The California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA), enacted in 2018, set a new standard for consumer privacy rights in the United States. Building on this foundation, the California Privacy Rights Act (CPRA) further strengthens these protections. Together, these laws give California residents more control over their personal information and hold businesses accountable for transparent and responsible data practices.

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a law passed in 2018 that grants California residents significant rights regarding their personal information. These rights include the ability to know what personal information is collected, request deletion of personal information, opt out of the sale of their data, and receive equal service and price even if they exercise their privacy rights.

Key Milestones

The CCPA marked a significant step forward for data privacy in California. In 2020, the California Privacy Rights Act (CPRA) was introduced, further expanding consumer rights under the CCPA.

Data Sovereignty and Transparency

A core principle of the CCPA is data sovereignty, which means you have control over your personal information. The CCPA also emphasizes consumer transparency, requiring businesses to be clear about what data they collect and how it’s used (source: CA Attorney General).

Who Does the CCPA Apply To?

The CCPA applies to businesses that meet certain criteria regarding their annual revenue, data collection practices, and operations within California. Here’s a table summarizing the key requirements:

| Criteria | Description |
| --- | --- |
| Gross Revenue | Exceeds $25 million annually. |
| Data Collection | Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices annually. |
| Derives Revenue from Selling Data | Obtains 50% or more of its annual revenue from selling California residents’ personal information. |

Exemptions

The CCPA exempts certain entities and types of information, including:

Entities:

  • Non-profit organizations (that are not business associations)
  • Government agencies

Types of Information:

  • Personal information collected in connection with employment benefits
  • Publicly available information from government records
  • Financial information regulated by other laws (e.g., Fair Credit Reporting Act)
  • Health information protected by HIPAA

While the CCPA doesn’t apply to these entities and types of information, consumers may have other privacy rights under different laws.

Consumer Rights Under the CCPA

The CCPA empowers California residents with a range of rights regarding their personal information, including the following:

Right to Know

The Right to Know allows you to request and receive information about the following:

  • The categories and specific pieces of personal information a business has collected about you in the past 12 months.
  • The sources from which the information was collected.
  • The purposes for which the information is used and disclosed.
  • The third-party businesses with whom your information has been shared.

Right to Delete

The Right to Delete grants you the power to request a business to delete your personal information, subject to certain exceptions. These exceptions typically involve information necessary for:

  • Completing transactions with you.
  • Providing customer service.
  • Complying with legal obligations.
  • Using the information for internal purposes that are reasonably aligned with your expectations, such as security or fraud prevention.

Right to Opt-Out

The Right to Opt-Out allows you to prevent the sale of your personal information by businesses. Note that “sale” under the CCPA is broadly defined and may include situations where data is exchanged for valuable consideration, even if no money is involved.

Right to Non-Discrimination

The CCPA prohibits businesses from discriminating against you for exercising your CCPA rights. This means they cannot deny service, charge different prices, or provide a different level of service because you requested to know, delete, or opt out of the sale of your personal information.

Right to Correct Inaccurate Information

The Right to Correct Inaccurate Information allows you to request that a business fix any inaccurate personal information about you in their records. Businesses are obligated to use commercially reasonable methods to verify your request and make the correction.

Right to Access

The Right to Access allows you to obtain a copy of the specific pieces of personal information a business has collected about you. You can request details about the categories of information collected, the specific data pieces, sources, purposes for collection, and third-party sharing. To make a request, follow the business’s specified process, usually available on their website. Verification of your identity will usually be required to ensure privacy, typically involving matching personal details with their records.

Generally, businesses must respond to your request within 45 days, with a possible extension of an additional 45 days if needed. The information provided must be in a usable format, often electronically. While businesses cannot charge a fee for standard requests, they may charge for those deemed manifestly unfounded or excessive.

How to Exercise Your CCPA Rights

The CCPA empowers you, but knowing how to exercise your rights is crucial. Here’s a breakdown of the steps you can take:

Submitting CCPA Requests

  1. Identify the Business: Determine the business whose data practices you wish to address.
  2. Review the Business’ CCPA Procedures: Most businesses are required to have a designated web page outlining their CCPA compliance procedures, including how to submit requests. Look for links titled “Do Not Sell My Personal Information” or “Your California Privacy Choices.”
  3. Submit Your Request: Businesses must provide various methods for submitting CCPA requests, such as an online form, email address, or toll-free number. Utilize the method designated by the business.
  4. Verification: Businesses may request verification of your identity to ensure you are the authorized person making the request. This typically involves providing information that can be matched with their existing data about you.
  5. Response Timeline: Businesses generally have 45 days to respond to your CCPA request.

