This article was originally published on the Sage Advice website on August 7, 2019 by Keir Thomas-Bryant
On January 1, 2020, California's new protection for personal information comes into effect, directly affecting some businesses that offer products or services to consumers in the state.
The California Consumer Privacy Act of 2018 (CCPA) aims to protect the personal information of California consumers in a similar, although not identical, way to the General Data Protection Regulation (GDPR) in European countries.
The CCPA therefore introduces significant requirements for businesses that fall within its scope. Many US, and even worldwide, businesses ship products to California or have online properties, such as websites, that are available to Californians; these businesses will need to make timely preparations and ensure ongoing compliant processes are in place.
Below we answer some frequently asked questions about the CCPA to help businesses start to plan and prepare for the upcoming changes. Please note this is not a substitute for legal advice. We advise you to consult the legislation yourself to find out how it impacts your business. You might also seek the advice of a data protection expert, or consult the California Attorney General directly for an opinion on how to comply (a right that is provided for under the act).
Note: The CCPA is subject to legislative amendments before its introduction, so some of the information below may change.
In broad terms, the CCPA builds on the California Constitution's provision that the right to privacy is inalienable. It forms part of California privacy legislation, which includes other laws such as the Online Privacy Protection Act (CalOPPA), the Privacy Rights for California Minors in the Digital World Act, and, in particular, Shine the Light, which gives Californians the right to know how businesses handle their personal information.
Again in broad terms, the CCPA specifically gives California consumers the right to know the following from businesses that conduct commercial activities in the state:
It gives them the right to:
Affected businesses (see below) need to put in place measures to ensure the above is possible.
The CCPA becomes law on January 1, 2020.
The CCPA applies to any business that can be described in any or all of the following ways:
Additionally, the CCPA applies to any entity controlled by any of the types of business described above, and that shares common branding with the business.
A business does not fall under the scope of the legislation if it has gross revenues of $25,000,000 or less, or does not buy or sell the personal information of consumers, households, or devices. If the business buys or sells the personal information of fewer than 50,000 consumers, households, or devices, then it also does not fall under the scope of the legislation.
Some charities, social enterprises, not-for-profit organizations, or non-governmental organizations (NGOs) fall outside the scope of the CCPA provided they are not operated for the profit or financial benefit of their shareholders or other owners, and they are not incorporated into a legal entity such as a sole proprietorship, partnership, LLC, corporation, or association (or are controlled by such a business, including sharing branding).
The CCPA imposes a number of requirements on eligible businesses in order to comply, with the following being prime examples:
Sage's dedicated CCPA home page contains useful resources and training that can help your business adapt and become compliant in time for the new legislation.
Personal information is broadly defined under the CCPA as being that which identifies, relates to, describes, is capable of being associated with, or is able to be reasonably linked to a particular consumer or household (whether directly or indirectly).
The legislation lists the following specifics; note that the legislation itself says this list should not be considered comprehensive, and that it goes beyond the scope of the GDPR:
The legislation further defines as personal information any “inferences” that can be drawn from the above list that might be used to create a profile about a consumer. The profile might reflect the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Notably, although many examples of personal information above are collected or generated digitally (through a website, for example), the legislation applies to the collection and sale of all personal information collected by a business from consumers. In other words, the CCPA does not just relate to electronic data.
If a business collects or sells personal information about a consumer, then that consumer has the right to request that the business disclose the information listed below, covering the 12 months prior to the request. The business should verify that the request is genuine before responding.
If a business collects personal information about the consumer, they should disclose:
If a business sells personal information about the consumer (or discloses it for a business purpose), they should disclose the following:
If personal information in any category has not been sold or disclosed for a business purpose then this should be stated in response to the request.
No. For businesses that collect personal information, the CCPA doesn’t require them to retain information from a single one-time transaction if they wouldn’t ordinarily do so. Nor does it require businesses to re-identify or otherwise link any data that is not ordinarily maintained in a way that would be considered personal information.
The CCPA doesn’t change or place restrictions on the kinds of personal information that can be stored by businesses.
However, the CCPA does allow consumers to request a business or its service providers delete personal information relating to them. As with requests for personal information disclosure, the business should verify the request is genuine before taking action.
Notably, a business can refuse to comply with a deletion request for any of the following reasons:
It’s also noted within the CCPA that the business can refuse to comply with the deletion request if it otherwise uses the personal information internally in a lawful manner that’s compatible with the context in which the consumer provided the information.
Any natural person who is legally defined as a California resident, which in broad terms is every individual who is in the State for other than a temporary or transitory purpose, and every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.
Not if any commercial conduct takes place in California. You should not treat consumers who exercise their rights under the CCPA any differently. To do so is considered unlawful discrimination and examples might include denying consumers goods or services, charging different prices or rates (or suggesting different prices or rates will apply), or providing a different level of quality of goods or services.
It’s similar in spirit to the GDPR but, generally speaking, the CCPA has a narrower and more specific focus compared to the GDPR.
The GDPR places restrictions on how companies collect and handle personal data, brings about transparency, and provides individuals with rights over that data. It is limited to digital data.
The CCPA is solely concerned with providing rights to consumers regarding their personal information (digital or otherwise), and demanding transparency from businesses. The requirements it places upon businesses are simply to facilitate this, and to ensure consumers are aware of their rights. The CCPA covers all personal information that a business might hold, digital or otherwise.
Some of the work done by a business to comply with the GDPR will likely mean that it’s compliant with the CCPA, but this is not guaranteed and the CCPA has additional and specific requirements that require significant additional actions.
Businesses can sell personal information they have collected about consumers.
However, before they sell information they have bought from another business, they must explicitly inform the consumer and provide them with an opportunity to opt out.
The CCPA doesn’t apply to a business that collects or sells a non-California consumer’s personal information provided every aspect of that commercial conduct takes place wholly outside of California (and this includes the consumer being outside California at the time).
Nor does the CCPA restrict a business’ ability to comply with federal, state or local laws.
Simply ask yourself the question: Are the services or products my business offers available in California? Even if a business is located in another state (or even outside the US), if its services are available in California or products can be shipped there then the CCPA probably applies. For example, websites can typically be accessed by anybody worldwide, so even a website in Europe or Russia arguably could be required to make adaptations (although with the use of geo IP redirection it might be possible to provide a version of your website specifically for California residents).
California consumers can take action against businesses that violate the CCPA in order to seek damages. Examples of violations could include “unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information.”
Consumers can recover damages of not less than $100, but not greater than $750 per consumer, per incident. However, a court can apply declaratory relief and any other relief it deems proper, as well as injunctive relief.
The California Attorney General can also take civil action on behalf of the people of California, including imposing an injunction and a civil penalty of $2,500 for each violation or up to $7,500 for each intentional violation.
Once informed of a violation, which must be done in writing, businesses have 30 days to fix it before they are considered to have violated the CCPA.
Yes. Such policies need to include the following, at a minimum:
Businesses are not obligated to provide information to the same consumer more than twice in a 12-month period.
Sage’s dedicated CCPA home page contains additional useful resources that can help your business adapt and become compliant in time for the new legislation: https://sage.com/en-us/ccpa.
Note: We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the California Consumer Privacy Act (CCPA) on their businesses.