CCPA Cheat Sheet
[Updated 06/03/2020]
In my last blog post I drilled down on the individual privacy rights that the California Consumer Privacy Act (CCPA) gives consumers, so for this blog I will provide a "CCPA Cheat Sheet" that not only recaps these rights, but also the scope, obligations and enforcement provisions found in the CCPA. This is very much akin to the "GDPR Cheat Sheet" I created in a prior blog post. In subsequent blogs I will put these together and give a summary of the similarities and differences between the two.
Category | Topic | CCPA Provision

1 | Scope | Effective Date
January 1, 2020, with two caveats:
(1) enforcement actions by the California Attorney General (AG) do not begin until July 1, 2020; and
(2) personal data of job applicants, employees and contractors collected by a business is not in scope until January 1, 2021.

2 | Scope | Who is Regulated?
A for-profit "Business" that "collects consumers' personal information" and meets any of the following thresholds:
(1) gross revenue greater than $25 million; OR
(2) buys, sells or shares the personal information of over 50,000 consumers, households or devices; OR
(3) derives 50% or more of its revenue from selling consumer personal information.
Also covers any entity that controls or is controlled by a business and "shares common branding" with the business. [§ 1798.140(c)]

3 | Scope | Who is Protected?
A "Consumer" is a natural person who is a California resident. [§ 1798.140(g)] Resident is defined per Cal. Rev. Code § 17014 as:
(1) Every individual who is in this state for other than a temporary or transitory purpose.
(2) Every individual domiciled in this state who is outside the state for a temporary or transitory purpose.

4 | Scope | Do Children Get Special Protection?
Yes, "a business shall not sell the personal information" of children aged 13 to 16 unless the child directly "opts in" to the sale. For children under 13, a business requires parental consent before selling the child's personal data. [§ 1798.120(c)-(d)]
Note that "the law is intended to supplement federal and state law," so existing federal privacy laws regarding children (e.g. COPPA) still apply. [§ 1798.196]

5 | Scope | Covers Employees?
No, not until January 1, 2021. [§ 1798.145(h)] Specifically, "the title shall not apply to … personal information that is collected by a business about a natural person in the course of the natural person acting as … an employee" and "this subdivision shall become inoperative on January 1, 2021."

6 | Scope | What Information is Protected?
"Personal information" (PI) means "information that identifies, relates to, describes, is reasonably capable of being associated with ..." a particular consumer or household. The statute then lists specific examples such as:
(1) Identifiers such as a real name, alias, postal address, unique personal identifier (which can include a device), IP address, email address, account name, social security number, driver's license number, and passport number;
(2) Commercial information, including records of personal property, products or services purchased, or other purchasing or consuming histories or tendencies;
(3) Biometrics;
(4) Internet or other network activity information (e.g. browsing history);
(5) Geolocation data;
(6) Audio, electronic, visual, thermal, olfactory, or similar information;
(7) Professional or employment-related information;
(8) Education information as defined in FERPA; and
(9) Inferences drawn from any of the information above.
It does not include publicly available information or information that is deidentified. Nor does it apply to data already covered by federal privacy laws such as HIPAA, GLBA and FCRA. [§§ 1798.140(o) and 1798.145(c)-(f)]

7 | Scope | Additional Restrictions on Sensitive Data?
N/A

8 | Scope | Exemptions?
There are several exemptions, both for businesses and for types of personal data collected.
For businesses:
(1) Businesses that are non-profits, small businesses under $25m in revenue, or businesses that don't collect the requisite amount of personal data (per "Who is Regulated?" above) [§ 1798.140(c)]
(2) Businesses are not restricted from complying with a civil, criminal or regulatory inquiry, or with a subpoena or summons issued by a government authority [§ 1798.145(a)]
For types of personal data:
(1) Personal data subject to sector-specific federal or state privacy laws such as GLBA, HIPAA and California's Confidentiality of Medical Information Act (CMIA) [§ 1798.145(c)-(f)]
(2) Personal data involving ownership of motor vehicles (e.g. information collected for recalls) [§ 1798.145(g)]
(3) Personal data involving job applicants, employees, contractors and owners/directors of businesses, until January 1, 2021 [§ 1798.145(h)]
(4) Personal data that is deidentified or aggregate data [§ 1798.145(a)]
(5) Personal data collected as part of a clinical trial [§ 1798.145(c)]
(6) Personal data collected outside of California involving non-California residents [§ 1798.145(a)]

9 | Scope | Lawful Bases to Process Personal Data?
No. In general the First Amendment to the US Constitution lets a business collect the data it wants to (see Sorrell v. IMS Health Inc.). But the CCPA requires a business to disclose the categories of personal information it collects and the purposes for which it collects them (see Right to be Informed below), so as long as the consumer is informed and does not opt out (or opts in, in the case of minors), the business can collect. Note, however, that Section 5(a) of the FTC Act provides that "unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful." 15 U.S.C. Sec. 45(a)(1).

10 | Scope | Law is Protected from Watering Down?
N/A

11 | Individual Rights | Right to be Informed (aka Right to Know or Right to be Notified)
"A business that collects a consumer's personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section." [§ 1798.100(b)] Furthermore, businesses must also inform consumers what rights they have with respect to their personal data; e.g. consumers need to be told that they also have the right to request deletion of their personal data. [§ 1798.105(b)]

12 | Individual Rights | Right to Access
"A consumer shall have the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected." [§ 1798.100(a)] This includes any third parties with which the business has shared the personal data, and the business must provide that information once it has verified the consumer's request. [§ 1798.100(c)] Furthermore, a business shall "promptly take steps to disclose and deliver, free of charge to the consumer, the personal information." But "a business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period." [§ 1798.100(d)]

13 | Individual Rights | Right to Correct (aka Right to Rectification)
N/A

14 | Individual Rights | Right to Delete (aka Right to Erasure or Right to be Forgotten)
"A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer." [§ 1798.105(a)] The business must also direct any service providers it uses to delete the consumer's personal information from their records. [§ 1798.105(c)] There are 9 exceptions in [§ 1798.105(d)], including performing the contractual obligations that exist between business and consumer, security purposes, debugging, the exercise of free speech, and engaging in research in the public interest.

