Since 2018, the state of California has been through a couple of iterations of privacy laws. Even though the amended privacy law took effect on January 1, 2023, the final rulemaking was pending for a long time. Understanding the full extent of the scope and requirements, and catching up on the increments and nuances of the CCPA, has been overwhelming for many businesses that handle personal information.

This online guide provides a comprehensive overview of the updated CCPA, including its background, status, scope, and requirements. It also covers important topics such as specific business obligations, enforcement, and violations. By reading through the guide, businesses can gain clarity about their obligations under the law and take the necessary steps to achieve compliance. For further information, including the original text of the law, please refer to the ‘Helpful Links to further Information’ section below.

Context and Background of the Law

The California Consumer Privacy Act (CCPA) was enacted in 2018 and amended by the California Privacy Rights Act (CPRA) in 2020 (collectively known as the ‘CCPA, as amended’). The CPRA was introduced to secure additional privacy rights for California consumers and to enable a stricter enforcement process. The CCPA, as amended, took effect on January 1, 2023.

This finalization is the outcome of a rulemaking process that commenced in July 2022.

The recent law, often referred to as the CPRA, amends the CCPA; it is important to note that it does not create a separate, new law. As a result, the new law is referred to as the “CCPA” or the “CCPA, as amended.”

As of March 30, 2023, the updated CCPA regulation has been approved.

The California Privacy Protection Agency (CPPA) announced that its first CPRA rulemaking package has been approved by the California Office of Administrative Law (OAL). No substantive changes have been made to the finalized rules since the CPPA submitted its final draft to the OAL in February.

Scope of the Law

Primary Criteria – The CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

An important aspect of the amendment to the CCPA is that, in addition to providing privacy rights and data protection to consumers, CCPA-regulated entities are now required to extend those rights and protections to their employees as well. However, a few exclusions apply.

The CCPA, as amended, includes a one-year lookback provision for the personal information it regulates. This means any data collected on or after January 1, 2022, is subject to the CPRA regulations.

Businesses operating as non-profits or government agencies – CCPA does not generally apply to nonprofit organizations or government agencies, but it is important to verify CCPA applicability across all functional areas of these entities.

Businesses located outside of California – A business need not be located in California to be subject to the CCPA. A business that collects and uses the data of persons who reside in California is subject to the regulation if it satisfies the primary criteria.

Entities that provide services to businesses regulated under the CCPA – The CCPA imposes separate obligations on service providers (which process personal information on behalf of a regulated business) and on other recipients of personal information from businesses. The law identifies three types of entities:

  1. Contractor
  2. Service Provider
  3. Third Party

Definition of Personal Information and Sensitive Personal Information

Personal information is information that identifies, relates to, or could reasonably be linked with a resident of California or their household. The law, under TITLE 1.81.5. California Consumer Privacy Act, section 1798.140(v)(1), recognizes the following categories of personal information.

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B) Any personal information described in TITLE 1.81.5. California Consumer Privacy Act, section 1798.80(2), which states: “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(C) Characteristics of protected classifications under California or federal law.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

(L) Sensitive personal information.

Sensitive personal information is a specific subset of personal information that includes certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number combined with any required security code, password, or credentials allowing access to the account; precise geolocation; the contents of mail, email, and text messages; genetic data; biometric information processed to identify a consumer; information concerning a consumer’s health, sex life, or sexual orientation; and information about racial or ethnic origin, religious or philosophical beliefs, or union membership. Consumers also have the right to limit a business’s use and disclosure of their sensitive personal information.

Legal Rights of Individuals

The right to know about the personal information a business collects about them, including how it is collected, used, shared, or sold, and the categories and specific pieces of personal information involved:

  • The purpose for which the business uses the personal information – why they collected, used, shared, or sold that information.
  • The categories of personal information collected.
  • Specific pieces of personal information collected.
  • The categories of sources from which the business collected personal information.
  • The categories of third parties with whom the business shares the personal information.
  • The categories of information that the business sells or discloses to third parties.

When requested, businesses are required to provide this information for the 12-month period preceding the request and free of charge.

The right to delete personal information held by businesses and, by extension, by a business’s service providers. However, businesses should identify any exceptions under which personal information is retained and the reasoning behind those exceptions.

The right to opt out of the sale or sharing of personal information. Consumers are able to direct a business that sells or shares personal information to stop selling or sharing that information by submitting an “opt-out” request.

With some exceptions, businesses cannot sell or share a consumer’s personal information after they receive the opt-out request unless the consumer provides authorization allowing them to do so again. Businesses must wait at least 12 months before asking a consumer to opt back into the sale or sharing of their personal information.

Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting on behalf of children under 13.

The right to non-discrimination, in terms of price or service, for exercising their CCPA rights. Businesses cannot deny goods or services, charge a different price, or provide a different level or quality of goods or services just because a consumer exercised their rights under the CCPA.

The right to correct inaccurate personal information that a business has about consumers.

The right to limit the use of sensitive personal information (for example, social security number, financial account information, precise geolocation data, or genetic data) to limited purposes, in line with the consumer’s request.

