The California Consumer Privacy Act of 2018 (CCPA) was signed into law on June 28, 2018, and became effective on January 1, 2020.
CCPA was the first comprehensive consumer privacy law enacted by a US state, and the first to address major privacy concerns of the internet age including commercial exploitation of consumers’ personal information, intrusive advertising, and the overreach of digital tracking technologies.
CCPA was amended by the California Privacy Rights Act (CPRA), which became effective on January 1, 2023 and enforceable by the California Privacy Protection Agency on July 1, 2023.
For more information about the main rules added to CCPA by this amendment, read TrustArc’s Summary of the California Privacy Rights Act (CPRA) Main Rules.
Consumer Rights Under CCPA
The main rules of the CCPA (including CPRA amendments to the rules effective from January 1, 2023) are designed to strengthen California consumers’ privacy rights by giving them more knowledge about businesses’ data collection activities and more control of their personal information.
California consumers now have the following personal information privacy rights:
- Right to know what personal information is collected, used and/or sold by a business
- Right to request deletion of personal information a business has collected from them (subject to statutory exceptions, for example where the data is needed to complete a transaction or to comply with a legal obligation)
- Right to correct inaccurate personal information held by a business
- Right to limit the use and disclosure of their sensitive personal information collected about them by a business
- Right to opt out of the sale or sharing of their personal information (under the CPRA amendments, ‘sharing’ means disclosing personal information to a third party for cross-context behavioral advertising, whether or not money changes hands)
- Right to non-discrimination for exercising their privacy rights under CCPA.
The CCPA regulations contain strict rules (Article 6, Special Rules Regarding Consumers Under 16 Years of Age) about obtaining opt-in consent before selling or sharing the personal information of minors: a business must have the affirmative authorization of the consumer if they are 13 to 15 years old, or of a parent or guardian if the child is under 13, and the required notices must explain this.
We recommend reading the following articles for more detail about California minors’ privacy rights under CCPA and other state laws: California State Privacy Law Leads Protection of Children in the US and Understanding the California Age-Appropriate Design Code Act (AB-2273).
CCPA Meaning of Personal Information
The CCPA text defines personal information as meaning: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.
The text then lists key types of personal information that could be connected to or identify a natural person, including:
- Personal identifiers – real name and alias, postal address and other contact information, identity numbers (see ‘sensitive personal information’ below) and several kinds of online identifiers
- Physical person identifiers – biometric information, and audio, electronic, visual, thermal, olfactory or similar information (for example voice or video recordings)
- Physical location (geolocation) data
- Professional or employment-related information
- Education information that is personally identifiable and not publicly available (the privacy of student education records is protected under the Family Educational Rights and Privacy Act)
- Internet or other electronic network activity information – browsing history, search history and interactions with websites, apps, ads, online stores and social media
- Consumer profile data – data about a consumer’s activities which could be used to infer “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes”
- Commercial information – records of personal property, products or services purchased, obtained or considered by a consumer, and other purchasing or consuming histories or tendencies
- Sensitive personal information (SPI) – the CPRA amendment to the CCPA added this category for data that warrants extra protection: government identifiers (social security, driver’s license, state identification card and passport numbers); account log-in credentials, and financial account, debit card or credit card numbers combined with any required access code or password; precise geolocation; racial or ethnic origin; citizenship or immigration status; religious or philosophical beliefs; union membership; the contents of mail, email and text messages (unless the business is the intended recipient); genetic data; biometric information processed to uniquely identify a consumer; and information about a consumer’s health, sex life or sexual orientation.
Note: Under the Act’s definitions, personal information does not include deidentified or aggregated consumer information (for example, a collection of data about the online activity trends for a website audience).
