CCPA Cheat Sheet

[Updated 06/03/2020]

In my last blog post I drilled down on the individual privacy rights that the California Consumer Privacy Act (CCPA) gives consumers, so in this post I will provide a “CCPA Cheat Sheet” that not only recaps those rights but also covers the scope, obligations and enforcement provisions found in the CCPA. This is very much akin to the “GDPR Cheat Sheet” I created in a prior blog post. In subsequent posts I will put the two together and summarize the similarities and differences between them.

Category | Topic | CCPA Provision

1. Scope | Effective Date
January 1, 2020, with two caveats:
(1) enforcement actions by the California Attorney General (AG) do not begin until July 1, 2020; and
(2) collection of the personal information of a job applicant, employee or contractor by a business is not in scope until January 1, 2021.

2. Scope | Who is Regulated?
A for-profit “Business” that “collects consumers’ personal information” and meets any one of the following thresholds:
(1) annual gross revenue greater than $25 million; OR
(2) annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; OR
(3) derives 50% or more of its annual revenue from selling consumers’ personal information.

Also covers any entity that controls or is controlled by such a business and “shares common branding” with it. [§ 1798.140(c)]

3. Scope | Who is Protected?
A “Consumer” is a natural person who is a California resident. [§ 1798.140(g)] “Resident” is defined by reference to Cal. Code Regs., tit. 18, § 17014 as:
(1) every individual who is in this state for other than a temporary or transitory purpose; and
(2) every individual domiciled in this state who is outside the state for a temporary or transitory purpose.

4. Scope | Do Children Get Special Protection?
Yes. A business “shall not sell the personal information” of a consumer it has actual knowledge is under 16 unless the consumer (if at least 13 and under 16) affirmatively “opts in” to the sale; for consumers under 13, the parent or guardian must authorize the sale. [§ 1798.120(c)-(d)]

Note that the title “is intended to supplement federal and state law,” so existing federal privacy laws covering children (e.g. COPPA) still apply. [§ 1798.196]

5. Scope | Covers Employees?
No, not until January 1, 2021. [§ 1798.145(h)] Specifically, “this title shall not apply to … personal information that is collected by a business about a natural person in the course of the natural person acting as … an employee,” and “this subdivision shall become inoperative on January 1, 2021.”

6. Scope | What Information is Protected?
“Personal information” (PI) means “information that identifies, relates to, describes, is reasonably capable of being associated with …” a particular consumer or household. The statute then lists specific examples such as:
(1) Identifiers such as a real name, alias, postal address, unique personal identifier (which can include a device identifier), IP address, email address, account name, social security number, driver’s license number, and passport number;
(2) Commercial information, including records of personal property, products or services purchased, or other purchasing or consuming histories or tendencies;
(3) Biometric information;
(4) Internet or other electronic network activity information (e.g. browsing history);
(5) Geolocation data;
(6) Audio, electronic, visual, thermal, olfactory, or similar information;
(7) Professional or employment-related information;
(8) Education information as defined in FERPA; and
(9) Inferences drawn from any of the information above.

It does not include publicly available information or information that is deidentified. Nor does the title apply to data already covered by federal privacy laws such as HIPAA, GLBA, FCRA and the DPPA. [§§ 1798.140(o) and 1798.145(c)-(f)]

7. Scope | Additional Restrictions on Sensitive Data?
N/A

8. Scope | Exemptions?
There are several exemptions, both for businesses and for types of personal data collected.
For businesses:
(1) Non-profits, and for-profit businesses that meet none of the three thresholds (revenue, volume of personal information, share of revenue from selling personal information) listed under “Who is Regulated?” above. [§ 1798.140(c)]
(2) A business is not restricted from complying with federal, state or local law, or with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by a government authority. [§ 1798.145(a)]
For types of personal data:
(1) Personal data subject to sector-specific federal and/or state privacy laws such as GLBA, HIPAA and California’s Confidentiality of Medical Information Act (CMIA). [§ 1798.145(c)-(f)]
(2) Personal data involving ownership of motor vehicles (e.g. information collected for recalls). [§ 1798.145(g)]
(3) Personal data of job applicants, employees, contractors and owners/directors of businesses, until January 1, 2021. [§ 1798.145(h)]
(4) Deidentified or aggregate consumer information. [§ 1798.145(a)]
(5) Personal data collected as part of a clinical trial. [§ 1798.145(c)]
(6) Personal data collected outside of California about non-California residents. [§ 1798.145(a)]

9. Scope | Lawful Bases to Process Personal Data?
No. In general the First Amendment to the US Constitution lets a business collect the data it wants to (see Sorrell v. IMS Health Inc.). The CCPA instead requires that a business disclose the categories of personal information it collects and the purposes for which it collects them (see Right to be Informed below), so as long as the consumer is informed and does not opt out (or opts in, in the case of minors), the business can collect. Note, however, that Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” [15 U.S.C. § 45(a)(1)]

10. Scope | Law is Protected from Watering Down?
N/A

11. Individual Rights | Right to be Informed (aka Right to Know or Right to be Notified)
“A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.” [§ 1798.100(b)] Furthermore, a business must also inform consumers of the rights they have over their personal data, e.g. consumers must be told that they have the right to request deletion of their personal information. [§ 1798.105(b)]

12. Individual Rights | Right to Access
“A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.” [§ 1798.100(a)] A consumer may also request the categories of third parties with whom the business shares personal information. [§ 1798.110(a)] The business must provide the information once it has verified the consumer’s request. [§ 1798.100(c)] Furthermore, a business shall “promptly take steps to disclose and deliver, free of charge to the consumer, the personal information,” but “a business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.” [§ 1798.100(d)]

13. Individual Rights | Right to Correct (aka Right to Rectification)
N/A

14. Individual Rights | Right to Delete (aka Right to Erasure or Right to be Forgotten)
“A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” [§ 1798.105(a)] The business must also direct any service providers it uses to delete the consumer’s personal information from their records. [§ 1798.105(c)] There are nine exceptions in § 1798.105(d), including completing the transaction or performing the contract between business and consumer, detecting security incidents, debugging, exercising free speech, and engaging in research in the public interest.

