California is imposing tough new rules on processing the data of anyone under the age of 18, with the potential to affect businesses that don't target younger consumers.
The California Consumer Privacy Act (CCPA) is a state law that gives California residents more control over the collection and sale of their personal data, similar to the European Union’s General Data Protection Regulation (GDPR). It operates primarily by requiring businesses to inform consumers as to what personal information is being collected and respond to consumer requests for specific actions. The law went into effect on January 1, 2020, and enforcement by the California Attorney General began on July 1, 2020.
The CCPA creates four distinct data privacy rights:
In addition to recognizing these new rights, the CCPA also requires businesses to implement reasonable security procedures to prevent data breaches. If businesses fail to do so and consumers’ nonencrypted and nonredacted personal information is subject to unauthorized access, consumers can recover up to $750 in statutory damages even without showing actual damages. Class-action lawsuits are very likely in such an event. Read more about private rights of action under the CCPA.
The CCPA protects “consumers,” defined very broadly as any California resident. This includes (1) anyone who is in the state of California (unless only there temporarily) and (2) anyone who lives in California, even while they are outside the state.
Designed to protect Californians, the CCPA applies to businesses in California and businesses that are located outside of the state but still offer goods or services in California. Any for-profit business is bound by the California law if it (1) does business in California and (2) meets at least one of the following criteria:
As to the last threshold requirement, “selling” and "sharing" personal information are broadly defined in the CCPA, as discussed below. Importantly, the use of interest-based advertising is considered sharing, so any revenue connected to these types of ads is “derived” from selling consumers’ personal information and should be included in this calculation.
Knowing what counts as “personal information” under the CCPA is fundamental to understanding how the data privacy law works and what businesses must do to be compliant.
The CCPA’s definition of personal information is very broad, to the point that many businesses may be surprised at how much personal information they are collecting. The statute defines it as:
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
If this definition seems a bit vague, it was intentionally written to be open ended in order to cover the ever-growing list of types of information being collected by businesses. Thankfully, the CCPA also provides many examples of consumer data that are considered personal information.
The inclusion of IP addresses as personal information is significant for a couple of reasons. First, they are very easy to overlook; businesses often use tools that automatically collect and share IP addresses without ever thinking of it. Second, this is one instance where the CCPA goes farther than the GDPR, which does not consider IP addresses to be personal information. Businesses that already have a GDPR compliance system in place will need to make some adjustments to meet the CCPA’s requirements.
With personal information being defined so broadly, it’s important to know what kind of data the CCPA specifically calls out as not personal information.
Many of businesses’ most important obligations under the CCPA revolve around the “selling” and "sharing" consumers’ personal information, but those terms may not mean what you think.
The CCPA defines sale broadly, covering transactions that businesses often don’t even think about. The legal definition is:
Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
Disclosing personal information with a third party for monetary consideration is the most obvious example. If a business exchanges consumers’ email addresses for money, few would argue that this is not a sale.
It’s the last phrase—“or other valuable consideration”—that is of key importance. This covers a variety of information transactions for which businesses do not receive any money. For example, giving access to your customers' personal information in exchange for free or discounted software, or in exchange for access to personal information from other businesses (a "data co-op") would likely be considered selling.
When a transfer of information is considered a sale, the most important consequence is that it is covered by consumers’ right to opt-out, covered in more detail below.
The CCPA provides a few key categories of transactions that are not considered a sale of personal information. Disclosing consumer data to a third party is not a sale when:
For businesses covered by the CCPA, the exemption for service providers will take on critical importance in their compliance strategy.
"Sharing" is the use or disclosure of a consumer’s personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. Cross-context behavioral advertising means targeting ads towards consumers on other sites based on their activity on your site—in other words, retargeting or interest-based advertising.
The bottom line is, if you use this type of advertising, it is considered "sharing" and will trigger opt-out rights.
“Service providers” are mentioned throughout the CCPA and are one of the data privacy law’s most important exemptions. Businesses that are in the process of becoming CCPA compliant will need to understand what a service provider is and how they affect consumers’ privacy rights.
The CCPA gives consumers control over the sale of their personal information by businesses to “third parties” (basically anyone else). However, the law makes a major exception for the disclosure of consumer information to service providers, who are not treated as third parties. This type of activity is not a sale and thus not subject to the same CCPA requirements.
This difference between third parties and service providers in the CCPA is best illustrated by an example:
Company A is fully CCPA compliant. As part of its business, Company A collects email addresses from consumers and sells them to Company B. It also sends out a weekly newsletter, and in order to do so it shares its email list with Company C, an email marketing vendor. This is all fine and perfectly legal under the CCPA, because Company A has posted all the required privacy notices and opt-out links.
When a consumer clicks on the “Do Not Sell My Personal Information” link on Company A’s homepage and requests to opt out of the sale of their personal information, Company A must honor that request. It has to stop selling that particular consumer’s data to Company B, BUT it can continue sharing the consumer’s email address with Company C because Company C is a service provider and needs the email address in order to do its job.
Overall, it’s a common-sense exemption that recognizes the realities of modern business, but there are a few nuances and requirements that companies should be aware of.
The CCPA defines a service provider as an entity that that processes personal information on behalf of a business, provided that the two parties have a written contract that prohibits the service provider from:
The contract requirement means businesses have to ensure that their vendor contracts are CCPA compliant in order for those vendors to qualify as service providers. If the contract does not meet these requirements, any disclosure of information might be considered a sale.
