California Consumer Privacy Act (CCPA) Explained

The California Consumer Privacy Act (CCPA) gives California residents more control over the personal information that businesses collect about them. CCPA applies only to for-profit businesses that do business in California (regardless of where they are headquartered) and meet any of the following requirements:

  • Have a gross annual revenue of over $25 million.

  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices.

  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

It doesn’t apply to nonprofit organizations or government agencies.

What is personal information under CCPA

Personal information is defined as anything that identifies, relates to or could be reasonably linked to you or your household. Some common examples include:

– A Name

– Social Security Number

– Email Address

– Products Purchased

– Internet Browsing History

– Geolocation Data

– Fingerprints

What is not considered personal information under CCPA

Personal information doesn’t include publicly available information, including information from federal, state or local government records. Publicly available information includes things like professional licenses and public real estate/property records.

CCPA Consumer Rights

CCPA gives California residents a number of rights to help them better control how their personal information is collected and used by businesses:

Right to opt out of sale

California residents have the right to request that businesses stop selling their personal information. With few exceptions, businesses cannot continue to sell a consumer’s personal information once they receive an opt-out request. Additionally, businesses must wait at least 12 months before asking the individual to opt back in. Some of the exceptions businesses may have for not honouring an opt-out request are:

  • If a sale is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims

  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

Businesses must respond to these requests within 15 days of receipt but there is currently no requirement for acknowledgement of this request.

Right to know

California residents have the right to request a detailed account of the personal information that a company has collected, used, shared or sold about them. They also have a right to ask why that information was collected and used by the company. This includes:

  • The categories of personal information collected

  • Specific pieces of personal information collected

  • The categories of sources from which the business collected personal information

  • The purposes for which the business uses the personal information

  • The categories of third parties with whom the business shares the personal information

  • The categories of information that the business sells or discloses to third parties

Businesses must provide this for the 12 months prior to the request and must do it free of charge. CCPA mandates that businesses have 10 days to acknowledge receipt of the request and provide the requester with information on how the request will be processed. Following that, the business has 35 days (for a total of 45 days from receiving the request) to provide the requester with the information. Businesses can extend this time to up to 90 days if they provide the consumer with notice and an explanation of the need for the extension. Businesses are required to give residents at least two methods of submitting this request, e.g. by phone and email.

The exceptions for this right include:

  • The business cannot verify your request

  • The request is manifestly unfounded or excessive, or the business has already provided personal information to you more than twice in a 12-month period

  • Businesses cannot disclose certain sensitive information, such as your social security number, financial account number, or account passwords, but they must tell you if they’re collecting that type of information

  • Disclosure would restrict the business’s ability to comply with legal obligations, exercise legal claims or rights, or defend legal claims

  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

If the business you contact is a service provider of the business that collected your information, it will not be able to fulfill this request. Service providers are not required to respond to consumer requests; in that case you would need to find the business that hired the service provider and make the request with them. In some cases the service provider is not able to provide you with that information and you will have to find other means to determine who that business is. This can be very difficult or almost impossible without the right resources.

Right to be Notified

CCPA requires that businesses give consumers notice prior to collecting their information. The notice must list the categories of information that will be collected and the purposes for which the information will be used. If the business sells personal information, the notice must include a “do not sell” link, which allows people to opt out of having their information sold. Additionally, the notice must provide a link to the business’s privacy policy. This policy must outline in full the business’s privacy practices and the privacy rights that will be afforded to the consumer.

Right to Delete

You have the right to request that businesses delete the personal information that they collected and have their service providers do the same. Businesses have 45 days to respond to the request but may extend it to 90 days if they notify the consumer and give a reason why it must take longer than 45 days. Additionally, if the business stores personal information in archived or backup systems, it can extend the time required to respond to the next time those systems will be accessed or used. However, there are many exceptions to this rule, such as for debt collectors, credit reporting agencies or any other body that needs your personal information to provide you with goods or services or to uphold the law.

Right to Non-discrimination

Consumers have the right not to be discriminated against for exercising their CCPA rights. This means businesses cannot deny goods or services, charge a different price or provide a different quality of goods or services as a result of someone exercising their CCPA rights. This doesn’t apply if someone requests to have their information deleted and that information is necessary to provide the consumer with the goods or services. Additionally, businesses can offer promotions, discounts and other deals in exchange for collecting, keeping or selling consumers’ personal information as long as the financial incentive offered is reasonably related to the value of the personal information. If a consumer asks a business to delete or stop selling their information, the business has a right to discontinue the consumer’s participation in any of the special deals it offered in exchange for the consumer’s consent.

Data Brokers

CCPA also covers data brokers, which are businesses that collect and sell personal information to third parties. Data brokers collect information about consumers from many sources, including websites, other businesses and public government records. CCPA holds them accountable to some extent. The CCPA’s definition of personal information doesn’t include information obtained from public records, which is a common source for data brokers. But information they obtain from other sources would be included under the CCPA’s definition, and you can exercise the right to have your information deleted. California’s law on data brokers requires them to register with the Attorney General’s website for data brokers.

What can I do if a business violates my CCPA rights?

You can’t directly sue a company for a violation of CCPA unless there is a data breach and your information is leaked. Your information would have to be leaked in an unencrypted and nonredacted form due to the business’s failure to maintain reasonable security procedures and practices to protect it. If that happens, you can sue for the amount of monetary damage you suffered as a result or statutory damages of up to $750 per incident.

For any other situation, only the Attorney General can file an action against a business for violating CCPA. The Attorney General doesn’t represent individual California residents; rather, the Attorney General’s Office uses consumer complaints and other information to identify patterns/history of misconduct and take action for the collective interest of the residents of California. If you believe a business has violated CCPA, you can file a complaint with the Office, which will help it build its case and eventually take action, but the Office cannot represent you or give you legal advice on how to resolve your individual complaint.

Summary

CCPA is a privacy regulation, focused on giving California residents more control over their personal information. It affects for-profit companies that do business in California and it mandates that businesses:

  • give people the ability to opt out of the sale of their personal information

  • provide consumers with the information that the business has collected about them if the consumer requests it

  • notify consumers of what information is being collected and why, prior to collection

  • give consumers the right to request that their personal information be deleted.

It’s important that businesses have at least 2 channels for consumers to make their requests, fulfill the requests promptly (usually within 45 days) and do not show any discrimination towards consumers for trying to exercise any of these rights. You can read more about this regulation at the CCPA website.