
The California Consumer Privacy Act (Part One of Three)

The California Consumer Privacy Act (CCPA), which becomes effective on January 1, 2020, is likely to affect almost all California businesses in one way or another.  Moreover, because of the statute’s breadth and the size of the state and its economy, businesses with a California or national presence should also take note of the new statutory obligations since those businesses may very well be required to comply.

With that in mind, here are answers to some of the Frequently Asked Questions (FAQ) about the more notable provisions of the CCPA.  This FAQ is the first of a three-part series, with Part 2 addressing consumer rights and required disclosures under the Act and Part 3 addressing reasonable security standards and other compliance considerations.   

How Does the CCPA Define Personal Information?

“Personal information” is defined as anything that identifies, relates to, describes, is capable of being associated with or could reasonably be linked directly or indirectly with a particular consumer or household.  The definition covers the traditional items that come to mind when one thinks of privacy, such as names, mailing addresses, email addresses, phone numbers, Social Security numbers and credit card numbers.  However, because the definition is so broad, it also includes things like location data, employment information, purchase history, behavior and tendencies, biometric data and search and browsing history.

How Does the CCPA Define Consumer?

Under the Act, a “consumer” is defined as a California resident, which includes every individual in the State for other than a temporary or transitory purpose and every individual domiciled in the State who is outside the state for temporary or transitory purposes.  As used in the Act, the term includes customers, job applicants, business to business partners and employees (1).

Who Is Covered by the CCPA?

The Act defines a covered business as an entity that does business in California, collects or determines processing procedures for personal information of California residents and meets one of the following criteria:

-Generates more than $25 million in gross revenues; or

-Buys, sells, receives or shares personal information from more than 50,000 California residents, households or devices per year; or

-Derives 50% or more of its annual revenues from selling consumers’ personal information.

“Collecting information” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. It includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

“Selling information” means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for money or other valuable consideration.

What Does the CCPA Require of Businesses?

Under the CCPA, businesses are required to make certain disclosures to consumers and to respond to certain consumer requests (2).  Additionally, businesses face civil liability under the Act when consumers’ non-encrypted or non-redacted personal information is subject to an unauthorized access or exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.

Who Enforces the CCPA and What Are the Penalties for Non-Compliance?

The California Attorney General has the sole authority to enforce the Act and can impose civil penalties of up to $2500 per violation ($7500 for an intentional violation) on covered companies for their violations.  There is no cap on the amount of penalties that the AG can impose.

As was noted above, the Act permits consumers to bring a private cause of action against businesses that suffer a negligent data breach as a result of the violation of their duty to implement or maintain reasonable security procedures or practices, appropriate to the nature of the information, to protect personal information.  The relief available in such a lawsuit includes injunctive relief and statutory penalties of $100 – $750 per consumer per incident or actual damages suffered, whichever is greater.

Check this space for Part 2 and Part 3 of the series.  For questions about or assistance with the CCPA, I can be reached at kathy@kdwinger.com or 520-391-4475.

The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.   

1 – HR data has been exempted from certain provisions of the Act for a period of one year, i.e., until January 1, 2021.   

2 – These topics are discussed in more detail in Part 2 of the series.
