CCPA Compliance in a nutshell

The data privacy and security regime in California is undergoing revolutionary change as it is rebuilt by three new pieces of law:

  • The California Consumer Privacy Act of 2018 (CCPA)
  • The Regulations to the California Consumer Privacy Act (“the Regulations”)
  • The California Privacy Rights Act (CPRA)

Together, these three enactments will form the foundation of California’s consumer data privacy protection scheme. 

In this article we explain:

  • What the CCPA, the Regulations, and the CPRA do
  • The rights the CCPA, the CPRA, and the Regulations grant to consumers
  • The obligations they impose on businesses
  • The penalties for non-compliance with the CCPA, CPRA, and the Regulations
  • Strategies for CCPA and CPRA compliance

Continue reading below to find out whether you’re in compliance with the legislation and how to keep it that way.

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act of 2018 is comprehensive privacy legislation enacted by the California legislature in 2018 to regulate the handling of the personal information of California residents by businesses around the world.

The CCPA came into force on January 1, 2020, and was intended to clarify and strengthen the privacy rights of California residents. It recognizes the increasing amounts of personal information entrusted to private companies and attempts to create a framework around the protection and use of that data.

The legislation has faced quite a bit of criticism in the years since it passed, with some critics arguing that the law doesn’t go far enough in its protection of consumers and others, including some industry groups, arguing that the burdens it imposes on businesses are unreasonable.

What are the CCPA Regulations?

The CCPA Regulations are regulations passed pursuant to the CCPA. They guide businesses on the application of the CCPA, show them how to verify the identity of people making requests under the CCPA and how to handle those requests, and explain the requirements of the CCPA with respect to minors.

The CCPA Regulations went into effect on August 14, 2020.

The regulations were later amended, with those amendments coming into force on March 15, 2021. See the amended CCPA Regulations here.

What is the California Privacy Rights Act (CPRA)?

The California Privacy Rights Act expands and clarifies the obligations and rights contained in the California Consumer Privacy Act. The CPRA was passed on November 3, 2020 and will come into force on January 1, 2023. 

The CPRA will be enforced starting July 1, 2023. However, there is a “lookback period,” meaning some violations of the Act can be penalized if they occurred any time on or after January 1, 2022.

The Act is wide-ranging, creating a new enforcement agency - the California Privacy Protection Agency - and creates new privacy rights for California residents. There are also a few changes that, arguably, weaken privacy protections in California. The most notable of these is the provision that excludes some smaller businesses from the operation of the CCPA and CPRA.

Who does the CCPA apply to?

The CCPA applies to all businesses who meet any of the following criteria:

  • Earn $25 million (or more) in annual revenue
  • Buy, sell, or receive the personal information of 50,000 or more consumers, devices, or households
  • Receive 50% or more of their annual revenue from selling the personal information of consumers

Note that a business does not need to meet all of these criteria. Satisfying only one will trigger the compliance requirements of the CCPA.

Additionally, any business that handles the personal information of 4 million consumers, or more, has additional obligations under the CCPA.

What are the CCPA rights?

The CCPA grants California residents four distinct rights. They are:

  1. The right to know about all personal information collected by a business and how it is used, shared, or sold.
  2. The right to delete most personal information collected by a business.
  3. The right to opt-out of the sale of their personal information.
  4. The right to non-discrimination for exercising their other rights under the CCPA.

What are the CPRA rights?

The CPRA will grant California residents four new rights when it comes into effect on January 1, 2023:

  1. The right to correct personal information held by businesses.
  2. The right to limit the use and disclosure of sensitive personal information held by businesses.
  3. The right to access information about algorithmic/automated decision-making conducted by businesses.
  4. The right to opt-out of algorithmic/automated decision-making conducted by businesses. 

Additionally, the CPRA modifies and strengthens the four existing rights under the CCPA as follows:

  1. The right to know is expanded to include time periods beyond the one-year lookback period in reasonable circumstances.
  2. The right to delete will require businesses who receive a deletion request to notify third parties who previously received that customer’s information about the request.
  3. The right to opt-out is expanded to include an ability to opt-out of personal information “sharing,” like in cases of cross-platform advertising.
  4. For minors, the right to opt-out is strengthened by prohibiting a business from asking for consent to share personal information for 12 months after the minor has initially declined to give it.
  5. The right to data portability, which already exists under the CCPA, is expanded to allow a consumer to request a business transfer their personal information to a third party

CCPA Notices

Pursuant to the CCPA, covered businesses must provide at least two notices to the consumers whose personal information they are collecting: 

  1. Notice at collection
  2. Privacy policy 

notice at collection is a notice a business provides to a consumer when the business collects personal information from that person. The notice must include:

  • A description of the categories of personal information collected from the consumer
  • The purposes for which the business is collecting the information
  • A link to the business’ privacy policy
  • If the personal information is to be sold, a “Do Not Sell” link that allows the consumer to opt-out of the sale of their personal information

privacy policy is more expansive than a notice at collection. At a minimum, it must include information about the four consumer rights granted by the CCPA and how to exercise each of those rights.