Sample Templates and Resources

Several resources offer sample CCPA request templates to help you craft clear and concise requests. Here are a few reputable sources:

Documenting Interactions

It’s important to maintain a record of your interactions with businesses regarding CCPA requests, which can be helpful if you encounter any issues or need to file a complaint. This includes:

  • Keeping copies of your requests.
  • Noting the date and time of your request submission.
  • Recording any communication with the business about your request.

Legal Recourse for CCPA Violations

The CCPA is enforced by two primary agencies in California:

  • California Attorney General (DOJ): The DOJ has played a key role in enforcing the CCPA since its implementation in 2020. They can investigate potential violations, issue fines, and pursue civil lawsuits against businesses found to be non-compliant.
  • California Privacy Protection Agency (CPPA): Established in 2020 and operational since 2023, the CPPA is a new state agency responsible for overseeing and enforcing the CCPA and its amendments, including the California Privacy Rights Act (CPRA).

Private Right of Action

In certain circumstances, California residents may have the right to sue businesses for specific violations of the CCPA. This “private right of action” applies to data breaches affecting a California resident’s personal information, as defined by the CCPA. However, before filing a lawsuit, consumers must follow specific steps mandated by the CA DOJ’s Office of the Attorney General:

  1. Provide the Business with a 30-Day Notice: This notice should detail the specific violation of your CCPA rights and provide the business with an opportunity to cure the violation.
  2. Wait for the Business’ Response: Businesses have 30 days to respond to your notice and take steps to address the violation.

If, after following these steps, the business fails to cure the violation, then you may be eligible to file a lawsuit.

Enforcement Actions

There have been numerous enforcement actions against businesses for CCPA violations. These actions have resulted in settlements and fines, sending a strong message about the importance of CCPA compliance. Some examples include:

  • A settlement with Sephora for failing to disclose the sale of personal information and for not processing user requests to opt out of such sales through global privacy controls.
  • A settlement with Tilting Point Media for collecting and sharing children’s data without obtaining parental consent, in violation of the CCPA and the Children’s Online Privacy Protection Act (COPPA).

These are just a few examples, and you can find more information about CCPA enforcement actions at https://oag.ca.gov/privacy/ccpa/enforcement.

Enforcing Your CCPA Rights: When to Hire a Consumer Protection Attorney

The CCPA empowers California residents, but understanding its provisions and enforcing your rights can be challenging. A consumer protection attorney with expertise in CCPA can provide valuable legal services and support specifically for consumers.

Types of Legal Services for Consumers

Consumer protection attorneys can offer a variety of legal services related to the CCPA, tailored to consumers’ needs, including:

  • Consultations: An initial consultation allows you to discuss your specific CCPA concerns with an attorney. They can assess the situation, advise you of your rights as a consumer, and explore potential legal options.
  • Representation: If you choose to pursue legal action against a business for alleged CCPA violations, an attorney can represent you throughout the process. This may involve drafting legal documents, negotiating with the business on your behalf, and potentially filing a lawsuit.

Benefits of Legal Representation for Consumers

An experienced attorney can be a valuable asset in several ways for consumers:

  • Understanding the CCPA: The CCPA can be complex, and an attorney can help you understand your rights and obligations under the law as a consumer. They can interpret legal jargon and explain the nuances of different provisions in a way that’s easy to understand.
  • Crafting Effective CCPA Requests: Attorneys can assist you in drafting clear and well-supported requests to exercise your CCPA rights, such as requests to know, delete, or opt out of the sale of your personal information.
  • Maximizing the Chances of Success: An attorney can guide you through the CCPA enforcement process and increase your chances of a successful outcome. They can help ensure you meet all legal requirements and deadlines as a consumer.
  • Negotiating with Businesses: Businesses may not always readily comply with CCPA requests. An attorney can negotiate with the business on your behalf and advocate for your rights as a consumer.
  • Litigation Expertise: If necessary, an attorney can represent you in court if you choose to sue a business for CCPA violations. They can handle the complexities of litigation and fight for the compensation you deserve as a consumer.

