The California Consumer Privacy Act (CCPA) is a California state law that regulates how businesses, wherever they are located, may handle the personal information (PI) of California residents ("Consumers"). It gives consumers more control over the personal information that businesses collect about them.
The CCPA was signed into law in June 2018, creating new privacy rights for Californians and significant new data protection obligations for businesses. It went into effect Jan. 1, 2020, with enforcement beginning July 1, 2020. California's Office of the Attorney General has enforcement authority.
The CPRA, a ballot initiative (Proposition 24) that amends the CCPA and adds further privacy protections for consumers, passed in Nov. 2020. Most of the CPRA's provisions enter into force Jan. 1, 2023, with a look-back to personal information collected on or after Jan. 1, 2022. The CPRA also created the California Privacy Protection Agency (CPPA), which shares enforcement authority with the Attorney General.
Who does it apply to?
The CCPA applies to for-profit businesses that collect and control California residents' ("Consumers") PI, do business in the state of California, and meet at least one of the conditions below:
- Buys, sells or shares the personal information of 50,000 or more consumers, households or devices annually (the CPRA raises this threshold to 100,000 consumers or households and drops devices)
- Has annual gross revenue greater than $25 million
- Derives 50% or more of its annual revenue from selling (or, under the CPRA, sharing) consumers' personal information
CCPA Specific Definitions
- Consumer – Any natural person who is a California resident.
- Processing – Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means.
- Collector – Not a statutory term; the CCPA defines the verb "collect". A "collector" is an entity that buys, rents, gathers, obtains, receives, or accesses any personal information pertaining to a California resident by any means.
- Seller – Not a statutory term; the CCPA defines "sell". A "seller" is an entity that sells, rents, releases, discloses, disseminates, makes available, transfers, or otherwise communicates orally, in writing, or by electronic or other means, a consumer's personal information to another business or a third party for monetary or other valuable consideration.
Not every "collector" is a "seller", but a seller is almost always also a collector.
- Service Provider – A for-profit entity that processes personal information on behalf of a CCPA-covered business under a written contract. Note – the CCPA distinguishes between third parties and service providers.
- Third Party – An organization is a "third party" unless:
  - it is the "business" that collects PI from consumers, or
  - it enters into a contract with a "business" that requires the organization to follow "service provider"-type restrictions.
Consumer Rights
Right to Know/Access – Right to obtain the specific pieces of personal information the business has collected about the consumer, together with the categories listed below (up to twice in any 12-month period, free of charge).
Right to Deletion – Right to require the business to delete any personal information it has collected from the consumer, subject to certain exceptions. The CPRA additionally requires the business to pass the deletion request on to its service providers, contractors and the third parties to which it sold or shared the information, so that they delete it as well.
Right to Opt-out and Opt-in – Right to opt out of (i.e. stop) the sale of personal information to third parties, and a mandatory opt-in before a business may sell the personal information of consumers under 16 years of age. Opt-out requests can be submitted through a "Do Not Sell My Personal Information" link on the homepage of the organization's website (under the CPRA, "Do Not Sell or Share My Personal Information").
Right to Opt-in: The CPRA extends this right so that sharing, as well as selling, a minor's personal information requires affirmative authorization ("opt-in"). An organization may not sell or share the personal information of a consumer under 16 years old unless it has received opt-in consent: from the consumer if they are 13 to 15, or from a parent or guardian if they are under 13.
Right to Opt-out: The CPRA extends this right to cover the sharing of personal information with third parties, not just its sale. The CPRA also directs the adoption of regulations giving consumers access and opt-out rights with respect to a business's use of automated decision-making technology, including profiling.
Right to Non-discrimination (also called "Right to Equal Services") – Right to receive equal service and pricing from a business even after exercising these privacy rights.
Right to Disclosure – Right to require a business that sells personal information to disclose specific aspects of its data practices. The CPRA adds sharing of personal information as a further trigger for the disclosures the CCPA requires in response to a verifiable consumer request.
Exceptions to the opt-out right –
- If a sale is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims
- If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA
Right to Rectification (added by the CPRA) – A consumer has the right to require an organization that maintains inaccurate personal information about them to correct it, taking into account the nature of the information and the purposes of its processing.
Right to Limit Use and Disclosure of Sensitive Personal Information (added by the CPRA) – Consumers have the right to restrict a business's use and disclosure of their sensitive personal information to what is necessary to provide the requested goods or services. The business must provide a clear and conspicuous "Limit the Use of My Sensitive Personal Information" link on its homepage; the CPRA permits a single link that serves both this request and the opt-out of sale or sharing. SPI is a subset of personal information newly defined in the CPRA. It includes personal information that reveals a consumer's social security, driver's license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to the account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of mail, email, and text messages (unless the business is the intended recipient); genetic data; biometric data processed to uniquely identify the consumer; and information about health, sex life, or sexual orientation.
Under the "Right to Know/Access", a consumer may request that a business disclose the following:
- The categories of personal information collected
- Specific pieces of personal information collected
- The categories of sources from which the business collected personal information
- The purposes for which the business uses the personal information
- The categories of third parties with whom the business shares the personal information
- The categories of information that the business sells or discloses to third parties
Additionally, the CCPA gives consumers a private right of action with statutory damages ($100 to $750 per consumer per incident, or actual damages if greater) if certain unencrypted and unredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. This is the CCPA provision with the most direct bearing on a security program: the private right of action reaches only nonencrypted and nonredacted data elements, so encrypting or redacting the covered data elements, and being able to demonstrate reasonable security controls, limits this exposure.
How can Socium Security help?
Socium Security can help companies design security programs that meet the CCPA's requirements and provides virtual DPO services to manage the ongoing operational aspects of compliance.