Which Organizations Must Be CCPA Compliant
The California Consumer Privacy Act generally applies to any for-profit organization (business) that:
- Does business in California – the CCPA text doesn’t contain an explicit definition of doing business in California, but a for-profit organization that collects the personal information of California residents is covered whether or not it has a physical presence in the state; interacting with consumers in California online only is enough
- Collects personal information of Californian consumers – the Act defines a consumer as a natural person (as opposed to a corporation or other business entity) who is a California resident, which includes a person who is domiciled in California but temporarily outside the state
- Determines how and why Californian consumers’ personal information is processed – the Act covers businesses that alone, or jointly with others, determine the purposes and means of processing. CCPA takes its definition of ‘processing’ almost word-for-word from the European Union’s General Data Protection Regulation (GDPR): “any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means”. However, the CCPA text doesn’t present a list of processing activities. In the GDPR text, a non-exhaustive list explaining processing activities includes recording, structuring and categorizing, consulting and/or analyzing, sharing, disclosing or transferring data for a business purpose, including selling it.
The organization must satisfy one or more of the following minimum thresholds:
- Earned $25 million-plus gross annual revenue in the preceding calendar year – CPRA amendment: the qualifiers earned and in the preceding calendar year were added to this threshold
- Annually buys, sells, or shares personal information of 100,000 or more Californian consumers or households – CPRA amendment: the threshold was raised from 50,000 to 100,000, and ‘devices’ was dropped from the count, so a device-level tally no longer triggers the threshold on its own.
- Derives 50% or more annual revenue from selling or sharing California consumers’ personal information – CPRA amendment: the qualifier: ‘or sharing’ was added after ‘selling’.
CCPA Meaning of ‘Collecting’ and ‘Selling’ Personal Information
The text of the California Consumer Privacy Act defines ‘collecting’ (and collected or collection) as meaning: “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior”.
In its definition of ‘selling’ (and sale, sell, sold) the text of the Act contains some similarities to ‘collect’ and adds some more detail about common data handling practices in its meaning: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”.
CCPA Notice Requirements
If the CCPA applies to a business, the organization’s public presence(s) (online or offline) must make it easy for California consumers to know, understand, and exercise their privacy rights under the Act. CCPA notices must include:
- Notice at collection of personal information
- Notice of right to opt-out of sale/sharing and a link to a form to exercise this right: “Do Not Sell or Share My Personal Information”
- Notice of right to limit and a link to a form to exercise this right: “Limit the Use of My Sensitive Personal Information”
- Alternative opt-out link – a single “Your Privacy Choices” (or “Your California Privacy Choices”) link, accompanied by the opt-out icon, may be used in place of the two separate links above
- Notice of financial incentive (defined in the CCPA text as a “program, benefit or other offering, including payments to consumers, for the collection, retention or sharing of personal information”).
For more information about CCPA notice requirements we recommend reading our articles on CCPA compliance. You can also take the guesswork out of how your business manages CCPA notices and compliance with TrustArc’s CCPA & CPRA Compliance Solutions & Tools.
Which Organizations Are Exempt from CCPA Compliance?
The CCPA generally doesn’t apply to nonprofit organizations and government agencies, even if they collect California consumers’ personal information.
Not-for-profit organizations are generally exempt because they don’t fit the definition of a ‘business’ in the act.
Government agencies are generally exempt for the same reason: the Act’s definition of a business covers only entities organized or operated for profit. Separately, the Act preserves a business’ ability to disclose personal information to government agencies when local, state or federal law requires it (see the exemptions below).
Other organizations whose personal data use activities may be exempt from CCPA include:
- Organizations that don’t do business in California and/or don’t collect or acquire personal information of California consumers, and can prove it if challenged. The Act also contains an exemption for businesses that can prove every aspect of collecting, selling or sharing consumer personal information takes place wholly outside of California.
- Organizations that don’t satisfy any of the thresholds outlined above (e.g. earned less than $25 million gross annual revenue in the preceding year, handle the personal information of fewer than 100,000 California consumers or households, and derive less than half of their revenue from selling or sharing personal information). Such organizations should keep records that show this, because the burden of demonstrating the exemption falls on them if challenged.
