by Daniel J. Solove
The California Consumer Privacy Act (CCPA) has extensive requirements and there are a lot of questions and confusions around the Act at this time.
In this extensive FAQ, I will walk through the Act and explain what the CCPA is, whom it applies to, what rights it provides, and what the law requires for training. I will also review key terms, including personal information, what a sale is, and what a service provider is under the CCPA, and explain how this regulation differs from the GDPR. Finally, I will provide several additional resources that can be of assistance in complying with the requirements.
What is the CCPA?
The CCPA was passed in 2018. It provides for many consumer privacy rights and imposes many responsibilities on companies that collect and use personal data. The CCPA is one of the strongest state privacy laws in the United States. It also goes far beyond many federal laws.
This law was hurried through the legislative process to avoid a proposed ballot initiative with the same name. The ballot initiative was the creation of Alastair Mactaggart, a real estate developer who spent millions to bring the initiative to the ballot. Mactaggart indicated that he would withdraw the initiative if the legislature were to pass a similar law, and this is what prompted the rush to pass the new Act, as the deadline to withdraw the initiative was looming.
What is the California Privacy Rights Act (CPRA)?
The California Privacy Rights Act (CPRA) was passed by referendum in 2020. The CPRA strengthened the CCPA and added many new requirements and rights. The California Privacy Protection Agency (which enforces the CCPA) has said that the law will still be called the CCPA. Until January 1, 2023, the CCPA is in effect and is being enforced, but the CPRA changes and additions are not yet in effect. Companies must choose whether to train on the CCPA during this time or on the CPRA-amended law if they have already updated their compliance programs. After January 1, 2023, the CPRA changes will be in effect, so training should focus on the CCPA as amended by the CPRA.
When does it go into effect?
The CCPA went into effect on January 1, 2020. The CPRA changes go into effect on January 1, 2023.
Whom does the CCPA apply to?
The regulation doesn’t apply to all businesses. One of the following conditions must apply:
- A business must have annual gross revenues exceeding $25 million; or
- A business must obtain the personal information of 100,000 or more California residents or households annually; or
- A business must derive 50% or more of its annual revenues from selling California residents’ personal information.
Does it apply to businesses outside the state of California?
To be covered, companies must do business in California and collect and maintain personal data from California residents.
If an organization isn’t doing business in California, it isn’t covered by the CCPA – even if it gathers data about Californians.
Does it apply to non-profits? Does the law apply to government?
It only applies to “businesses,” which are for-profit companies. Other types of organizations, such as non-profit or government entities, are not covered.
What rights does the CCPA provide?
The heart of this law is providing individuals with rights regarding their personal data. These rights include:
- Right to be notified about information collected and the purpose of use
- Right of consumers to request and receive disclosures about their personal information within the past 12 months
- Right to data portability
- Right to correction
- Right to have businesses and their service providers delete their personal information
- Right to opt out of the sale of personal information to third parties
- Right to opt-in for children’s personal information
- Right to limit the use and disclosure of sensitive personal information
What must businesses disclose if a consumer makes a verified request?
Businesses must disclose:
- categories of personal information collected
- categories of sources from which information was collected
- purposes for which the information was collected
- categories of third parties with whom the information is shared
Consumers have the right to request the specific pieces of personal information collected about them.
What must be done to comply with the CCPA?
- Provide ways for consumers to submit requests for information (a business that operates exclusively online and has a direct relationship with the consumer may provide just an email address).
- Train employees about how to administer consumer rights under the CCPA.
- Businesses can’t discriminate against consumers who exercise their CCPA rights by denying them goods or services or charging them different prices. Exception: A business may do so if that difference is reasonably related to the value provided to the business by the consumer’s data.
- Businesses must have a written agreement with the service providers to restrict use of personal information beyond specified purposes.
- For transfers of personal information to third parties that aren’t service providers, there are strict restrictions on use of the data by these third parties.
What does the CCPA require for training?
The training requirement specifically mentions that all employees responsible for handling consumer inquiries about privacy practices must be informed of the requirements of 1798.120 and 1798.135, which primarily focus on the sale of consumer personal information.
Employees who will be involved with consumers exercising their rights should be trained on the basics of the CCPA. These employees include: the privacy team, employees in IT who are designing the website and the Do Not Sell button, employees who respond to consumer questions and complaints, and employees involved in decisions about the collection and possible sale of customer information.