There is now another type of outside party, the “contractor.” A contractor qualifies for the same exemptions as a service provider, i.e., they are not affected by opt-out requests, but are defined a little differently. As opposed to a service provider who “processes information” for a business, a contractor is “a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business.” The impact of this is that businesses’ contracts with their contractors must meet similar requirements as those of service providers.
The CCPA gives consumers the right to know what personal information businesses are collecting and how that information is being used. For businesses, this means they have two legal responsibilities toward consumers: They must inform consumers in advance regarding data collection and respond to a consumer’s request to know what has been collected.
To meet the first of these requirements, businesses must post a CCPA-compliant privacy notice at or before the point of collection. This is known as a “notice at collection.” It tells consumers what categories of personal information are being collected and for what purposes.
Example: An online retailer is offering a discount promo code, but requires consumers to enter their email address in order to receive it. This is a data collection point. At or before this point, the retailer must include a link to a privacy notice that lets consumers know what personal data is being collected (i.e., email addresses) and for what purposes (i.e., sending marketing content, etc.).
Second, consumers can submit a request to know what personal information a business has collected from them. For the 12-month period preceding the request, businesses must disclose the following information:
They must provide this information free of charge, but only after verifying that the consumer is who they say they are. Businesses are required to respond to an individual’s requests to know no more than twice in a 12-month period.
Learn more about responding to CCPA requests to know.
If a business sells or shares personal information about a consumer to a third party, the CCPA gives that consumer the right to request that the business stop selling or sharing their information. This is called the right to opt out. Any business that sells or shares consumers’ personal information must include a conspicuous “Do Not Sell or Share My Personal Information” link on their homepage that informs consumers how to submit a request to opt out.
After a consumer has opted out, businesses must wait at least 12 months before asking them to opt in again.
The CCPA also addresses the sale or sharing of the personal information from minors under the age of 16. If a consumer is between the ages of 13 and 16, businesses must get their affirmative consent to sell their personal information. For children under the age of 13, the child’s parent or guardian must give their affirmative consent. These rules apply when the business has actual knowledge of the consumer’s age or willfully disregards it.
An important exception to the consumer’s right to opt out is where the businesses give personal information to service providers, discussed in greater detail above. Businesses may continue disclosing personal information to a service provider even after a consumer opts out, because this is not considered a sale.
Learn more about responding to CCPA requests to opt out.
The right to delete is a major component of the CCPA’s attempt to give consumers more control over their personal information. It seeks to alleviate the “forever” aspect of online data by giving consumers the right to send a deletion request to businesses that have collected their information. It is not an absolute right, however, and businesses may still retain consumers’ personal information in a variety of circumstances.
The CCPA requires businesses to designate at least two methods for consumers to make a request to delete, such as an email address and a toll-free phone number. The request methods should match the way the company normally does business. For example, an online retailer can’t have exclusively offline methods to submit requests.
Once a business has received a request to delete, it has 45 days to comply. That deadline can be extended to a total of 90 days if necessary when considering the complexity and number of requests, provided the consumer is notified.
The business must also notify all service providers, contractors, and third parties who had access to the consumer's information of the request to delete.
Knowing which consumer information to delete can be tricky for businesses, especially if they do not already have a CCPA compliance system in place. They must delete “any personal information” upon request, but the law provides a number of exceptions. Businesses (and service providers) are not required to delete personal information if it is necessary to:
The complexity of processing a request to delete perfectly illustrates why businesses need to already have a CCPA compliance plan in place. Otherwise, they can easily end up either failing to fully comply with a request or deleting important information that could have been retained.
Learn more about responding to CCPA requests to delete.
The right to non-discrimination helps to ensure that consumers are comfortable exercising their data privacy rights under the CCPA without fear of retaliation. The basic rule is fairly straightforward. Businesses cannot deny goods or services, provide a different level of quality of goods or services, or charge a different price to consumers who exercise their CCPA rights.
As with the other CCPA rights, there are a number of exceptions to the rule.
A newer addition to the CCPA is the consumer’s right to correct inaccurate personal information. The law reads:
A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
Businesses are also required to inform consumers of this right in their privacy policy. The new right is a straightforward addition to the CCPA. It tries to balance consumer rights with the burden placed on businesses by only requiring businesses to use “commercially reasonable efforts” to correct the inaccurate information.
The CCPA now includes includes a separate category of consumer data—"sensitive personal information”—and gives consumers the right to limit its use and disclosure by businesses. This addition brings the California law closer in line with the robust privacy protections of the GDPR.
As a narrower category of personal information, sensitive personal information is defined more specifically in the CCPA. It is any information that fits in these four categories.
The overall structure of this right is similar to the right to opt out. Businesses are still allowed to collect sensitive personal information, but consumers have a say in how that information is used and disclosed. Specifically, it gives consumers the right to request that a business:
Limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
If a business collects sensitive personal information but already restricts its use to what is necessary to perform its services (and is reasonably expected by the average consumer), that business does not need to take any action when it receives a consumer request. A business that goes beyond necessary use of sensitive personal information, e.g., selling it to a third party, is required to stop that additional use upon receiving a consumer’s request.
Businesses that use sensitive personal information for additional purposes are required to disclose that use in their privacy policy, as well as provide a conspicuous “Limit Use of My Sensitive Personal Information” link on their homepage.
Sensitive personal information collected without the purpose of inferring characteristics about a consumer is not subject to these requirements. Future regulations are expected to provide more clarity on what this means and what qualifies as necessary use.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.