The right to opt out of automated decision-making and behavioral profiling – TITLE 1.81.5. California Consumer Privacy Act, section 1798.186(a)(16) outlines the state of California’s position on the use of automated decision-making technology, including profiling. On February 10, 2023, the California Privacy Protection Agency issued an Invitation for Preliminary Comments on Proposed Rulemaking on the following topics: Cybersecurity Audits, Risk Assessments, and Automated Decision Making. The public could provide preliminary written comments to the Agency from February 10, 2023 through March 27, 2023. In summary, the details of this right remain to be confirmed.

Business Obligations

Businesses regulated under CCPA have several obligations, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers. A data broker is defined under California law as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

Privacy policy

Under the CCPA, an organization is required to display an externally visible privacy policy describing how it collects, uses, shares, and sells consumers’ personal information. The policy should include information on consumers’ privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale, the Right to Correct, the Right to Limit, and the Right to Non-Discrimination. The policy should be visible and accessible as a link at the bottom of the homepage and other webpages under the title “Privacy Policy” or “California Privacy Rights.”

Privacy Disclosure

A business collecting personal information should provide a notice to consumers at or before the point of data collection. A privacy notice must list the categories of personal information the business collects about consumers and the purposes for which it uses each category of information.

On webpages where data collection is enabled, consumers should have access to a privacy disclosure at the point of data collection.

Updated CCPA introduces new Privacy Principles

CPRA adopts a few GDPR-like principles, including:

  • Purpose limitation – how much personal information a business may collect, limited to what is needed for its stated purposes
  • Lawful basis of processing – the purposes for which the business will use that personal information
  • Data retention – how long the business may retain or store that personal information, based on jurisdictional requirements

Other obligations

  • Businesses must create procedures to respond to consumer requests to opt out, to know, and to delete.
  • For requests to opt out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
  • Businesses must respond to consumer requests to know, delete, and opt out within specific timeframes.
  • Businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt out as a validly submitted opt-out request.
  • Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business. If a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat an unverifiable request to delete as a request to opt out.
  • Businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA.
  • Businesses must maintain records of requests, and of how they responded, for 24 months in order to demonstrate their compliance.
  • Businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations.
  • Businesses must ensure that reasonable security controls and measures are in place.

Enforcement and Violations

Under the amended law, the state of California established the California Privacy Protection Agency to protect Californians’ consumer privacy. The key responsibilities of this agency include:

  • Promoting public awareness of consumers’ rights and businesses’ responsibilities under the CCPA.
  • Adopting regulations that implement and maintain the CCPA.
  • Most importantly, enforcement of the CCPA. Beginning July 1, 2023, the Agency is tasked with enforcing the CCPA through administrative enforcement actions. It has the ability to investigate possible violations, provide businesses with an opportunity to cure, and take enforcement actions.

The CCPA authorizes a private cause of action against a covered business if its failure to implement reasonable security safeguards results in a data breach affecting personal information.

After July 1, 2023, penalties for noncompliance with the CPRA could be significant: up to $2,500 per violation (tripled for violations that are intentional or involve children), with each impacted consumer potentially giving rise to a separate “violation.” These penalties can be levied with or without a cure period.

The CCPA empowers the California Attorney General to enforce violations.

Helpful Links to further Information

  1. California Privacy Rights Act Resource Center – Text of the CPRA | CPRA Resource Center (caprivacy.org)
  2. ca.gov FAQ (from consumer standpoint)- Frequently Asked Questions (FAQs) – California Privacy Protection Agency (CPPA)
  3. TITLE 1.81.5. California Consumer Privacy Act of 2018 [1798.100 – 1798.199.100] – Codes Display Text (ca.gov)
  4. Final Regulation Text – California Privacy Protection Agency – Final Regulations Text

CCPA Compliance Recommendations in light of evolving Regulatory Landscape

As businesses work towards achieving compliance with the CCPA, it is important to consider a range of actions to meet the requirements of the law. The next steps for businesses will vary depending on their level of preparedness and their specific situation.

In today’s rapidly changing technology and regulatory landscape, it is critical for organizations to have a defensible privacy posture that aligns with both compliance-driven and ethics-driven privacy principles.

To transform, manage, and future-proof privacy requirements, the optimal approach to data management and protecting personal information is proactive, privacy-by-design management rather than reactive, compliance-checkbox management. The reactive, checkbox-compliance approach most businesses take is an inefficient and costly use of enterprise resources, resulting in a patchwork of technical and organizational controls that is vulnerable to data compromise and immature operations.

Privacy regulations are complex and evolving. Our expertise in global privacy laws and trends ensures that you stay ahead of emerging privacy requirements. Our use of industry standards such as the NIST and ISO privacy frameworks ensures objective, measurable, and future-proof privacy programs. We specialize in crosswalks between sectoral and non-sectoral regulations for streamlined management of controls, and in repeatable models for ensuring compliance with regulatory obligations across multiple jurisdictions.