For all employees, knowing about the requirements would be helpful. A short overview of some of the CCPA’s unique rights and requirements can be incorporated into a general privacy awareness training program. Many of the principles underpinning it and many rights and requirements overlap those of other privacy laws such as the GDPR, so a privacy awareness course can cover this ground in a more general manner.
For more information about training, see my California Consumer Privacy Act Training Guide. The guide discusses the CCPA’s training requirements and makes recommendations for how organizations can meet these requirements.
For training, I have a 15-minute CCPA training course, a 10-minute version of the course, a short add-on for my general privacy awareness courses, an interactive CCPA whiteboard module (5 minutes), and a print PDF CCPA whiteboard that sums up the CCPA in just 1 page.
What is “personal information” under the CCPA?
The law defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition is similar to the GDPR’s definition of “personal data” in that it includes information that is identifiable — that could be linked directly or indirectly to people. But it diverges in that it excludes “publicly available information” — “information that is lawfully made available from federal, state, or local government records.”
This is a very broad definition.
What is “sensitive personal information” under the CCPA?
“Sensitive personal information” is protected with heightened standards. Sensitive personal information is data that reveals a consumer’s:
- Social Security, driver’s license, state identification card, or passport number
- account log-in details, financial account, debit card, or credit card number
- precise geolocation
- racial or ethnic origin, religious or philosophical beliefs, or union membership
- sex life or sexual orientation
- contents of mail, email, and text messages, unless the business is the intended recipient of the communication
- genetic information, health data, or biometric information
How is the CCPA enforced?
There is a private right of action for security violations but not for privacy ones. The private right of action applies when there is an “incident” — defined as “an unauthorized access and exfiltration, theft, or disclosure.” People can recover damages “in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”
What is a “sale” of personal information under the CCPA?
A “sale” of personal information means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
What is a “service provider” under the CCPA?
A “service provider” is “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.”
How does the CCPA differ from the GDPR?
Although some have suggested that the CCPA is similar to the GDPR, the laws are quite different. A few key differences include:
- Both have similar definitions of personal information, but the GDPR doesn’t recognize information about a household as personal information. The GDPR uses the term “personal data” and the CCPA uses the term “personal information.”
- The GDPR has a broader right to object to data processing than the CCPA.
- The GDPR has a broader scope and applicability than the CCPA. The GDPR covers the EU, a much larger geographic region than California. The GDPR applies to persons in the EU, even visitors who are not EU citizens, whereas the CCPA applies to California residents. The GDPR applies to many different types of organizations; the CCPA only applies to for-profit businesses. The GDPR applies to organizations of any size; the CCPA excludes smaller businesses and businesses that aren’t collecting personal information about many California residents.
- The GDPR has many more governance requirements than the CCPA.
- The GDPR has stricter vendor management regulations.
- The CCPA is primarily an opt-out law (except for children’s data). The GDPR requires affirmative consent; it is thus an opt-in law.
- The GDPR requires a lawful basis for an organization to collect and use personal data. The CCPA doesn’t define any particular bases upon which businesses can collect and use personal data. This means that businesses can collect and use personal data for any purpose they desire.
Where can the full text of the CCPA be found?
The full text is here.
Where can the regulations be found?
The full text of the regulations is here.
Useful resource: California Consumer Privacy Act Regulation Chart – This chart links CCPA provisions to the corresponding sections of the draft CCPA regulation.
Is there any way to make compliance easy and fun?
Definitely! We have many training courses and materials. Just reach out to us and we can help.
As for fun, I created several cartoons for your amusement:
- Cartoon: The Travails of CCPA Compliance
- Cartoon: Multi-Jurisdictional Privacy Law Compliance
- Cartoon: Data Subject Access Requests Under the CCPA and GDPR
- Cartoon: The CCPA, a Federal Comprehensive Privacy Law, and Preemption
About Professor Solove and TeachPrivacy
This resource page was written by Professor Daniel J. Solove. Professor Solove is a law professor at George Washington University Law School and the leading expert on privacy and data security law. He has taught privacy law every year since 2000, has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject. His LinkedIn blog has more than 1 million followers. Click here for more information about Professor Solove.
TeachPrivacy provides privacy awareness training, information security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics. TeachPrivacy was founded by Professor Solove, who is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience.