The California Consumer Privacy Act (CCPA) is a state law that gives California residents more control over the collection and sale of their personal data, similar to the European Union’s General Data Protection Regulation (GDPR). It operates primarily by requiring businesses to inform consumers as to what personal information is being collected and respond to consumer requests for specific actions. The law went into effect on January 1, 2020, and enforcement by the California Attorney General began on July 1, 2020.

The CCPA creates four distinct data privacy rights:

• The right to know what personal information is being collected and how it is used
• The right to opt out of the sale of their personal information
• The right to delete personal information that has been collected
• The right to non-discrimination for exercising rights under the CCPA
• The right to correct inaccurate information
• The right to limit use and disclosure of sensitive personal information

In addition to recognizing these new rights, the CCPA also requires businesses to implement reasonable security procedures to prevent data breaches. If businesses fail to do so and consumers’ nonencrypted and nonredacted personal information is subject to unauthorized access, consumers can recover up to $750 in statutory damages even without showing actual damages. Class-action lawsuits are very likely in such an event. Read more about private rights of action under the CCPA.

Who Has Rights Under the CCPA?

The CCPA protects “consumers,” defined very broadly as any California resident. This includes (1) anyone who is in the state of California (unless only there temporarily) and (2) anyone who lives in California, even while they are outside the state.

What Businesses Does the CCPA Apply To?

Designed to protect Californians, the CCPA applies to businesses in California and businesses that are located outside of the state but still offer goods or services in California. Any for-profit business is bound by the California law if it (1) does business in California and (2) meets at least one of the following criteria:

• Has gross annual revenues in excess of $25 million
• Buys, sells, or shares the personal information of 100,000 or more consumers or households
• Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

As to the last threshold requirement, “selling” and "sharing" personal information are broadly defined in the CCPA, as discussed below. Importantly, the use of interest-based advertising is considered sharing, so any revenue connected to these types of ads is “derived” from selling consumers’ personal information and should be included in this calculation.

Related Articles

• Calculate if your business meets the 100,000-record requirement
• Calculate if your business meets the 50%-of-revenue requirement

Key CCPA Concepts

What Is "Personal Information"?

Knowing what counts as “personal information” under the CCPA is fundamental to understanding how the data privacy law works and what businesses must do to be compliant.

The CCPA’s definition of personal information is very broad, to the point that many businesses may be surprised at how much personal information they are collecting. The statute defines it as:

Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

If this definition seems a bit vague, it was intentionally written to be open ended in order to cover the ever-growing list of types of information being collected by businesses. Thankfully, the CCPA also provides many examples of consumer data that are considered personal information.

Examples of Personal Information

• Identifiers, including names, online identifiers, social security numbers, email addresses, driver’s license numbers, IP addresses, and other similar identifiers
• Internet activity, including search history, browsing history, and advertising preferences
• Biometric data, including fingerprints, voiceprints, DNA, and sleep, health, or exercise data that contains identifying information
• Geolocation data
• Employment-related information
• Characteristics of protected classifications under California or federal law, such as race, gender, or disability
• Inferences drawn from personal information to create a profile regarding a consumer’s preferences, behaviors, attitudes, etc.

The inclusion of IP addresses as personal information is significant for a couple of reasons. First, they are very easy to overlook; businesses often use tools that automatically collect and share IP addresses without ever thinking of it. Second, this is one instance where the CCPA goes farther than the GDPR, which does not consider IP addresses to be personal information. Businesses that already have a GDPR compliance system in place will need to make some adjustments to meet the CCPA’s requirements.

What Is Not Personal Information?

With personal information being defined so broadly, it’s important to know what kind of data the CCPA specifically calls out as not personal information.

• Personal information does not include publicly available information. This includes:
  • Information lawfully made available from government records. However, information is not “publicly available” if it is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records.
  • Information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience
  • Lawfully obtained, truthful information that is a matter of public concern
• The CCPA does not restrict businesses’ collection, use, sale, or disclosure of consumer information that is deidentified or in the aggregate. For example, if a business collects usage statistics for its website but pools all the users’ information together, that activity is not affected by the CCPA because there is no way to attribute the information to any particular consumer.
• Information sold to or from credit reporting agencies, e.g., credit bureaus
• Medical information collected, shared, or disclosed pursuant to the Health Insurance Portability and Accountability Act (HIPAA)
• Personal information collected, shared or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (CFIPA)
• Personal information collected, shared, or disclosed pursuant to the Driver’s Privacy Protection Act

Selling & Sharing

Many of businesses’ most important obligations under the CCPA revolve around the “selling” and "sharing" consumers’ personal information, but those terms may not mean what you think.

What Is a "Sale"?

The CCPA defines sale broadly, covering transactions that businesses often don’t even think about. The legal definition is:

Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

Disclosing personal information with a third party for monetary consideration is the most obvious example. If a business exchanges consumers’ email addresses for money, few would argue that this is not a sale.

