What is the CCPA?
The California Consumer Privacy Act (CCPA) is a bill meant to enhance privacy rights and consumer protection for residents of California, United States. Targeted at companies that collect and/or sell personal information, it is designed to give Californians more control over their own data. The CCPA (AB 375) gives California consumers the right to request all the data a company has collected on them over the previous 12 months, as well as a full list of all the third parties that data is shared with.
What entities are subject to the CCPA?
The CCPA applies to any for-profit entity that does business in California, collects personal information about California consumers and meets at least one of the following threshold criteria:
- Earns annual gross revenue above $25 million,
- Annually buys, sells or, for commercial purposes, receives or shares personal information of at least 50,000 California consumers, households or devices, or
- Derives at least 50% of its annual revenue from selling California consumers’ personal information.
Companies don't have to be based in California or have a physical presence there to fall under the law. They don't even have to be based in the United States.
Who has rights under the CCPA?
The CCPA applies to “consumers,” which is broadly defined as any natural person who is a California resident.
The California law takes a broader approach to what constitutes sensitive data than the GDPR. Under CCPA, “personal information” means any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Here’s what AB 375 considers “personal information”:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
An amendment, AB 874, currently awaiting the governor's signature, would exempt publicly available, deidentified and aggregate consumer information from being classified as PII. Publicly available information is defined as data available and maintained from government records.
What rights does CCPA provide?
The CCPA expands upon rights afforded under existing California legislation—including the California Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act (often referred to as SB 568) and the Shine the Light law—and creates some new rights for California consumers. These rights generally fall into the following categories:
- Access. Consumers have a right to access information about the personal information a business collects about them, including a right to the specific pieces of personal information collected. Upon receipt of a verifiable consumer request, a company must provide the requesting consumer with access to the specific pieces of information collected about that consumer over the prior 12 months, sometimes in a portable format.
- Choices Related to Sale of Personal Information. In addition to requiring businesses to make disclosures about the sale of personal information, the CCPA gives consumers more control over this business activity. Like other aspects of the law, “sale” is defined broadly to include “renting, releasing, disclosing or otherwise communicating a consumer’s personal information to a third party for monetary or other valuable consideration.” Some data sharing is exempt from the definition of sale, including certain information sharing with service providers. Generally, businesses that sell personal information to other businesses or third parties must permit consumers to opt out of such sales. Note, however, that explicit opt-in consent to the sale of personal information is required if such information relates to consumers under the age of 16. Finally, companies that sell personal information must also include a clear link on their websites’ homepage (or platform or download page for mobile apps) and in their privacy policies labeled “Do Not Sell My Personal Information” that enables consumers to exercise their opt-out rights.
- Deletion. Consumers have the right to request deletion of their personal information. Upon receipt of a verifiable request, a company must delete personal information held about a consumer unless an exception applies, such as the need to retain the information to complete a transaction, comply with a legal obligation, exercise free speech or enable internal uses that are aligned with consumer expectations, among others.
- Non-Discrimination. Consumers also enjoy a general right to equal service and price, meaning that companies generally cannot discriminate against those who have exercised their privacy rights, subject to some exceptions. The law specifically prohibits denying goods or services, charging different prices, or providing different levels or quality of products or services to consumers who exercise their rights under the law, although certain exceptions may apply. At the same time, the CCPA also permits businesses to offer financial incentives in exchange for the collection or sale of personal information.
This page was last updated on 15 November 2019.