California Consumer Privacy Act (CCPA) Compliance Guide
California Consumer Privacy Act (CCPA) Compliance Guide
Last Updated: July 28, 2020
CCPA Summary: What is the California Consumer Privacy Act?
In 2018, Gov. Jerry Brown signed the California Consumer Privacy Act (CCPA) — the first consumer privacy bill in the U.S. that provides California citizens with GDPR-like protections.
It went into effect on January 1, 2020 and enforcement began on July 1.
Any businesses collecting or storing data about California residents are affected by the CCPA, regardless of location.
In short, the new California privacy law gives consumers the right to know what personal information is being collected and shared with third parties. It also gives consumers the right to access or delete their information and opt-out of the sale of personal information.
Who does the CCPA apply to?
Any businesses collecting or storing data about California residents are affected by the CCPA, regardless of location of the business.
Additionally, a company must meet one of the following thresholds for the CCPA to apply:
- Generate $25 million or more in annual revenue; or
- Possess the personal data of more than 50,000 “consumers, households, or devices;” or
- Earn more than half of its annual revenue from selling consumers’ personal data.
Some health and financial companies are exempt, because they’re already monitored under federal data security laws.
The CCPA does not apply to the following entities:
- Health providers and insurers already covered under HIPAA
- Banks and financial companies covered by Gramm-Leach-Bliley
- Credit reporting agencies (Equifax, TransUnion, etc.) that are covered under the Fair Credit Reporting Act
What are the rights provided by the CCPA?
Under the CCPA, California consumers (defined below in our Gloassary) “own” their personal information and are granted the following rights, including:
To access the personal information collected about them:
Consumers have the right to request to know what data categories have been collected about them by a business, their source and the purpose for which it is being used.
Consumers may also request to know specific pieces of information collected about them. In that instance, companies will need to provide consumers a full download of their data in a machine readable format.
The CCPA requires that businesses provide specific means for consumers to submit these requests depending on the nature of the business, typically a toll-free number and a web link. Once the request is made, businesses must disclose the requested information free of charge within 45 days, with extensions of time available in certain circumstances.
To know whether and to whom their personal information is sold/disclosed, and to opt-out of its sale:
Companies that provide or make consumer data available to third parties for monetary or other benefit(s) are deemed to have sold the data and must disclose this.
Subject to certain exceptions, consumers will then have the additional right to opt out of the sale of their information by using the “Do Not Sell My Personal Information” link on the business’ home page, which is required by the Act.
Those 16 years and under must opt in to have their information sold. The term “sold” is not limited to the actual sale of privacy information. It can be broadly interpreted to include sharing of privacy information with other parties.
To have a business delete their personal information: Consumers can request that their personal information that’s been collected be deleted. Some personal information is exempt from deletion requests, including information under legal hold (until the matter is adjudicated or until the hold is released) and for information that must be retained per legal or regulatory requirements.
To not be discriminated against for exercising their rights under the Act: The CCPA gives consumers the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act. As such, businesses may not “discriminate” against consumers for exercising these privacy rights. They cannot deny goods or services, charge different prices, or provide a different quality of goods or services to those consumers. There are some exceptions, however, on the service levels that can be provided, for example with memberships to a certain program. It is expected that this definition of “discrimination” will evolve either from guidance from the California Attorney General or case law. It should be noted that even though the Act requires the California Attorney General to provide implementation guidelines, he has publicly stated he is reluctant to do so.
A consumer under the CCPA is any permanent California resident.
Don’t let the word “consumer” fool you.
Any permanent California resident has rights under the CCPA — employees and customers — even if they’re traveling out-of-state on business or a family vacation, which means segmenting your customers by login location won’t necessarily work.
Companies, like Overstock, Drift, Revolve and Microsoft, have decided to solve this problem by treating all Americans as California residents.
All of the CCPA requirements center around whether or not a business is collecting or processing personal information.
Personal Identifiable Information (PII) refers to information that identifies, relates to or describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Note: Household is loosely defined in the CCPA. It could refer to two non-family members sharing an apartment or only family members.
What are the CCPA categories of Personal Information?
