What is the CALIFORNIA CONSUMER PRIVACY ACT (CCPA)?
The California Consumer Privacy Act (CCPA) is a state law designed to enhance privacy rights and consumer protection for residents of California, United States. Officially known as AB-375, the law was introduced by Ed Chau, a member of the California State Assembly, and State Senator Robert Hertzberg.
Key Dates of the CCPA
Law definitively adopted on June 28, 2018
Final amendments adopted on October 11, 2019
Effective from January 1, 2020, but with a 12-month “look back” requirement that allows consumers to request data collected on them going back a full year from when the request is made. This means that businesses must identify personal data files collected from January 1, 2019 (12 months prior to January 1, 2020).
Who is Covered by This Law
It applies to any business that:
Directly or indirectly collects or processes personal data of California consumers (i.e., any natural person residing in California) and, alone or jointly with others, determines the purposes and means of processing personal data
Conducts business in California (regardless of the business’s location, in California or in another state or country, as long as the conditions are met)
Meets at least one of the following thresholds:
– Has annual gross revenues exceeding 25 million dollars
– Or annually buys, receives, sells, or shares for commercial purposes the personal data of 50,000 or more California consumers, households, or devices
– Or earns more than half of its annual revenues from selling personal data
The CCPA also applies, indirectly, to the parent company and subsidiaries of an entity that meets the above criteria a), b), and c) if they share the same branding or trade name (“common branding”).
NB: The notion of “selling” personal data includes, notably:
– Placing a third-party cookie on a website to enable advertising; or
– Granting rights to sellers to analyze data for their own purposes.
Definition of "Personal Data"
Personal data is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Personal data notably includes any cookie identifier, device identifier, pixel beacon, customer number, as well as information linked to a household.
Data that is anonymized or aggregated is not considered personal data.
Principal Rights of Consumers
Right to information, before any collection, regarding (i) the categories of personal data that will be collected about them and any changes to this collection, (ii) the purpose of the collection, (iii) the third parties with whom their personal data is shared
Right to consent or object to the sale of their personal data (opt-out)
Right of access: to know the data collected about them by a company and the source of this collection
Right to object to the sale of their personal data
Right to deletion of their personal data
Right to take action (individually, not collectively) against companies that fail to meet their legal obligations
Principal Obligations of Businesses
To inform the concerned individuals by:
– A privacy notice at the time of collection
– A privacy policy containing information on online and offline collection practices (mandatory update every 12 months)
– A notification in case of enrichment or modification of the collected information
To notify individuals of the terms of any existing financial incentives during the collection, sale, or retention of personal data
To provide an opt-out means for the individual to object to the sale of their personal data
Specific obligations regarding the collection of personal data of minors under 13 years old
To train its staff on personal data protection rules
Unlike the GDPR, the CCPA recognizes the right to the monetization of data by allowing individuals to sell their personal data in exchange for a financial incentive (“financial incentive”).
Penalties in Case of Violation of the Law
Notice of non-compliance by the California Attorney General
Civil penalties imposed by the California Attorney General ranging from $2,500 to $7,500 for each violation that is not remedied following a notice
Civil action by the affected individual against the non-compliant company
Exemptions and Exceptions
The CCPA provides various exceptions and exemptions to personal data processing. For example, a general exemption applies until January 1, 2021:
To information that a business collects from its candidates, employees, contractors, and other similar individuals
To information about the personnel of business clients of an entity, in B2B scenarios