It’s the last phrase—“or other valuable consideration”—that is of key importance. This covers a variety of information transactions for which businesses do not receive any money. For example, giving access to your customers' personal information in exchange for free or discounted software, or in exchange for access to personal information from other businesses (a "data co-op") would likely be considered selling.

When a transfer of information is considered a sale, the most important consequence is that it is covered by consumers’ right to opt-out, covered in more detail below.

What Is Not a Sale?

The CCPA provides a few key categories of transactions that are not considered a sale of personal information. Disclosing consumer data to a third party is not a sale when:

• A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information
• The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose

For businesses covered by the CCPA, the exemption for service providers will take on critical importance in their compliance strategy.

What Is "Sharing"?

"Sharing" is the use or disclosure of a consumer’s personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. Cross-context behavioral advertising means targeting ads towards consumers on other sites based on their activity on your site—in other words, retargeting or interest-based advertising.

The bottom line is, if you use this type of advertising, it is considered "sharing" and will trigger opt-out rights.

What Is a "Service Provider"?

“Service providers” are mentioned throughout the CCPA and are one of the data privacy law’s most important exemptions. Businesses that are in the process of becoming CCPA compliant will need to understand what a service provider is and how they affect consumers’ privacy rights.

The CCPA gives consumers control over the sale of their personal information by businesses to “third parties” (basically anyone else). However, the law makes a major exception for the disclosure of consumer information to service providers, who are not treated as third parties. This type of activity is not a sale and thus not subject to the same CCPA requirements.

This difference between third parties and service providers in the CCPA is best illustrated by an example:

Company A is fully CCPA compliant. As part of its business, Company A collects email addresses from consumers and sells them to Company B. It also sends out a weekly newsletter, and in order to do so it shares its email list with Company C, an email marketing vendor. This is all fine and perfectly legal under the CCPA, because Company A has posted all the required privacy notices and opt-out links.

When a consumer clicks on the “Do Not Sell My Personal Information” link on Company A’s homepage and requests to opt out of the sale of their personal information, Company A must honor that request. It has to stop selling that particular consumer’s data to Company B, BUT it can continue sharing the consumer’s email address with Company C because Company C is a service provider and needs the email address in order to do its job.

Overall, it’s a common-sense exemption that recognizes the realities of modern business, but there are a few nuances and requirements that companies should be aware of.

Service Provider Defined

The CCPA defines a service provider as an entity that that processes personal information on behalf of a business, provided that the two parties have a written contract that prohibits the service provider from:

• Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract
• Selling or sharing the personal information
• Retaining, using, or disclosing the personal information outside of the direct business relationship between the business and service provider
• Combining the personal information with personal information obtained from other sources

The contract requirement means businesses have to ensure that their vendor contracts are CCPA compliant in order for those vendors to qualify as service providers. If the contract does not meet these requirements, any disclosure of information might be considered a sale.

Contractors

There is now another type of outside party, the “contractor.” A contractor qualifies for the same exemptions as a service provider, i.e., they are not affected by opt-out requests, but are defined a little differently. As opposed to a service provider who “processes information” for a business, a contractor is “a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business.” The impact of this is that businesses’ contracts with their contractors must meet similar requirements as those of service providers.

Consumer Rights

Right to Know

The CCPA gives consumers the right to know what personal information businesses are collecting and how that information is being used. For businesses, this means they have two legal responsibilities toward consumers: They must inform consumers in advance regarding data collection and respond to a consumer’s request to know what has been collected.

To meet the first of these requirements, businesses must post a CCPA-compliant privacy notice at or before the point of collection. This is known as a “notice at collection.” It tells consumers what categories of personal information are being collected and for what purposes.

Example: An online retailer is offering a discount promo code, but requires consumers to enter their email address in order to receive it. This is a data collection point. At or before this point, the retailer must include a link to a privacy notice that lets consumers know what personal data is being collected (i.e., email addresses) and for what purposes (i.e., sending marketing content, etc.).

Second, consumers can submit a request to know what personal information a business has collected from them. For the 12-month period preceding the request, businesses must disclose the following information:

• The categories of personal information it has collected about that consumer
• The categories of sources from which the personal information is collected
• The business or commercial purpose for collecting or selling personal information
• The categories of third parties with whom the business shares personal information
• The specific pieces of personal information it has collected about that consumer

They must provide this information free of charge, but only after verifying that the consumer is who they say they are. Businesses are required to respond to an individual’s requests to know no more than twice in a 12-month period.

Learn more about responding to CCPA requests to know.

Right to Opt Out

If a business sells or shares personal information about a consumer to a third party, the CCPA gives that consumer the right to request that the business stop selling or sharing their information. This is called the right to opt out. Any business that sells or shares consumers’ personal information must include a conspicuous “Do Not Sell or Share My Personal Information” link on their homepage that informs consumers how to submit a request to opt out.

After a consumer has opted out, businesses must wait at least 12 months before asking them to opt in again.

