In Part 1 of this three-part series, I discussed the background and context of the CCPA, and how it eventually was voted into California law in 2020. This part of the series discusses the definitions, scope, and rights provided to California residents by the CCPA.
Definitions and Scope
The primary purpose of CCPA is to give California residents increased transparency and control over how their personal information is collected, used, shared, and/or sold by businesses. It establishes the right for consumers to have their data deleted and to forbid the sale of their personal data, and it establishes protections for children who are 13 years and under. All of this is to be provided to consumers without penalty, be it in the form of higher prices or reduced levels of service[1].
Who and What is Protected
In California, “personal information” is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and includes identifiers such as “real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers”*. A “consumer” is defined as “a natural person who is a California resident”†. CCPA also protects a person’s geolocation, biometric, commercial, professional, and educational information[2].
The CCPA also strengthens protections for children under the age of 13, requiring that businesses get authorization from a child’s parent or guardian before they are allowed to sell the child’s personal information. This “opt-in” requirement for children is the opposite of the “opt-out” right given to adults, who must specifically request not to have their data sold or shared[3].
Who is Affected
Although CCPA is primarily aimed at commercial businesses, there are situations in which a non-profit organization, or even an individual, might be impacted by it, as well. Specifically, CCPA applies to for-profit businesses that meet or exceed one of the following thresholds:
- Has annual gross revenues over $25 million
- Annually buys, sells, or shares the personal information of 50,000‡ or more consumers or households
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information[2].
In the event that a non-profit controls or is controlled by a business that meets the above criteria, is a co-branded corporate foundation, has entered into a joint venture with a business subject to the act, or has contracts or agreements with a business that require CCPA compliance, that non-profit organization would also be affected by CCPA[4].
Another critical aspect of CCPA is that it applies to businesses that collect, buy, rent, gather, or otherwise obtain the personal information of California residents, regardless of whether said data is acquired actively or passively, so long as the organization in question does business within the State of California[2]. For this reason, businesses established or based in states other than California, or even in countries other than the United States, are also impacted by this legislation[5].
Rights Provided by the Act
Like the General Data Protection Regulation (GDPR) in the European Union (EU), CCPA defines and establishes several privacy rights for California consumers that they have never had before under the law. These rights are significant, if only because they represent a marked change in both tone and intention when compared to federal and state privacy laws in the United States.
Right to Know
The Right to Know means that consumers have the right to request that a business disclose what information about them has been collected, used, shared, or sold. Businesses are required to provide this information for the 12-month period prior to the request, and they must do so free of charge[3].
Right to Delete
While on the surface the Right to Delete sounds like an amazing improvement in personal privacy wherein consumers can request that a business delete their information from the business’ systems, there are a lot of loopholes that allow a business to keep personal information that has been collected or otherwise obtained. For example, certain medical information is exempt, as is consumer credit reporting information, information related to legal claims, or other information the business deems necessary for “security practices”[3].
Right to Opt-Out
The Right to Opt-Out is another right that sounds impressive at first glance, but has limitations that leave privacy advocates squirming. First of all, consumers must request that a business stop selling their information to non-affiliated third parties. Following such a request, a business must wait at least 12 months before asking the consumer to opt back in. And, as was seen with the Right to Delete, there are numerous exceptions that may apply[2][3].
Right to Non-Discrimination
The Right to Non-Discrimination states that businesses cannot deny goods or services, charge a different price, or provide a different level or quality of goods or services just because a consumer exercised their rights under the CCPA. That said, they can offer consumers promotions, discounts, or other incentives in exchange for allowing the business to collect, keep, or sell their personal information[3]. Some privacy advocates believe that these “incentives” amount to the same thing as discrimination, and some feel it is likely the ambiguity will eventually be tested in court[6].
Part 3, the third and final installment of this series, will discuss enforcement of CCPA, how it compares to GDPR, and some final thoughts.
References
[1] M. Kolakowski, “What Is the California Consumer Privacy Act (CCPA)?,” Investopedia, Dec. 31, 2021. https://www.investopedia.com/what-is-the-california-consumer-privacy-act-4780212.
[2] “Cal. Civ. Code § 1798.100 – 1798.199.100,” California Legislative Information. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5.
[3] “California Consumer Privacy Act (CCPA),” State of California – Department of Justice – Office of the Attorney General, Oct. 15, 2018. https://oag.ca.gov/privacy/ccpa.
[4] N. Garhart, “Nonprofits and the California Consumer Privacy Act,” Farella Braun + Martel LLP, Jun. 20, 2019. https://www.fbm.com/publications/nonprofits-and-the-california-consumer-privacy-act/.
[5] L. Hautala, “CCPA is here: California’s privacy law gives you new rights,” CNET, Jan. 03, 2020. https://www.cnet.com/news/privacy/ccpa-is-here-californias-privacy-law-gives-you-new-rights/.
[6] G. Edelman, “The Fight Over the Fight Over California’s Privacy Future,” Wired, Sep. 21, 2020. https://www.wired.com/story/california-prop-24-fight-over-privacy-future/.
* Cal. Civ. Code § 1798.140(o)(1) and Cal. Civ. Code § 1798.140(o)(1)(A), specifically.
† Cal. Civ. Code § 1798.140(g)
‡ There is some disagreement within the text of Cal. Civ. Code § 1798.140 regarding this number. In one place it says 50,000, and in another it says 100,000. The CCPA information page from the California Attorney General, however, says 50,000[3]. Other published articles and guidelines also use the lower number.