CCPA Enforcement

Enforcement of the CCPA comes in two flavors. Enforcement by the Office of the Attorney General (OAG) of California and a private right of action.

CCPA enforcement by the OAG

In California, the Office of the Attorney General enforces the CCPA. The CCPA empowers the OAG to levy fines of up to $2,500 per individual violation of the act. So, for example, if a data breach results in the unauthorized disclosure of 100,000 consumers’ personal information, the ultimate fine could rise to $250 million.

The OAG also has the ability to impose fines of up to $7,500 per individual intentional breach of the CCPA.

CCPA enforcement by private right of action

The CCPA offers California residents a private right of action anytime a covered business breaches their rights under the Act. However, this is not a general private right of action. Instead, a plaintiff must establish that the violation of the Act resulted from a personal information security breach. (See the paragraph on McCoy v. Alphabet Inc. below)

The Act does not require that a plaintiff show they incurred actual damages as a result of the breach. The CCPA offers a remedy of between $100 to $750 per violation simply upon proof that a breach occurred.

However, if a plaintiff does suffer damages, and those damages exceed the statutory amounts described above, the business is liable for the full amount of damages suffered.

3 Active Cases involving alleged CCPA non-compliance

CCPA litigation is already winding its way through the California courts.

McCoy v. Alphabet

In McCoy v. Alphabet, Inc. et al., No. 5:20-cv-05427 (N.D. Cal.), the plaintiff alleged that Alphabet and Google collected and monitored the Android device usage of consumers without consent.

On February 2, 2021, the court dismissed the plaintiff’s claims. It pointed out that the suit did not allege a personal information security breach resulting in a violation of the CCPA. Since the Act explicitly requires that such a breach be made out before an action for CCPA breaches can succeed, the case was dismissed.

In plain English, this case stands for the fact that a consumer can only sue for a violation of the CCPA where it arises out of a data security incident. Whether other courts will come to the same conclusion remains to be seen.

Atkinson et al v. Minted, Inc.

In Atkinson et al v. Minted, Inc., No. 3:20-cv-03869 (N.D. Cal.), the plaintiffs allege the defendant, Minted.com, failed to prevent the “unauthorized access and exfiltration, theft, or disclosure of class members’ non-encrypted PII.” This allegedly resulted in a violation of the CCPA.

The plaintiffs seek an injunction requiring Minted.com to take steps to secure their personal information and statutory damages if the breach can’t be cured within thirty days.

The case remains at the pleadings stage.

In Re: Zoom Video Communications, Inc. Privacy Litigation

In In Re: Zoom Video Communications, Inc. Privacy Litigation, No. 5:20cv2155 (N.D. Cal.), the plaintiffs allege that Zoom collected and shared personal information without consent. Interestingly, the plaintiffs characterize this behavior as a data breach or “exfiltration” of data, which would bring it under the purview of the CCPA.

As the case remains at the pleadings stage, time will tell whether the court will agree with that characterization or if the case will meet the same fate as McCoy v. Alphabet.

(Information obtained from O’Melveny CCPA Case Tracker.)

Active Case Summary

The cases tell us very little about the current state of CCPA litigation, other than the fact that we obviously remain at the introductory stages of this new and important legislation. 

That said, the limitation of the private right of action to cases of data breach incidents seems to be an important bottleneck to what might otherwise be a flood of litigation directed at remedying CCPA breaches.

The relative paucity of cases and CCPA fines also stands in stark contrast to the record-breaking GDPR fines and penalties meted out over the last few years. This too may change as the enforcement regime matures under the upcoming CPRA and the new Regulations.

