if it otherwise uses the personal information internally in a lawful manner that’s compatible with the context in which the consumer provided the information.
Who can request disclosure of information or request deletion of information under the CCPA?
Any natural person who is legally defined as a California resident, which in broad terms means every individual who is in the State for other than a temporary or transitory purpose, and every individual domiciled in the State who is outside the State for a temporary or transitory purpose.
Can my business opt out of the CCPA?
Not if any commercial conduct takes place in California. You should not treat consumers who exercise their rights under the CCPA any differently. To do so is considered unlawful discrimination and examples might include denying consumers goods or services, charging different prices or rates (or suggesting different prices or rates will apply), or providing a different level of quality of goods or services.
Is the CCPA the same as the GDPR?
It’s similar in spirit to the GDPR but, generally speaking, the CCPA has a narrower and more specific focus compared to the GDPR.
The GDPR places restrictions on how companies collect and handle personal data, brings about transparency, and provides individuals with rights over that data. It is limited to digital data.
The CCPA is solely concerned with providing rights to consumers regarding their personal information (digital or otherwise), and demanding transparency from businesses. The requirements it places upon businesses are simply to facilitate this, and to ensure consumers are aware of their rights. The CCPA covers all personal information that a business might hold, digital or otherwise.
Some of the work done by a business to comply with the GDPR will likely mean that it’s compliant with the CCPA, but this is not guaranteed and the CCPA has additional and specific requirements that require significant additional actions.
Does the CCPA let my business sell the personal information of consumers?
Businesses can sell personal information they have collected about consumers.
However, before they sell information they have bought from another business, they must explicitly inform the consumer and provide them with an opportunity to opt out.
If my business is outside California, do I have to comply with the CCPA?
The CCPA doesn’t apply to a business that collects or sells a non-California consumer’s personal information provided every aspect of that commercial conduct takes place wholly outside of California (and this includes the consumer being outside California at the time).
Nor does the CCPA restrict a business’ ability to comply with federal, state or local laws.
Simply ask yourself the question: Are the services or products my business offers available in California? Even if a business is located in another state (or even outside the US), if its services are available in California or its products can be shipped there, then the CCPA probably applies. For example, websites can typically be accessed by anybody worldwide, so even a website in Europe or Russia could arguably be required to make adaptations (although with the use of geo-IP redirection it might be possible to provide a version of your website specifically for California residents).
Can my business be fined if it violates the CCPA?
California consumers can take action against businesses that violate the CCPA in order to seek damages. Examples of violations could include “unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information.”
Consumers can recover damages of not less than $100 and not more than $750 per consumer, per incident. A court can also grant injunctive or declaratory relief, and any other relief it deems proper.
The California Attorney General can also take civil action on behalf of the people of California, including seeking an injunction and a civil penalty of $2,500 for each violation or up to $7,500 for each intentional violation.
Once notified of a violation in writing, a business has 30 days to cure it before it is considered to have violated the CCPA.
Do my business’ privacy or data protection policies need to be updated for the CCPA?
Yes. Such policies need to include the following, at a minimum:
- A description of consumer rights as provided by the CCPA relating to disclosure of personal information, opting out, and deletion of relevant personal information by the business or its service providers.
- A link to the “Do Not Sell My Personal Information” page on the business’ website (if the business has a website).
- A statement about how the business will not discriminate against consumers who exercise their rights under the CCPA.
- Two separate lists, and within the wording of the CCPA there are rules about what data should be listed, and how it should be organized. The legislation should therefore be consulted before taking action. However, in broad terms the first list should display categories of personal information the business has sold about consumers in the preceding 12 months. The second should list categories of personal information disclosed about consumers for a business purpose in the preceding 12 months. In the event there has been no personal information sold or disclosed for a business purpose then this should be stated.
Can my business charge a fee for a consumer request under the CCPA?
Can my business take action against consumers who abuse the CCPA?
Businesses are not obligated to provide information to the same consumer more than twice in a 12-month period.
Learn more about the CCPA
Sage’s dedicated CCPA home page contains additional useful resources that can help your business adapt and become compliant in time for the new legislation: https://www.sage.com/en-us/ccpa.
Note: We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the California Consumer Privacy Act (CCPA) on their businesses.