15. Individual Rights | Right to Restrict Processing
N/A, with the exception of the right to opt out of the sale of personal information (see below).

16. Individual Rights | Right to Data Portability
Once a consumer’s request for access to their personal data has been verified, the “information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit the information to another entity without hindrance.” [§ 1798.100(d)]

17. Individual Rights | Right to Object to Processing
N/A, with the exception of the right to opt out of the sale of personal information (see below).

18. Individual Rights | Right to “Opt Out” of Sale and Sharing of Personal Information (aka Right to Say No)
“A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.” [§ 1798.120(a)]

19. Individual Rights | Right to Limit Use of Sensitive Personal Information (including Precise Geolocation)
N/A

20. Individual Rights | Right to Reject Automated Decision Making and Profiling
N/A

21. Individual Rights | Right of No Retaliation (aka Right to not be Discriminated Against)
The CCPA states that a business shall not discriminate against a consumer for exercising any of their rights, such as requesting access. Examples include (quoted directly from § 1798.125(a)):
(1) Denying goods or services to the consumer.
(2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(3) Providing a different level or quality of goods or services to the consumer.
(4) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

22. Obligations | Privacy Policy Disclosure
A business that collects a consumer’s personal information must, “at or before the point of collection,” inform consumers of the categories of personal information to be collected and the purposes for which they will be used, and on request must “disclose to that consumer the categories and specific pieces of personal information the business has collected.” [§§ 1798.100(a)-(b)] A business must also disclose the consumer’s rights, e.g. “the consumer’s rights to request the deletion of the consumer’s personal information.” [§ 1798.105(b)] Privacy policies must be updated “at least once every 12 months.” [§ 1798.130(a)]

23. Obligations | Data Protection by Design and Default
N/A, except that a business must identify which data in its systems and apps is personal information in order to provide proper notice.

24. Obligations | Written Contracts with Processors / Service Providers / Contractors / Third Parties
A written contract with a service provider is implied by the definition of “service provider”: an entity that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business.” [§ 1798.140(v)]

25. Obligations | Maintain Records of Processing Activities
Not really. The proposed CCPA regulations, as drafted as of March 2020, do assume there will be some documentation of consumer requests regarding their personal information.

26. Obligations | Respond to Rights Requests
A business must respond to a “verifiable consumer request.” [§ 1798.140(y)] The proposed CCPA regulations describe how these requests should be logged. Furthermore, a business must “disclose and deliver the required information to a consumer free of charge within 45 days” and may extend the 45 days once. [§ 1798.130(a)] The information must be provided “free of charge to the consumer,” but a business “shall not be required to provide personal information to a consumer more than twice in a 12-month period.” [§ 1798.100(d)] Businesses must also respond to other rights requests (e.g. deletion, do not sell) with no such limit. [§§ 1798.105(c), 1798.120(d)]

27. Obligations | New Homepage Links Required (e.g. do not sell/share personal information, limit use of sensitive personal information)
A business must “provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.” [§ 1798.135(a)]

28. Obligations | Implement Appropriate Security Measures
Not a direct obligation found in the CCPA. The private right of action section [§ 1798.150(a)] states that “any consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” In practice, encrypting or redacting stored personal information directly limits exposure to that private right of action, since only “nonencrypted and nonredacted” data qualifies. Furthermore, existing California law states that “a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” [Cal. Civ. Code § 1798.81.5]

29. Obligations | Security Breach Notification
N/A, but California has a separate, pre-existing data breach notification law. [Cal. Civ. Code § 1798.82]

30. Obligations | Data Protection Impact Analysis
N/A

31. Obligations | Data Protection Officers
N/A

32. Obligations | Adhere to the Rules of Cross-Border Data Transfers
N/A

33. Enforcement | Dedicated Supervisory Authority
The CCPA did not create a dedicated agency to enforce it. The California Attorney General (AG) is tasked with adopting regulations under the CCPA, with public participation. [§ 1798.185] “Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.” [§ 1798.185] The AG can seek civil penalties (see below). Proceeds from civil actions go into the Consumer Privacy Fund, which is “created within the General Fund in the State Treasury, and is available upon appropriation by the Legislature to offset any costs incurred by the state courts in connection with actions brought to enforce this title and any costs incurred by the Attorney General in carrying out the Attorney General’s duties.” [§ 1798.160] The AG “shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” [§ 1798.185]

34. Enforcement | Penalties (Civil Fines)
“A business shall be in violation … if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.” [§ 1798.155(b)]

35. Enforcement | Penalties (Private Right of Action)
The CCPA gives a consumer a private right of action only in the narrow case where their “nonencrypted and nonredacted personal information” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Damages may be “not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.” [§ 1798.150(a)] There is no other private right of action beyond a breach occurring (e.g. no private right of action if a business fails to delete a consumer’s information upon request). Furthermore, “personal information” here takes the narrower definition found in § 1798.81.5. Note that “actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.” [§ 1798.150(b)]

Here are some other executive summaries of the CCPA from law firms, comparing the CCPA to the GDPR, that you may also find helpful:
