In the context of the CCPA, Businesses are entities that meet certain specified thresholds and determine the purposes and means of the processing of consumers’ personal data. Service Providers are individuals or entities that process information on behalf of a Business pursuant to a written contract that contains certain specified language. These terms are broadly synonymous with ‘Controllers’ and ‘Processors’ as used in the GDPR.
The CCPA defines the “sale” of personal information broadly to include “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” the Personal Information of a Consumer to another business or third party “for monetary or other valuable consideration.” Where a consumer has elected to “opt-out”, the business will be required to turn off the flow of personal information to any third party to which it “sells” personal information.
The CCPA does provide a number of exceptions to the “opt-out of sale” right, including, for example, transfers (i) to a Service Provider or (ii) at the direction of the consumer. Even if a consumer has elected to “opt-out”, personal information can continue to be transferred to third parties that fit into those carve-outs.
In order to take advantage of the Service Provider exemption, businesses will have to ensure that the transfers are governed by written contracts containing the specific terms required by the CCPA.
The CCPA is enforceable by the California Attorney General, who has the ability to levy a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation. Enforcement will begin on July 1, 2020.
The CCPA also includes a private right of action that is limited to the context of data security breaches under California’s breach notification law. Under this private right of action, Consumers may seek the greater of actual damages or statutory damages ranging from $100 to $750 per incident.
Courts may also impose injunctive or declaratory relief.
In general, the CCPA defines personal information broadly to include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The CCPA provides a non-exhaustive list of categories of personal information, including:
Name, alias, postal or email address, online identifier, account name, Social Security number, driver’s license number, passport number, or other similar identifiers;
Signature, physical characteristics or description, state identification card number, insurance policy number, education, bank account number, credit card number, debit card number, and other financial information, medical information, and health insurance information;
Unique personal identifiers (e.g., IP address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers);
Characteristics of protected classifications under California or federal law;
Commercial information (e.g., purchase history and “tendencies”);
Internet activity (e.g., browsing and search history);
Audio, electronic, visual, thermal, olfactory, or similar information;
Professional or employment-related information; and
Education information (as defined in the Family Educational Rights and Privacy Act (FERPA)).
Personal information does not include certain publicly available government records, or de-identified or aggregate consumer information. Certain personal information covered by other sector-specific legislation (e.g., HIPAA) is exempt from the scope of the law.
The CCPA will apply to a business if it, or an entity it controls or that controls it and that shares common branding with it, collects or receives personal information from California residents, either directly or indirectly, determines the purposes and means of the processing of that information, does business in California, and meets one or more of the following criteria:
Has annual gross revenue that exceeds US $25 million;
Annually receives, buys, sells or shares, directly or indirectly, the personal information of 50,000 or more California residents, devices, or households; or
Derives 50% or more of its annual revenue from the sale of personal information about California consumers.
The CCPA offers certain rights to consumers, defined as natural persons who are California residents. There are a number of exceptions in the CCPA, including for personal information collected about a business’s personnel and business-to-business representatives. The precise scope of these exceptions is context-dependent.
The California Consumer Privacy Act (CCPA) was enacted into law on June 28, 2018. The CCPA provides California “consumers” the following privacy rights:
Right to access
Right to delete
Right to opt out of sale
Businesses regulated by the CCPA will have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like rights for consumers, an “opt-out” for certain disclosures of personal information and an “opt-in” requirement for minors.