What Personal Information is Exempt from CCPA Regulations?
The CCPA regulations do not apply to certain personal information when it is already covered by privacy rules under some federal and California state Acts, including:
- Medical information covered by California’s Confidentiality of Medical Information Act (CMIA)
- Health information covered the federal Health Insurance Portability and Accountability Act (HIPAA)
- Financial information covered by the federal Gramm-Leach-Bliley Act and the California Financial Information Privacy Act and credit history information covered by the federal Fair Credit Reporting Act.
Businesses are given exemptions from CCPA regulations on the use of personal information in section 1798.145 of the CCPA text, which makes it clear obligations imposed on a business by CCPA must not restrict a business’ ability to:
- Exercise or defend legal claims
- Collect, use, retain, sell, share, or disclose de-identified or aggregate personal information
- Comply with laws at federal, state, or local levels
- Comply with legal instructions from federal, state, or local authorities to provide personal information, such as through inquiries, investigations, court orders, subpoenas or summonses. A law enforcement agency may direct a business not to delete a consumer’s personal information for 90 days (a period that can be extended); where a consumer has requested deletion of that information, the business must comply with the law enforcement direction not to delete it, but may not use the personal information for any purpose other than responding to law enforcement
- Cooperate with law enforcement agencies concerning illegal conduct or activity (i.e. violations of federal, state, or local law)
- Cooperate with a government agency request for emergency access to a consumer’s personal information if the person is in danger of death or serious injury. This exemption has several qualifiers, including a requirement for the request to be approved by a high ranking agency officer, determined lawful in good faith, and the agency agrees to petition a court within three days for an order.
Organizations are also generally allowed to use information that isn’t considered personal because it is deemed publicly available. Publicly available information about a California consumer may include:
- Government records (local, state, or federal level), such as professional licenses and real estate records
- Information about a consumer made lawfully publicly available by the consumer or in widely distributed media
- Some information disclosed and made available by a consumer in a public domain and/or made available by the consumer without restricting it to a specific audience.
What Penalties Apply for Breaches of CCPA Rules?
Administrative fines imposed on organizations found to breach CCPA rules are mainly decided and enforced by the California Privacy Protection Agency, which is authorized to implement the California Consumer Privacy Act.
As part of its enforcement activities, the Agency can pursue actions for payments of the following administrative fines:
- Up to $2500 for each violation if the breach of the Act was unintentional
- Up to $7500 for each violation if the breach of the Act was intentional
- Up to $7500 for each violation if the breach involved the personal information of Californians under 16 years of age, whether or not it was intentional.
These base amounts are adjusted for inflation by the Agency, so the figures in force at the time of a violation may be higher.
The California Office of the Attorney General can pursue civil penalties for the same amounts in court on behalf of the people of California. In such cases, it may request that the California Privacy Protection Agency not pursue its own administrative action so the Attorney General can proceed with a civil action or investigation; but if the Agency has already issued a decision or order on the same violation, the Attorney General cannot file a civil action on that breach.
Californians can independently or collectively sue for statutory damages of between $100 and $750 per consumer per incident, or actual damages if greater, when a business’ failure to implement and maintain reasonable security practices leads to a data breach exposing their nonencrypted and nonredacted personal information. Before seeking statutory damages, the consumer must give the business 30 days’ written notice identifying the violations; if the business cures them within that period and provides a written statement to that effect, the statutory damages claim cannot proceed (actual damages are not subject to this cure period).
Access More Information from TrustArc About CCPA Regulations and Compliance
This summary of the main rules businesses must follow to be CCPA compliant is part of a series of briefs by TrustArc experts on the CCPA, which includes a background brief, a compliance checklist, a technical brief, and expert commentary on CCPA implications.
We recommend you also access TrustArc’s CCPA & CPRA Compliance Solutions & Tools and read How the California Privacy Rights Act Updates the California Consumer Privacy Act.