California Consumer Privacy Act (CCPA) Overview

California Privacy Rights Act (CPRA) *effective January 1, 2023, with a lookback period starting from January 1, 2022*

Cal. Civ. Code §§ 1798.100–1798.194


The CCPA applies to:

  • For-profit entities doing business in California that control the collection or processing of California residents’ personal information and that meet one of the following thresholds:
    • Have annual gross revenues in excess of $25 million; or
    • Annually process the personal information of 50,000 or more California consumers, households, or devices; or
      [Effective January 1, 2023: the CPRA changes this element to raise the threshold to 100,000 or more California consumers or households.]
    • Derive 50 percent or more of annual revenues from selling consumers’ personal information. [Effective January 1, 2023: the CPRA changes this element to include revenues derived from sharing or selling personal information.]
  • Consumer rights under the CCPA, except as they relate to the private right of action for unauthorized access or disclosure, do not apply to transactions between a covered business and a consumer where the consumer is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, or nonprofit, and the person is acting in that role for purposes of the transaction. [Effective January 1, 2023]
  • Consumer rights under the CCPA, except as they relate to the private right of action for unauthorized access or disclosure, do not apply to personal information collected by a business from a person acting as a job applicant to, or an employee, owner, director, officer, medical staff member, or contractor of that business, if the information collected relates to that relationship. This exception also applies to third persons’ emergency contact information and information collected about third persons for purposes of administering benefits. [Effective January 1, 2023]

Key Definitions:

  • “Personal information” is broadly defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including:
    • Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
    • Personal information listed in the California data breach notification statute (Cal. Civ. Code § 1798.80).
    • [Effective January 1, 2023: The CPRA creates an additional category of “sensitive personal information,” defined to include government-issued identifiers, account login credentials, financial account information, precise geolocation, contents of certain types of messages, genetic data, racial or ethnic origin, religious beliefs, biometrics, health data, and data concerning sex life or sexual orientation.]
    • Characteristics of protected classifications, commercial information, biometric information, internet activity, geolocation data; audio, electronic, visual, thermal, olfactory, or similar information; professional or employment-related information, education information, and consumer profile information.
    • The CCPA excludes certain categories of information and/or entities governed by other statutory regimes, e.g., HIPAA, FCRA, GLBA.
    • Personal information does not include publicly available information or consumer information that is deidentified or aggregate consumer information.
  • “Collection” includes buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.
  • “Processing” includes any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.
  • “Consumer” means a natural person who is a California resident.
  • “Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating, by any means, a consumer’s personal information by a business to another business or third party for monetary or other valuable consideration. A business does not sell personal information when it uses personal information, or shares it with a service provider, if (i) the business has provided notice in its terms and conditions that the information is being used or shared, consistent with Sec. 1798.135, and (ii) the service provider does not further collect, sell, or use the consumer’s personal information except as necessary to perform the business purpose.
  • [Effective January 1, 2023: “Profiling” under the CPRA means automated processing of personal information to evaluate aspects of an individual and make predictions about that individual’s performance at work, economic status, health, interests, behavior, location, movements, reliability, or preferences.]
  • [Effective January 1, 2023: “Share” means sharing of data by a business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.]
  • “Service Provider” means a for-profit legal entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
  • [Effective January 1, 2023: “Contractor” means an entity to whom a business makes available a consumer’s personal information for a business purpose pursuant to a written contract.]

Consumer’s rights under the CCPA:

  • Right to disclosure of information relating to collection of personal information.
  • Right to request deletion of personal information.
  • Right to opt-out of the sale of personal information.
  • Right to prohibit sales of minors’ personal information without opt-in consent.
  • Right of non-discrimination for exercise of rights under the CCPA.

[Effective January 1, 2023:

  • Right to limit the use and disclosure of sensitive personal information
  • Right to data portability: a customer can request that a business transfer specific personal information to another entity to the extent feasible in a commonly used format.
  • Right to request information about automated decision making.]

Covered entities’ obligations under the CCPA:

  • Facilitate consumers’ exercise of their rights under the CCPA, including maintaining at least two methods, including a toll-free phone number, for receiving consumer requests under the CCPA. Subject to exceptions, organizations must respond to consumer requests within 45 days.
  • Provide consumers with clear and transparent information regarding data collection, sale, and use practices prior to the collection, use, or sale thereof. Implement and maintain reasonable security procedures to protect personal information.
    • An entity’s failure to establish and follow such procedures may subject the entity to a private right of action by an individual whose personal information is compromised while in the entity’s possession due to a security breach.
  • The CCPA provides the California Attorney General with authority to enforce the CCPA and to issue regulations further clarifying organizations’ obligations under it.