15 | Individual Rights | Right to Restrict Processing
N/A, with the exception of the right to opt out of the sale of personal information (see below).

16 | Individual Rights | Right to Data Portability
Once a consumer requests access to their personal data from a business, and that request is verified, the "information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit the information to another entity without hindrance." [§ 1798.100(d)]

17 | Individual Rights | Right to Object to Processing
N/A, with the exception of the right to opt out of the sale of personal information (see below).

18 | Individual Rights | Right to "Opt Out" of Sale and Sharing of Personal Information (aka Right to Say No)
"A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information. This right may be referred to as the right to opt-out." [§ 1798.120(a)]

19 | Individual Rights | Right to Limit Use of Sensitive Personal Information (including Precise Geolocation)
N/A

20 | Individual Rights | Right to Reject Automated Decision Making and Profiling
N/A

21 | Individual Rights | Right of No Retaliation (aka Right to not be Discriminated Against)
The CCPA states that a consumer who requests access or exercises any of their other individual rights can't be discriminated against for doing so. Examples include (quoted directly from [§ 1798.125(a)]):
(1) Denying goods or services to the consumer.
(2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(3) Providing a different level or quality of goods or services to the consumer.
(4) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

22 | Obligations | Privacy Policy Disclosure
A business that collects a consumer's personal information shall "disclose to that consumer the categories and specific pieces of personal information the business has collected." This needs to be done "at or before the point of collection." [§§ 1798.100(a)-(b)] A business must also disclose the consumer's rights, e.g. "the consumer's rights to request the deletion of the consumer's personal information." [§ 1798.105(a)] Privacy policies must be updated "at least once every 12 months." [§ 1798.130(a)]

23 | Obligations | Data Protection by Design and Default
N/A, with the exception that a business must identify which data is personal when designing its systems and apps so that it can provide proper notification.

24 | Obligations | Written Contracts with Processors / Service Providers / Contractors / Third Parties
A written contract with a service provider is implied by the definition of "service provider": an entity that "processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business." [§ 1798.140(v)]

25 | Obligations | Maintain Records of Processing Activities
Not really. The proposed CCPA regulations, as drafted as of March 2020, do assume there will be some documentation of consumer requests regarding their personal information.

26 | Obligations | Respond to Rights Requests
A business must respond to a "verifiable consumer request." [§ 1798.140(y)] The proposed CCPA regulations document how these requests should be logged. Furthermore, a business must "disclose and deliver the required information to a consumer free of charge within 45 days" and can extend the 45 days once. [§ 1798.130(a)] This information must be provided "free of charge to the consumer," but a business "shall not be required to provide personal information to a consumer more than twice in a 12-month period." [§ 1798.100(c)] Businesses must also respond to other rights requests (e.g. deletion, do not sell, etc.) with no such limitation. [§§ 1798.105(c), 1798.120(d)]

27 | Obligations | New Homepage Links Required (e.g. do not sell/share personal information, limit use of sensitive personal information)
A business must "provide a clear and conspicuous link on the business's Internet homepage, titled 'Do Not Sell My Personal Information,' to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer's personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer's personal information." [§ 1798.135(a)]

28 | Obligations | Implement Appropriate Security Measures
Not a direct obligation found in the CCPA, but the private right of action section [§ 1798.150(a)] states that "any consumer whose nonencrypted and nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action." Furthermore, existing California law states that "a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." [§ 1798.81.5]

29 | Obligations | Security Breach Notification
N/A, but California has an existing (and separate) data breach notification law, § 1798.82.

30 | Obligations | Data Protection Impact Analysis
N/A

31 | Obligations | Data Protection Officers
N/A

32 | Obligations | Adhere to the Rules of Cross-Border Data Transfers
N/A

33 | Enforcement | Dedicated Supervisory Authority
The CCPA did not create a dedicated agency to enforce it. The California Attorney General (AG) is tasked with adopting regulations under the CCPA based on public participation. [§ 1798.185] "Any business or third party may seek the opinion of the AG for guidance on how to comply with the provisions of this title." [§ 1798.185] The AG can issue civil fines (see below). Any proceeds from civil actions go into the Consumer Privacy Fund. This Fund is "created within the General Fund in the State Treasury, and is available upon appropriation by the Legislature to offset any costs incurred by the state courts in connection with actions brought to enforce this title and any costs incurred by the Attorney General in carrying out the Attorney General's duties." [§ 1798.160] The AG "shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner." [§ 1798.185]

34 | Enforcement | Penalties (Civil Fines)
"A business shall be in violation ... if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General." [§ 1798.155(b)]

35 | Enforcement | Penalties (Private Rights of Action)
The CCPA gives a consumer a private right of action only in the narrow context where their "nonencrypted and nonredacted personal information" was "subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices." Damages may be "not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater." [§ 1798.150(a)] There is no other private right of action beyond a breach occurring (e.g. no private right of action if a business fails to delete a consumer's information upon request). Furthermore, "personal information" here uses the narrower definition found in [§ 1798.81.5]. Note that "actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days' written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business." [§ 1798.150(b)]
Here are some other executive summaries of the CCPA from law firms that compare the CCPA to the GDPR, which you may also find helpful: