Overview

The California Consumer Privacy Act of 2018 (CCPA) is a sweeping new law that introduces a host of privacy rights for California consumers and creates robust obligations for many businesses that collect personal information about California consumers.

CCPA Services

 

How Perkins Coie Can Help

Perkins Coie’s Privacy & Security practice lawyers have deep experience helping clients comply with privacy laws around the world and are positioned to help businesses understand the implications of the CCPA. We help our clients take stock of their current data practices, including assisting with the creation of data maps or data inventory systems to identify the personal information their businesses collect and how such information is used, stored, shared, secured, retained and destroyed. We also provide guidance on required updates to data management practices to clients that already employ an information governance strategy. We work with clients to minimize risk and also defend clients in privacy-related enforcement actions and private litigation.

Our lawyers counsel clients on all aspects of CCPA compliance, including privacy policy updates, user interface adjustments, possible amendments to vendor contracts, as well as possible amendments or interpretation of the CCPA. Our team also advises companies that have already adjusted their business practices—such as customer service, vendor management and information technology infrastructure—to comply with the General Data Protection Regulation (GDPR) or other privacy laws on ways in which they can use similar practices to minimize the burden of complying with the CCPA.

 

What You Should Know:

What Entities Are Subject To The CCPA?

The CCPA applies to any for-profit entity that does business in California, collects personal information about California consumers and meets at least one of the following threshold criteria:

  • Earns annual gross revenue above $25 million,
  • Annually buys, sells or, for commercial purposes, receives or shares personal information of at least 50,000 California consumers, households or devices, or
  • Derives at least 50% of its annual revenue from selling California consumers’ personal information.

In addition, if a business is subject to the CCPA, its subsidiaries and affiliates may also be covered if they share common branding, including a shared name, service mark or trademark. 

Although portions of the CCPA will go into effect January 2020, the California attorney general is not permitted to enforce the CCPA until July 1, 2020, or six months after the attorney general issues regulations to implement the law, whichever is sooner. We also expect additional legislative changes and regulatory interpretation related to the CCPA prior to 2020. Companies should consider whether the CCPA applies to them, and, if so, start thinking about how to comply with the law’s mandates.

Who Has Rights Under the CCPA?

The CCPA applies to “consumers,” which is broadly defined as any natural person who is a California resident. Although the law appears to be focused on protecting individuals in the consumer context, this definition is arguably broad enough to include employees as well.

The CCPA requires greater transparency in data practices and gives consumers more control over their personal information. Under the law, “personal information” means any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes obvious identifiers, such as names, addresses and email addresses, but it also covers categories of information not typically considered to be personal information in the United States, such as web browsing information and inferences drawn from other information to create a consumer profile.

What Rights Does The CCPA Provide?

The CCPA expands upon rights afforded under existing California legislation—including the California Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act (often referred to as SB 568) and the Shine the Light law—and creates some new rights for California consumers. These rights generally fall into the following categories:

  • Transparency. Several provisions of the CCPA address consumers’ rights to know about a company’s data collection practices, such as the categories of personal information collected, the sources from which personal information is collected, the business or commercial purpose of such collection and categories of third parties with whom personal information is shared. Additionally, consumers have a right to know whether and to whom their personal information was sold or disclosed for a business purpose. Some of this information must be provided through notices, such as in privacy policy disclosures, whereas other disclosures must be made in response to verifiable consumer requests.
  • Access. Consumers have a right to access information about the personal information a business collects about them, including a right to the specific pieces of personal information collected. Upon receipt of a verifiable consumer request, a company must provide the requesting consumer with access to the specific pieces of information collected about that consumer over the prior 12 months, sometimes in a portable format.
  • Choices Related to Sale of Personal Information. In addition to requiring businesses to make disclosures about the sale of personal information, the CCPA gives consumers more control over this business activity. Like other aspects of the law, “sale” is defined broadly to include “renting, releasing, disclosing or otherwise communicating a consumer’s personal information to a third party for monetary or other valuable consideration.” Some data sharing is exempt from the definition of sale, including certain information sharing with service providers. Generally, businesses that sell personal information to other businesses or third parties must permit consumers to opt-out of such sales. Note, however, that explicit opt-in consent to the sale of personal information is required if such information relates to consumers under the age of 16. Finally, companies that sell personal information must also include a clear link on their websites’ homepage (or platform or download page for mobile apps) and in their privacy policies labeled “Do Not Sell My Personal Information” that enables consumers to exercise their opt-out rights.
  • Deletion. Consumers have the right to request deletion of their personal information. Upon receipt of a verifiable request, a company must delete personal information held about a consumer unless an exception applies, such as the need to retain the information to complete a transaction, comply with a legal obligation, exercise free speech or enable internal uses that are aligned with consumer expectations, among others.
  • Non-Discrimination. Consumers also enjoy a general right to equal service and price, meaning that companies generally cannot discriminate against those who have exercised their privacy rights, subject to some exceptions. The law specifically prohibits denying goods or services, charging different prices, or providing different levels or quality of products or services to consumers who exercise their rights under the law, although certain exceptions may apply. At the same time, the CCPA also permits businesses to offer financial incentives in exchange for the collection or sale of personal information.

What Obligations Does The CCPA Impose On Businesses?

To comply with the CCPA, businesses will need to consider implementing processes and procedures to authenticate and respond to verifiable consumer requests. A business must offer at least two methods through which consumers can make requests to exercise their rights, including at a minimum, a toll-free phone number, and if the business maintains a website, a web address. In addition, companies must update disclosures in their privacy policies at least annually. Any employees or contractors that handle consumer inquiries related to the company’s privacy practices must receive training, so they are familiar with consumer rights available under the CCPA and how consumers can exercise them. The CCPA also sets forth certain provisions businesses should include in their contracts with service providers.

Who Can Enforce the CCPA and What Are the Penalties for Claimed Violations?

The California attorney general has broad enforcement authority under the CCPA. The attorney general may initiate civil actions against companies that fail to cure violations under the CCPA, with penalties reaching $2,500 per violation or up to $7,500 per intentional violation. The CCPA also contains a limited private right of action for uncured breaches of unencrypted data that are reportable under California’s breach notification law. If such breaches occur as a result of a company’s failure to implement reasonable security standards, individuals may each seek to recover the greater of actual damages or statutory damages up to $750 per violation (or such damages may be sought in a class action).

Accolades

Industry Reputation

  • Ranked nationally in Privacy and Data Security: The Elite and Privacy & Data Security: Litigation by Chambers USA from 2003 to 2023
  • Ranked Tier 1 nationally for both Information Technology Law and Technology Law by U.S. News—Best Lawyers® in 2022
  • Ranked in the Top 10 Best Law Firms for Privacy and Data Security by Vault from 2018 to 2022
  • Ranked Tier 2 nationally for Regulatory Enforcement Litigation (Telecom) by U.S. News—Best Lawyers® in 2022
  • Named as one of the top law firm Litigation Powerhouses by Law360 in 2016
  • Named a Leader among tech-savvy law firms based on corporate counsel feedback to BTI Brand Elite in 2016
  • Named Law Firm of the Year for Technology Law by U.S. News—Best Lawyers® in 2015

Insights

CCPA year in review 2022

Our 2022 California Consumer Privacy Act Year in Review offers a summary of the past year’s CCPA-related case filings, key litigation trends, and outcomes.