Note: This list is not exhaustive and any ONE “match” satisfies the definition above. For example, an email address, such as firstname.lastname@example.org, could be personal information by itself because it tells us a person and her employer.
Personal Identifiers (PID) are a subset of personally identifiable information (PII) data elements, which identify a unique individual and can permit another person to “assume” that individual’s identity without their knowledge or consent.
Examples of Personal Identifiers:
- Real name,
- postal address,
- unique personal identifier, (see below)
- online identifier,
- IP address,
- email address,
- account name,
- social security number,
- driver’s license number,
- passport number
Unique Personal Identifiers:
A unique personal identifier is a consistent identifier that can be used to recognize a consumer, a family or a device that’s linked to a consumer or family over time and across services.
Examples of Unique Personal Identifiers:
- Device identifiers
- IP addresses
- Pixel tags
- Mobile ad identifiers
- Customer number
- Unique pseudonym / User alias
- Telephone numbers
Commercial information refers to an individual’s purchasing behavior, history or tendencies.
Examples of Commercial Information:
- Personal property records
- Previous purchases
- Considerations of purchases
- Any other purchasing or consumption histories or tendencies
Biometric information refers to an individual’s physiological, biological or behavioral characteristics.
Examples of Biometric Information:
- Individual’s DNA that can be used, singly, or in combination with other identifiers to establish individual identity.
- Imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns and voice recordings, from which the identifier template, such as a faceprint, a minutiae template or a voiceprint, can be extracted
- Keystroke patterns or rhythms
- Sleep, health or exercise data that contain identifying information
Computer activity refers to any Internet or other electronic network activity information.
- Browsing history
- Search history
- Information regarding a consumer’s interaction with a website, app or ad.
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, etc.
- Professional information or employment-related history
- Educational-related information that is not publicly available personally identifiable information as defined by the Family Educational Rights and Privacy Act
Inferences based on PII
Personal Identifiable Information (PII) is defined as: Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
Further, PII is defined as information:
- that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.)
- by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors).
- permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
Any inferences drawn from any of the information identified in this subdivision to create a consumer profile that includes consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
Exceptions to the above PII categories
Publicly available information that is made available to the public from the federal, state or local government is NOT covered by the CCPA provided that its use is compatible with the purpose for which the data is maintained and made available by the government records.
A consumer’s biometric information WITHOUT the consumer’s consent is not deemed publicly available.
Deidentified information is information that can’t reasonably identify, relate to, describe, be capable of being associated with or be linked to, directly or indirectly, to a specific consumer, provided that the business using the information:
- Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain
- Has implemented business processes that specifically prohibit reidentification of the information
- Has implemented business processes to prevent inadvertent release of deidentified information
- Makes no attempt to reidentify the information
The challenge for businesses is determining whether information can NOT reasonably “be capable of” being associated with a particular consumer, directly or indirectly, especially in a world where technology makes it extremely easy to recreate an individual’s identity from disparate sources of data.
Aggregate consumer information
Aggregate consumer information is defined as information that relates to a group or category of consumers, from which the consumers’ identities have been removed or is not linked, or reasonably linkable to any consumer or household, including via a device.
“Collect” and “Sell” information defined
Collection: “Buying, renting, gathering, obtaining, receiving or accessing any personal information related to a consumer by any means.” It includes any information you receive — actively, passively or by observing consumer behavior.”
Sale: “Selling, renting, releasing, disclosing disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means” the PI of a consumer to another business or third-party “for monetary or other valuable consideration.”
IMPORTANT NOTE: Because the definition is broad, assume that a “sale” could have occurred if it’s provided as part of a bigger business deal, even if no money is directly given for the information. Also, a website could be considered “selling” information simply by passing data to third-party ad networks through cookies.
The following are exceptions to the “sale” definition.
- A consumer uses or directs the business to intentionally disclose PI to a third-party. Intentional, meaning when the consumer intends to interact with the third-party via one or more deliberate actions. Hovering over a piece of content or closing it does NOT qualify as a “deliberate action.”
- A business shares a consumer identifier to alert a third-party of a consumer’s opt-out decision.