Situations When an Attorney is Especially Beneficial for Consumers

While you can navigate some CCPA issues independently, here are some situations where seeking legal help from a consumer protection attorney might be particularly beneficial:

  • Complex CCPA Violations: If you believe a business has violated your CCPA rights in a complex way, an attorney can help you understand the specific nature of the violation and determine the best course of action as a consumer.
  • Denial of CCPA Requests: If a business denies your CCPA request to know, delete, or opt out, an attorney can advise you on your legal options as a consumer and help you challenge the denial.
  • Data Breach Concerns: If you believe your personal information has been compromised in a data breach, an attorney can advise you on your rights and potential legal claims as a consumer.

California Privacy Rights Act (CPRA)

Introduction and Relationship to CCPA

The California Privacy Rights Act (CPRA) is an expansion of the California Consumer Privacy Act (CCPA). Passed in 2020, the CPRA builds upon the rights established by the CCPA and introduces new protections for California residents. The CPRA aims to enhance consumer privacy by tightening regulations on how businesses handle personal information and giving consumers greater control over their data.

Key Consumer Rights Enhancements under CPRA

The CPRA introduced several important rights for consumers:

  • Right to Correct Inaccurate Information: Consumers can request businesses to correct any inaccurate personal information they hold.
  • Right to Limit Use of Sensitive Personal Information: Consumers have the right to restrict the use of their sensitive personal information, such as racial or ethnic origin, health data, and precise geolocation.
  • Expanded Right to Know: The CPRA enhances the Right to Know by allowing consumers to request information beyond just the past 12 months. Consumers can now inquire about any personal information collected starting January 1, 2022.
  • Right to Opt-Out of Sharing Personal Information: In addition to the existing right to opt out of the sale of personal information, the CPRA allows consumers to opt out of the sharing of their personal information for cross-context behavioral advertising.
  • Right to Access Information about Automated Decision-Making: Consumers can request access to information about the logic involved in automated decision-making processes and the potential outcomes.
  • Greater Protections for Children’s Data: The CPRA introduced increased penalties for violations involving children’s data.

Increased Obligations on Businesses under CPRA

The CPRA imposes several new requirements on businesses:

  • Data Minimization and Retention: Businesses must limit the collection of personal information to what is necessary for the disclosed purposes and must establish and disclose retention periods for each category of personal information.
  • Creation of the California Privacy Protection Agency (CPPA): The CPRA establishes the CPPA, a new agency responsible for enforcing privacy laws and protecting consumer rights.
  • Enhanced Data Breach Liability: The CPRA increases the penalties for data breaches involving sensitive personal information. Businesses are now held to higher standards to ensure data security and can face significant fines for non-compliance.
  • Contractual Requirements with Third Parties: Businesses must ensure that any third parties, service providers, or contractors with whom they share personal information are contractually obligated to provide the same level of privacy protection required under the CPRA.

Comparisons: CCPA vs. GDPR

For those familiar with the General Data Protection Regulation (GDPR) in Europe, here are some key differences and similarities:

  • Scope and Coverage: Both the CCPA/CPRA and GDPR aim to protect personal information, but the GDPR applies to all individuals within the European Union, whereas the CCPA/CPRA specifically targets California residents.
  • Consumer Rights: The rights granted under the CPRA and GDPR are similar, including the right to access, correct, delete, and restrict the use of personal information. However, the GDPR includes additional rights, such as the right to data portability and the right to object to data processing.
  • Data Protection Authorities: The GDPR established Data Protection Authorities (DPAs) in each EU member state to oversee compliance, while the CPRA establishes the CPPA to perform a similar role in California.
  • Penalties and Enforcement: The GDPR imposes higher fines for non-compliance, with penalties reaching up to 4% of a company’s global annual revenue. The CPRA also introduces significant fines but typically focuses on penalties specific to data breaches and violations of California’s privacy laws.

Final Thoughts

The CCPA and CPRA transform data privacy in California. These laws give consumers more control over their personal information and require businesses to adopt stricter data protection practices. Exercising these rights helps safeguard privacy in an increasingly digital world.

For businesses, compliance builds consumer trust. Transparent data practices and strong security measures enhance reputation and foster loyalty. The California Privacy Protection Agency (CPPA) ensures active monitoring and enforcement of these rights.

Looking ahead, the CCPA and CPRA set a precedent for other states, reflecting the growing importance of protecting personal information in a connected world.

Resources:

https://oag.ca.gov/privacy/ccpa
https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
https://oag.ca.gov/privacy/ccpa/enforcement
https://thecpra.org/
https://cppa.ca.gov/

June 10, 2024