CCPA vs GDPRv2-Overlapping-rights-CCPA-CPRA-and-GDPR

The differences between the CCPA and the GDPR are more than superficial. They include differences in:

  • Territorial scope: The GDPR is much broader, covering all of the EU,  although both the GDPR and CCPA operate extraterritorially.
  • Parties regulated: The GDPR regulates more businesses, while the CCPA is more restrictive.
  • Parties protected: The GDPR and the CCPA define protected parties differently.
  • Information protected: The GDPR only protects personal data, while the CCPA includes household and device data.
  • Informational rights: The GDPR and the CCPA both require similar disclosures, but there are differences in the information that must be offered.
  • Opt-out right: The CCPA contains an explicit sale opt-out right, while the GDPR does not.
  • Treatment of minors: Unlike the GDPR, the CCPA’s special protection of minors extends mostly to the sale of personal information, not processing.
  • Right of rectification: Unlike the GDPR, the CCPA does not currently include a right of rectification, although one will be added by the CPRA.
  • Right to restrict processing: The GDPR contains a right to restrict processing in some circumstances while the CCPA does not.
  • Right to avoid algorithmic decision-making: The GDPR contains this right while the CCPA does not, although one will be added to the CCPA by the CPRA.
  • Right of action: The GDPR grants a right of action for damages while the CCPA grants a limited right of action in certain circumstances, with or without damages.

Businesses governed by the CCPA and the GDPR must make specific efforts to comply with each piece of legislation, as compliance with one does not guarantee compliance with the other. The countries that apply the GDPR may also have national legislation that differs from the GDPR. 

What Responsibilities Do You Have Under the CCPA?

All businesses to whom the CCPA applies must enable and facilitate the rights granted to California consumers under the act. More specifically, businesses must:

Proactively disclose practices involving Personal Information

Prior to collecting Personal Information, businesses must disclose to consumers, usually in the form of a Privacy Notice, the categories of Personal Information they collect and the purposes for which it will be used.

This disclosure must also:

  • Describe the rights held by California residents under the CCPA
  • Explain the process by which a California resident can submit a consumer request to the business
  • List the categories of Personal Information the business has collected, sold, and/or disclosed in the preceding 12 months

Create and publicize a process for consumers to submit CCPA requests

Since the CCPA grants consumers the right to make several requests of businesses, every business covered by the CCPA must establish and implement a procedure for the receipt and processing of these requests. These requests may be for disclosure or deletion of Personal Information. Your business’ data governance policies must be capable of complying with both types of requests.

Create a sale opt-out capability

The CCPA grants consumers the right to opt-out of the sale of their Personal Information. Every covered business must include a clear link on their homepage entitled, “Do not sell my personal information” that directs consumers to a page enabling them to opt-out of the sale of their PI.

A note about the CPRA

As discussed above in “What are the CPRA rights?,” the CPRA will create new rights and expand existing ones. This will create new obligations on the part of businesses covered by the CCPA and impose new compliance burdens.

Since that act will only fully take effect on January 1, 2023, businesses have some time to comply with the new legislation. However, you should take note that there is a “lookback period,” for some of the newly created and expanded rights. This means a business could be prosecuted or sued for violations of the act starting on January 1, 2022 (in some cases).

CCPA Compliance Strategies and Tips

There are several strategies you can use to comply with the obligations imposed by California’s data privacy regime.

Cookie management

While the CCPA does not currently require businesses to gather specific consents with respect to cookies, the use of these unique identifiers may implicate one or more of the rights granted to consumers under the CCPA.

Therefore, you should carefully consider how, when, and where your organization uses cookies and incorporate those data collection processes into your Privacy Policy, data governance policies and procedures, and consumer consent requests.

Privacy policies

A coherent and comprehensive privacy policy must be readily accessible to consumers at all times and, in any event, prior to or during the collection of Personal Information. As with the GDPR, there is no standard form for privacy policies under the CCPA. Each one must be customized for your business and how your business collects, uses, sells, and/or discloses Personal Information.

At a bare minimum, your privacy policy should disclose:

  • The specific types of Personal Information you collect
  • Why you collect Personal Information
  • Who you will share Personal Information with
  • How you will collect the Personal Information
  • Who the consumer can contact if they wish to exercise their rights to disclosure or deletion under the CCPA

Additionally, you may wish to consider the guidance offered by the European Union on GDPR-compliant privacy policies at GDPR.eu, as well as decided cases involving privacy policies under the GDPR. While the two regimes are significantly different in many respects, there is more case law and judicial treatment of the requirements for privacy policies under the GDPR, and some of the principles are similar to those found in the CCPA legislation. 

Finally, remember that your privacy policy must be both fulsome and understandable. The guiding principle should be that your policy enables a consumer to easily exercise informed consent.

Data and Information Governance

While a full discussion of data and information governance is outside the scope of this article, it’s becoming increasingly clear that no business will be able to comply with the tangle of requirements found in the CCPA, CPRA, GDPR, and the privacy regimes of other nations without a comprehensive and well-designed data governance framework.

If you still haven’t wrapped your arms around how your business collects, uses, shares, and sells data, now is the time.