- Personal information is shared with a third-party for a “business purpose.” Business purpose means the business has provided notice of the sharing and opt-out right as described below; and the third-party does not further collect, sell or use the PI except as necessary to perform the business purpose.
- The personal information is an asset that is part of a merger, acquisition or bankruptcy or another transaction in which the third-party assumes control of all or part of the business, provided that the business complies with the CCPA disclosure requirements relating to the disclosure of information collected or sold (discussed below).
- If the business acquiring the data plans to use or share the data in a way that’s inconsistent with what consumers were told their data would be used for at the time of collection, then it must provide prior written notice of the new practices to the consumer and include a “prominent and robust” notice so the consumer can opt out.
Businesses must verify consumers’ identity before fulfilling their request.
Section 999.323 of the CCPA requires a business:
- To verify consumers’ requests by using available data and implementing reasonable security measures,
- Not to collect new data for verification unless necessary for security purposes, and
- To promptly delete newly collected information.
Notably, a business is not required to re-identify data or to provide or delete de-identified information.
Who enforces the CCPA?
The California Attorney General (AG) will enforce the CCPA.
Note: The California Privacy Rights Act (CPRA or CCPA 2.0) is on the November ballot, so if it gets the votes, then a new enforcement arm of the California government will be established to ensure the law is strictly enforced. CPRA wouldn’t go into effect until January 2023 though.
When will CCPA be enforced?
CCPA enforcement began July 1, 2020 and went into effect on January 1, 2020.
What is the CCPA 12-month lookback requirement?
Although the CCPA went into effect on January 1, 2020, companies are responsible for managing consumer information dating back to January 1, 2019.
This is because the CCPA has a 12-month lookback requirement that allows consumers to request their data records dating back an entire year from when the request is made.
When a consumer makes a verifiable request for access to their personal information, organizations are required to provide consumers records covering the 12-month period preceding the date of request. These records must be supplied without delay and free of charge.
Exceptions to the lookback requirement
- Organizations do not need to provide the same data to a consumer more than twice in a 12-month period.
- Organizations are not required to retain any personal data collected for a one-time transaction, or if the data will not be sold or retained by the organization.
What are the penalties for violating CCPA?
Under the CCPA, the AG may recover civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation.
Does CCPA have a private right of action?
Yes, the CCPA does have a private right of action for damages resulting from a data breach involving certain defined types of personal information.
Certain Defined Types of Personal Information Include:
- Social security number
- Driver’s license number or California identification card number
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Medical information
- Health insurance information
NOTE: This definition is much narrower than the definition of “personal information” for the rest of the CCPA.
California consumers have a private right of action when their “non encrypted and non redacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.”
This private right of action includes the availability of statutory damages and is unlike most data breach and privacy laws, which require proof of actual harm and do not allow for statutory damages.
Any consumer who commences a civil action lawsuit can either recover:
- actual damages; or
- statutory damages between $100 and $750 per consumer per incident (whichever is greater).
What factors will courts consider in regards to statutory damages?
Courts will weigh a number of factors when considering statutory damages, including:
- Nature and seriousness of the misconduct
- Number of violations
- Persistence of the misconduct
- Length of time over which the misconduct occurred
- Willfulness of the defendant’s misconduct
- Defendant’s assets, liabilities, and net worth
- Other “relevant circumstances presented by any of the parties”
Additional CCPA Resources
How does DataGrail help with CCPA compliance?
DataGrail was purpose-built specifically to help businesses simplify and comply with emerging data privacy laws such as CCPA and GDPR.
DataGrail’s 300+ pre-built connectors enable you to quickly discover business systems with personal data, map and inventory that data in real time, and automate the processes required to comply with consumer requests, all while keeping detailed compliance logs of activities.
Our platform was designed with the flexibility to scale and adapt as new regulations emerge over time to give you peace of mind that your business is continuously compliant.
Companies like Overstock.com, Restoration Hardware, NETGEAR and Drift trust DataGrail to power their privacy programs.
Check out our 5 star reviews on G2 and our inclusion in Gartner’s 2020 Cool Vendor in Privacy.