Overview of the CCPA

The California Consumer Privacy Act (CCPA) provides consumers in California rights to information processed online. In this article, we discuss:

• the threshold for coverage by the CCPA,
• the key rights outlined by the act, and
• amendments to the CCPA since it was signed into law on June 28th, 2018.

The threshold for coverage lets you know if your company will fall under the CCPA's jurisdiction. The key rights give you an idea of the CCPA's focus on transparency. The CCPA's focus on transparency is quite a different approach than the European Union's focus on consent in the General Data Protection Regulation (GDPR). Finally, we'll discuss amendments to the CCPA, which have generally tended toward expanding exemptions to the CCPA.

Threshold for coverage by the CCPA

The CCPA is not extra-territorial in scope, and has thresholds for application that exempt many small to medium-sized businesses. The thresholds for coverage by the CCPA are a gating item to application of the CCPA and an important distinction to the GDPR, which is more extra-territorial in its approach. 

The CCPA covers for-profit businesses that do business in California and meet any of the following: 

• have a gross revenue of over $25 million; 
• buy, receive or sell the personal information of 50,000 or more California residents, households, or devices; or
• derive 50% or more of their annual revenue from selling California residents' personal information.

The threshold rules out small businesses that aren't in the business of buying or selling personal information. Companies that are in the business of buying or selling personal information have special obligations under the CCPA and are more likely to meet the threshold for coverage. Businesses that don't do business in California are outside the scope of the CCPA, and only residents of California have the standing to sue under the CCPA.

Key rights for California consumers

The CCPA covers four key rights for California's consumers, which are the basis of California's transparency approach to the use of consumer data. The four key rights for consumers are as follows:

• The right to know about the personal information a business collects on them and how it is used and shared; 
• The right to delete personal information collected from them (with some exceptions);
• the right to opt-out of the sale of their personal information; and
• the right to non-discrimination for exercising their CCPA rights.

The right to know means that businesses are required to disclose to California consumers what personal information they have collected, used, shared or sold about that California consumer, and why they did so. California consumers can demand:

• the categories of personal information collected,
• the specific pieces of personal information collected,
• the categories of sources from which the business collected personal information,
• the purposes for which the business uses the personal information,
• the categories of third parties with whom the business shares the personal information, and
• the categories of information that the business sells or discloses to third parties. 

Businesses are required to provide the information above for the 12-month period preceding the California consumer's request, free of charge. The right to know requires a business to understand exactly how they use a California consumer's information, and, more importantly, be able to retrieve it. 

The right to delete provides California consumers the right to require that businesses delete their personal information, and tell their service providers to do the same. There are important exceptions to the right to delete, which are that:

• the business cannot verify the California consumer's request
• the business requires the California consumer's information to complete the California consumer's transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes
• For certain business security practices
• For certain internal uses that are compatible with reasonable consumer expectations or the context in which the information was provided
• To comply with legal obligations, exercise legal claims or rights, or defend legal claims
• If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

Several of those exemptions are large, and the practice for applying those exemptions is developing quickly.

The right to opt out provides California consumers with the right to demand that businesses stop selling their personal information. With some exceptions, the right to opt out means the California consumer's information cannot be sold unless the California consumer opts back in again. Businesses must wait at least 12 months before asking the California consumer to opt in again. In some circumstances, businesses can refuse to allow the California consumer to opt out, such as:

• If a sale of information is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims
• If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

The right to non-discrimination means that businesses cannot deny a California consumer goods or services, charge a different price, or provide a different level or quality of goods or services just because a California consumer exercised rights under the CCPA. The right to non-discrimination doesn't cover instances where a business is kept from completing a transaction because of the information that is being withheld by the California consumer, or instances where a business provides a good or service in exchange for information.  

Amendments to the CCPA

Since the CCPA was passed into law, there have been several amendments. There is a good overview of the CCPA's amendments here. Apart from a requirement for data brokers to register with the California attorney general, the amendments have made it easier to comply with the CCPA. For instance, in September, an amendment expanded exemptions for health information, such as an exemption for "identifiable private information" which is gathered in the context of medical research. This exemption expanded the already existing exemption for information for medical research gathered in clinical trials to observational or pre-existing data, which was advocated for by public health experts to further research related to COVID-19. The research still must be conducted according to the same medical research standards applied to clinical trials. The September amendment also codified a harmonized standard for "deidentifying" or anonymizing patient data and set standards for deidentified information. Altogether, the September amendment significantly expanded an existing exemption to the CCPA in a way that makes it easier for medical research in California. Other exemptions have expanded the ability of tech companies to differentiate between users, for instance, which has also made it easier for business. The important point of our discussion of the amendments to the CCPA are that changes to the CCPA are happening relatively quickly, and it is important to monitor them.