Cross Border Publisher: Data Protection by Clifford Chance

A new data protection and data privacy compliance tool from Clifford Chance offers businesses of all sizes the opportunity to identify and remedy potential breaches of both the GDPR and the CCPA before an enforcement action. A link to the California module is here.

The product offers simple and actionable guidance in a question-and-answer format and highlights your data protection and privacy obligations based on where you are in the world, where you do business, where your consumers are, and the manner in which you collect and use data.

The Latest CCPA Updates (as of April 7, 2021)

The data privacy regime is in a state of ongoing flux as the CCPA is augmented by new regulations and the requirements found in the CPRA.

Effective March 15, 2021: Chapter 20 of the California Consumer Privacy Act Regulations

The latest round of revisions of the CCPA Regulations (at the time of this writing) took effect on March 15, 2021. The most significant changes included:

  1. The addition of a requirement for businesses to provide an offline notice when they collect PI offline
  2. The express permission for businesses to use an Opt-Out button, but not in lieu of a “Do not sell my personal information” link
  3. Requiring businesses to ensure that a “Do not sell” request is “easy” and requires only “minimal steps” for the consumer to implement

Effective Jan 1, 2022 and 2023: The California Consumer Privacy Rights Act

This expansive new legislation comes into force in stages between November of 2020 (when voters passed it) to Jan 1, 2023 when it will be fully in effect. A lookback period allows for the prosecution of some violations that occur as early as Jan 1, 2022.

A new agency, called the California Privacy Protection Agency, will be created to enforce the CCPA and CPRA. As discussed above, the Act will create new rights and expand existing ones under the CCPA.

CCPA Frequently Asked Questions

How is the CCPA different from the GDPR?

The CCPA and the GDPR are significantly different with respect to jurisdiction, scope, restrictiveness, and the rights and obligations involved.

What is CCPA compliance?

CCPA compliance usually refers to the efforts businesses make to adhere to the informational and substantive requirements imposed on them by the CCPA.

What data is covered by CCPA?

All data characterized as “Personal Information” is covered by the CCPA. Personal Information is defined in the Act as, “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Who is subject to the CCPA?

All businesses who meet any of the following criteria are subject to the CCPA:

  • Earn $25 million (or more) in annual revenue
  • Buy, sell, or receive the personal information of 50,000 or more consumers, devices, or households
  • Receive 50% or more of their annual revenue from selling the personal information of consumers

Who enforces the CCPA?

As of April 7, 2021, the California Office of the Attorney General enforces the CCPA. However, on January 1, 2023, a new agency called the California Privacy Protection Agency will enforce the Act.

Who is covered by the CCPA?

All persons who are resident in California are covered and protected by the CCPA.

v3-Personal-Information-under-the-CCPA

What are the CCPA Personal Information categories?

11 categories of Personal Information currently exist under the CCPA and its Regulations. They are: 

  1. Identifiers
  2. Customer records information
  3. Characteristics of protected classifications under California or federal law
  4. Commercial information
  5. Biometric information
  6. Internet or other electronic network activity information
  7. Geolocation data
  8. Audio, electronic, visual, thermal, olfactory, or similar information
  9. Professional or employment-related information
  10. Education information
  11. Inferences

Cross-Border Publisher: Data Protection

When you're thinking about how to manage your obligations under the CCPA, it's worth considering Cross-Border Publisher: Data Protection. Clifford Chance Applied Solutions has built Cross-Border Publisher: Data Protection to provide easy access to information on data protection obligations in California and 17 countries in the European Union. Users can find answers to 78 questions on data protection in a simple Q&A format. Companies can decide which country modules they would like to purchase and build a custom subscription. The California module is here, or you can choose your jurisdiction from the list below.

 

Further Resources

Click here for an Overview of the CCPA.

Click here for an article on expanding Cross-Border Publisher: Data Protection to California.

Click here for a detailed Review of Cross-Border Publisher: Data Protection.

Click here for the Topics covered by Cross-Border Publisher: Data Protection.

Click here for an article on Record-breaking GDPR Fines and Penalties.

Click here for an article on the Clifford Chance Applied Solutions launch on PartnerVine with Cross-Border Publisher: Data Protection.

Click here for an overview of Data Protection Regulations in Europe.

Click here for an overview of what's required for a data protection impact assessment under the EU's GDPR.

Legal Information

Finally, a note on how you can use this article. This article is not to be considered legal advice and is not a substitute for advice from qualified legal counsel. You may not rely on the information in this article. Material aspects of the discussions in this article may change at any time and without further notice.

Please enter these characters in the following text field.

The fields marked with * are required.