The CCPA also addresses the sale or sharing of the personal information from minors under the age of 16. If a consumer is between the ages of 13 and 16, businesses must get their affirmative consent to sell their personal information. For children under the age of 13, the child’s parent or guardian must give their affirmative consent. These rules apply when the business has actual knowledge of the consumer’s age or willfully disregards it.

Service Providers

An important exception to the consumer’s right to opt out is where the businesses give personal information to service providers, discussed in greater detail above. Businesses may continue disclosing personal information to a service provider even after a consumer opts out, because this is not considered a sale.

Learn more about responding to CCPA requests to opt out.

Right to Delete

The right to delete is a major component of the CCPA’s attempt to give consumers more control over their personal information. It seeks to alleviate the “forever” aspect of online data by giving consumers the right to send a deletion request to businesses that have collected their information. It is not an absolute right, however, and businesses may still retain consumers’ personal information in a variety of circumstances.

The CCPA requires businesses to designate at least two methods for consumers to make a request to delete, such as an email address and a toll-free phone number. The request methods should match the way the company normally does business. For example, an online retailer can’t have exclusively offline methods to submit requests.

Once a business has received a request to delete, it has 45 days to comply. That deadline can be extended to a total of 90 days if necessary when considering the complexity and number of requests, provided the consumer is notified.

The business must also notify all service providers, contractors, and third parties who had access to the consumer's information of the request to delete.

Knowing which consumer information to delete can be tricky for businesses, especially if they do not already have a CCPA compliance system in place. They must delete “any personal information” upon request, but the law provides a number of exceptions. Businesses (and service providers) are not required to delete personal information if it is necessary to:

• Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity
• Debug to identify and repair errors that impair existing intended functionality.
• Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law
• Comply with the California Electronic Communications Privacy Act
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, if the consumer has provided informed consent
• To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business
• Comply with a legal obligation

The complexity of processing a request to delete perfectly illustrates why businesses need to already have a CCPA compliance plan in place. Otherwise, they can easily end up either failing to fully comply with a request or deleting important information that could have been retained.

Learn more about responding to CCPA requests to delete.

Right to Non-Discrimination

The right to non-discrimination helps to ensure that consumers are comfortable exercising their data privacy rights under the CCPA without fear of retaliation. The basic rule is fairly straightforward. Businesses cannot deny goods or services, provide a different level of quality of goods or services, or charge a different price to consumers who exercise their CCPA rights.

As with the other CCPA rights, there are a number of exceptions to the rule.

• Businesses may charge a different price or offer a different quality of goods or services if that difference is reasonably related to the value provided to the business by the consumer’s information.
• Businesses may offer promotions, discounts, and other financial incentives in exchange for collecting, storing, or selling personal information.
• If a consumer has requested to delete or opt out of the sale of their personal information, and that information or sale is necessary to provide a good or service, the business’s inability to complete the transaction is not discrimination.

Right to Correct Inaccurate Personal Information

A newer addition to the CCPA is the consumer’s right to correct inaccurate personal information. The law reads:

A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.

Businesses are also required to inform consumers of this right in their privacy policy. The new right is a straightforward addition to the CCPA. It tries to balance consumer rights with the burden placed on businesses by only requiring businesses to use “commercially reasonable efforts” to correct the inaccurate information.

Right to Limit Use and Disclosure of Sensitive Personal Information

The CCPA now includes includes a separate category of consumer data—"sensitive personal information”—and gives consumers the right to limit its use and disclosure by businesses. This addition brings the California law closer in line with the robust privacy protections of the GDPR.

What Is Sensitive Personal Information?

As a narrower category of personal information, sensitive personal information is defined more specifically in the CCPA. It is any information that fits in these four categories.

1. Personal information that reveals
   • A consumer’s social security, driver’s license, state identification card, or passport number
   • A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
   • A consumer’s precise geolocation
   • A consumer’s racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership
   • The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication
   • A consumer’s genetic data
2. The processing of biometric information for the purpose of uniquely identifying a consumer
3. Personal information collected and analyzed concerning a consumer’s health
4. Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation

Requirements for Handling Sensitive Personal Information

The overall structure of this right is similar to the right to opt out. Businesses are still allowed to collect sensitive personal information, but consumers have a say in how that information is used and disclosed. Specifically, it gives consumers the right to request that a business:

Limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.

If a business collects sensitive personal information but already restricts its use to what is necessary to perform its services (and is reasonably expected by the average consumer), that business does not need to take any action when it receives a consumer request. A business that goes beyond necessary use of sensitive personal information, e.g., selling it to a third party, is required to stop that additional use upon receiving a consumer’s request.

Businesses that use sensitive personal information for additional purposes are required to disclose that use in their privacy policy, as well as provide a conspicuous “Limit Use of My Sensitive Personal Information” link on their homepage.

Sensitive personal information collected without the purpose of inferring characteristics about a consumer is not subject to these requirements. Future regulations are expected to provide more clarity on what this means and what qualifies as necessary use.

‍