CCPA

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a privacy law enacted in California in 2020, amended and strengthened in 2023 by the California Privacy Rights Act (CPRA). The CCPA/CPRA provides residents of California with specific rights regarding the collection and use of their personal data—to know what data is collected; to have data deleted; and to opt out of, or opt into, the sale of their data. CCPA requires businesses to accommodate these consumer rights and applies civil fines if not complied with.

The CCPA also provides additional protection for the data of minors. Although the reach of the CCPA is only one state, it sets a precedent within the US, and is a model for future state and federal laws to continue the press for returning control of personal data to the individual.

Why CCPA was passed into law

After decades of unrestricted data collection by the tech industry, public sentiment has turned. In response, governments have started enacting laws to rein in data collection and sharing. A core concept of this movement is that privacy is a fundamental human right. New laws are shifting control of consumer’s data, privacy, and security back to the individual, while requiring businesses to collect and handle this data in a more transparent, responsible, and accountable way. The GDPR, adopted by the EU in 2018, was influential in the creation of the CCPA.

Data and people protected by CCPA

The protections of the CCPA apply to any data that is considered “personal,” and is either directly or indirectly identifying. Directly identifying information includes things like name, birth date, social security number, or employment history. Indirectly identifying data refers to less obvious pieces of information that, in combination, can be traced back to an individual. This latter category includes things like geographic location, browser history, or online purchases and online identifiers.

CCPA does not cover information generally considered to be publicly available. It also does not include data covered under other laws, such as health data covered under HIPAA (Health Insurance Portability and Accountability Act) and financial data covered under the Gramm-Leach-Billey Act.

The CCPA is a state law, and only applies to California residents, both those currently in the state and legal residents who may be temporarily outside of the state. CCPA does not apply to non-residents, even if they are temporarily located in California. A resident is a person who files state income tax with California or, in the case of minors, whose guardians file state income tax on their behalf.

Note: Because California’s population is so large—and to avoid maintaining multiple customer policies—some tech companies have extended the protections and provisions of CCPA to all users in the USA, or even outside the USA.

Rights of consumers under CCPA

Consumers covered by CCPA have several rights regarding their personal data, including:

• To request a business disclose what data is collected, how it’s used, and where it’s sold or shared
• To request their data be deleted from the records of a business that collected it, and from any third parties the data was sold to or shared with
• To opt out of having data sold or shared by either the business that collected the data, or any third parties who might have bought or received the data
• To not be discriminated against for exercising these rights

There are also additional protections for minors under 13 years of age, and minors from 13 to 16 years of age. A business cannot sell a minor’s data unless they have received affirmative “opt-in” consent. For those under 13, the opt-in consent must come from the parent or guardian; for those aged 13 to 16, the opt-in consent can be provided by the minor.

Businesses that are regulated by CCPA

To be regulated by CCPA, a business will be for-profit, do business within California, collect a consumer’s personal data, and meet at least one of the following criteria:

• The business has annual revenue over $25 million
• The business handles (buys, sells, collects, or shares) data of at least 100,000 protected individuals (i.e. California residents)
• If the business outsources data handling to a third party, both parties (“owner” and “handler”) are subject to CCPA
• At least 50% of the business’s revenue comes from handling personal data

These criteria extend up and down a business’s family tree—if a parent company meets one of the criteria, then all subsidiaries are also subject to CCPA, and vice versa. A company can be subject to CCPA even if it does not have a physical presence in California, as long as it conducts business within the state.

A regulated business must inform the consumer of their rights and of what data is being collected, and these disclosures must be included in the business’s privacy notice. The business must also provide mechanisms for a protected individual to access and delete their data, and to opt out of having their data sold. These mechanisms must include a phone number and at least one other method, usually a website. A “Do not sell my personal information” page on the site is explicitly required.

CCPA requires that a business follow through on requests in a timely manner (generally 45 days), including passing the request along to partners (data handlers, parent or subsidiary companies, and third parties who received the data). The business must also be able to confirm the requestor is the actual consumer (or the guardian) and not an imposter.

Enforcement of CCPA

There is no established system to verify that a business is complying with CCPA. Compliance relies on the investigation of possible violations. Initially, the CCPA tasked the California state Attorney General’s office with enforcement. But later amendments created a new agency (the California Privacy Protection Agency, or CPPA), that can also implement and enforce the CCPA.

When either the Attorney General or the CPPA determine a business has violated the regulations, they can impose civil penalties, with fines applied for each individual violation. When a business fails to respond in a timely manner to a consumer request, the fine can be up to $2,500 or $7,500 depending on whether the violation was unintentional or intentional. CCPA also provides for fines paid directly to the affected consumer in the event of a data breach. These fines start in the range of $100 to $750 but can be larger if actual damages warrant.

Similar laws

Currently, there are a handful of similar laws around the world, with many more in the works. Two notable ones include:

EU General Data Protection Regulation (GDPR)

The GDPR was enacted in the European Union in 2018. The specifics of the GDPR and the CCPA vary considerably, with CCPA providing more specific consumer protection rights for individuals. But the general scope of the GDPR is similar to CCPA in that it also deals with individual rights regarding personal data, data breaches, and transparency about business practices surrounding consumer data. The GDPR has a strong data breach reporting requirement of 72 hours; this is not present in the CCPA. The GDPR also seeks to protect the fundamental rights and freedoms of individuals, as set out in the EU Charter of Fundamental Rights.

The GDPR applies to a much larger population (anyone in the EU, whether or not they are considered residents) and reaches outside the EU by including non-EU companies that do business in the EU.

American Data Privacy and Protection Act (ADPPA)

The ADPPA is currently working its way through the US Congress. Since it is still a work-in-progress, it’s unclear exactly what its final provisions will be. However, it has the potential to be stronger than the CCPA in the areas of protection of minors, influencing businesses to store less sensitive data, and making data sharing opt in vs. opt out.

In the event the ADPPA is passed into law, there may be conflicts with the CCPA, and it’s unclear which will supersede the other.