California Consumer Privacy Act (CCPA)

Everything you need to know about the California Consumer Privacy Act (CCPA) and how it affects your business.

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state law that can affect businesses across the country and even internationally. It’s arguably the most powerful US privacy law. It establishes and protects privacy rights for Californian residents and imposes specific requirements on the businesses it covers.

What rights do data subjects have under the CCPA?

The key to the CCPA is five rights that apply to all California consumers (that is, people rather than organizations or businesses).

While the CCPA sets out specific measures to follow, you should always keep these rights in mind when making privacy decisions. That’s because the rights may affect any interpretation of, or ambiguity in, the rest of the legislation. The CCPA specifically says its text “shall be liberally construed to effectuate its purpose.”

The rights, detailed in sections 2 through 6 of the CCPA, are as follows:
  • To know what personal information a business collects about you.
  • To know if the business sells or shares your personal information with a third party and, if so, who that is.
  • To refuse to let the business sell your personal information.
  • To see the personal information a business holds on you.
  • To exercise these rights without the business discriminating on service availability or price as a result.

What is the Scope of the CCPA?

Material Scope

The CCPA applies if you meet at least one of the following three criteria:

  • Your annual gross revenue is more than $25 million. (This is worldwide revenue, not just revenue from California.)
  • You buy, share or sell personal information relating to at least 50,000 Californian consumers, households or devices in a 12-month period.
  • You make at least half of your annual revenue from selling personal information relating to Californian consumers.

Territorial Scope

If you meet at least one of the criteria, the CCPA applies if you serve customers in California. This applies regardless of where this service takes place (in person, through the mail, or online) or where your business is located or registered.

Does my organization need to comply with the CCPA?

As long as you meet one of the three criteria and serve California consumers, you must comply with the CCPA if you are a for-profit entity. This includes both traditional businesses and charities that are legally classed as a for-profit corporation.

What are the consent management requirements under the CCPA?

Unlike some privacy laws, most notably Europe’s GDPR, the CCPA does not require advance consent to process the personal data of adults. Instead, the law is primarily about consumers' right to know if and when you process their data, and their right to opt out of data sales.

Note that the rules are different for children aged under 16: you must get consent before collecting or using personal information. For somebody aged 13 to 16, you must get their consent. For somebody aged under 13, you must get consent from a parent or guardian. These rules apply either if you know the person is aged under 16, or if you “willfully disregard” your duty to check people’s ages.

Definition of consent

From 1 January 2022, an amendment to the CCPA (AB 694) takes effect. It defines consent as a “freely given, specific, informed, and unambiguous indication.”

For now, this revised definition doesn’t change when you must get consent. However, it may affect the way you collect consent from a child, parent, or guardian. You should make sure:

  • The consent request includes a clear link to details of what information you collect and how you use it.
  • You don’t make the provision of services or their pricing dependent on the person consenting to data use (unless that use is necessary to provide the service).
  • You require an active and intentional signal of consent such as ticking a box or changing a toggle setting. (Don’t use pre-ticked boxes or say that you’ll assume consent unless told otherwise.)

Right to opt-out

The CCPA’s right to opt-out, detailed in section 8 of the legislation, is arguably a case of implied consent. The law says you can sell somebody’s data unless and until they exercise their opt-out right and make clear they do not consent to the sale.

Note that the right only covers you selling their data. The opt-out doesn’t apply to you sharing data or disclosing it in return for something other than money.

The CCPA says you must have a web page that lets people contact you and exercise the opt-out. You must have a text link on your home page that points to the opt-out page. This link must use the text “Do Not Sell My Personal Information.”

If somebody exercises their opt-out right, you must comply within 10 days. You must then wait 12 months before you ask for permission to begin selling their data again. You can only start selling the data again if the person gives this permission, and they can withdraw it later on by opting out again.

After an opt-out, you have 90 days to contact anyone to whom you have sold the person’s data. They must then act as if they had received a direct opt-out from the consumer, meaning they stop selling the data themselves and contact anyone they have sold it to.

What are the penalties for noncompliance?

Unlike some privacy laws, the CCPA sets out multiple routes to punishment for failing to comply, detailed in sections 11 and 12 of the legislation.

Attorney General

The state Attorney General is responsible for policing unintentional breaches of the CCPA. In such cases, the Attorney General can tell you to correct the breach within 30 days. If you don’t meet this deadline, you face a fine of $2,500 per violation under the state’s Business and Professions Code.

Criminal Penalties

If you intentionally breach the CCPA, the state Attorney General can levy a fine of up to $7,500 for each individual violation.

Private Action

If your business is hit by a data breach and the personal information involved wasn’t encrypted or redacted, the affected individuals can take private legal action against you. A court can award damages of up to $750 per consumer or the actual losses suffered, whichever is greater. The court can also issue penalties on top of these damages.
