California Consumer Privacy Act (CCPA) Overview

California residents have more control over personal data that businesses collect through the California Consumer Privacy Act (CCPA). CCPA is only applicable to for-profit companies that conduct business in California, regardless of where you are headquartered.

  • A gross annual revenue exceeding $25 million
  • Purchase, receive, and sell personal information from 50,000 California residents, households, and devices.
  • California residents’ personal data can be used to generate 50% or more of the company’s annual revenue.

It does not apply to government agencies or non-profit businesses.

What personal information is required under CCPA?

Personal information refers to any information that can be used to identify, relate to, or could reasonably be linked to you or your household. Some common examples include:

– A Name

– Social Security Number

– Email Address

– Products purchased

– Internet Browsing History

– Geolocation Data

– Fingerprints

What information is not personal under the CCPA?

Public information does not include personal information. This includes information from the federal, state, or local governments. It also includes professional licenses, public real estate/property and other records.

CCPA Consumer Rights

California residents have a variety of rights under the CCPA that allow them to better control how businesses use their personal data.

Right to Opt Out of Sale

California residents have the right of objection to their personal data being sold. Businesses cannot sell your personal data again unless you have made an opt-out request. Businesses must also wait for the request to be withdrawn within 12 months. Some of the

  • If the sale is required for the business’ compliance with legal obligations, to exercise or defend legal rights

  • Personal information that is not exempted from the CCPA may include medical information, consumer credit report information or other types of information.

These requests must be responded to within 15 days. However, acknowledgement is not required at this time.

Get right now

California residents have the right of access to detailed information about the personal data that was collected, used, shared, or sold by a company. They can also request information about the reasons for which that information was collected.

  • The types of personal data collected
  • Certain pieces of personal data are collected
  • What sources does the business use to collect personal information?
  • What purposes does the company use personal information?
  • The types of third parties with which the business shares personal information
  • What categories of information the business discloses to third parties?

This must be provided by businesses for the twelve months preceding the request. It is free of charge. The CCPA requires that businesses acknowledge receipt of the request within 10 days and give information to the requester about how it will be handled. After that, you have 35 days to provide the requested information (totalling 45 days after receiving the request). If the requester is notified and informed, businesses can extend the time by up to 90 days. Residents must have at least two options for filling out this request: email or phone.

Exceptions include:

The business is unable to verify your request. 

The request is unfounded or excessive or the business already has personal information about you more than once in a 12-month span

While businesses cannot divulge sensitive information such as your social security number or financial account number, they must inform you if they are collecting this type of information.

The disclosure would limit the ability of the business to comply with legal obligations, exercise or defend legal rights, and/or meet legal obligations. Personal information that is not exempted from the CCPA may include medical information, consumer credit report information or other types of information. 

The business you contact will not be able fill your request if they are a service provider for the business that collected the information.

Consumer requests are not the responsibility of service providers. In that case, you will need to contact the company that employed the service provider to make your request. Sometimes, the service provider may not be able to give you that information. In these cases, you will need to look for other ways to identify that business. Without the right resources, this can be difficult or nearly impossible.

Notification

The CCPA requires businesses to give notice to consumers before collecting their personal information.

Right to Delete

You have the right of requesting that companies delete personal information they have collected from you and that their service providers comply with your request.

Non-discrimination

For exercising their CCPA rights, consumers have the right to not be discriminated against.

Data Brokers

CCPA also covers data brokers, which is a business that sells personal information. Data brokers can collect information from consumers from many sources. These include websites and public records. The CCPA holds them responsible to some degree. The CCPA doesn’t consider personal information that is obtained from public records. This is a common source for data brokers. However, information that they get from other sources will be included in the CCPA’s definition. You can also exercise your right to have your data deleted. California’s data broker law requires that they register on the website of the Attorney General for data brokers.

What should I do if a company violates my CCPA rights

Unless there is a data breach or your information has been leaked, you can’t sue a company directly for violating CCPA. The business must have allowed your information to be exposed in an unencrypted form and not redacted because it failed to follow reasonable security practices and procedures to protect it. You can sue the business for the monetary damages you sustained or statutory damages up to $750 each incident.

In any other case, only the Attorney General may file an action against a company for violating CCPA. California’s attorney general does not represent individuals, but they can use consumer complaints and other information in order to identify patterns/history and take action for all Californians. You can file a complaint against a business if you believe they have violated CCPA. The Office will assist them in building their case and ultimately take action. However, the Office cannot either represent you or provide legal advice about how to resolve your individual complaint.

Summary

The CCPA privacy regulation is designed to give California residents more control of their personal data. It applies to California-based for-profit businesses and requires that they comply with its requirements.

  • Give people the opportunity to opt-out of the sale of personal information
  • Companies must provide information to consumers about the data they have collected on them, if requested by the consumer
  • Businesses must inform consumers about the information being collected and why before they collect it.
  • Give consumers the ability to request that their personal data be deleted.
    Businesses should have at least two channels for consumers to submit their requests. They should also respond promptly to requests (usually within 45-days) and not discriminate towards consumers when exercising any of these rights. This regulation can be found at the CCPA Website .