Preparing for the California Consumer Privacy Act (CCPA)
FAQ for CCPA
What is the California Consumer Privacy Act?
The California Consumer Privacy Act of 2018 (CCPA) is a data privacy law passed by the state of California on June 28, 2018. It outlines new standards for data collection, new consequences for businesses that fail to protect user data and new rights that California consumers can exercise over their data.
When is the California Consumer Privacy Act effective date?
The CCPA becomes effective on January 1, 2020.
Who must comply with the CCPA?
The CCPA applies to a “business” that collects the personal information of “consumers” that are California residents.
A “Consumer” is deﬁned under the CCPA as a California resident.
- The California Code of Regulations deﬁnes a resident as follows: “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.”
A “Business” is deﬁned by the CCPA as a for-proﬁt entity that collects “consumer” data and also meets one of the following criteria:
- Has at least $25 Million in annual gross revenue;
- Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes;
- Derives 50% or more of its annual revenue from selling consumer personal information.
A “Service Provider” is deﬁned by the CCPA as any entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.
Notably, the CCPA applies to all businesses, as deﬁned above, that collect data from California residents — regardless of the location of the headquarters of the business itself. In other words, it applies to businesses that are physically located outside of California.
What is “Personal Information” under the CCPA?
“Personal information” (“PI”) is broadly defined to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
- The CCPA specifies that Personal Information includes, but is not limited to:
- Identifiers, such as names, aliases, addresses and IP addresses
- Characteristics of protected classifications under California or federal law
- Commercial information, including records of personal property, products or services purchased, or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information, such as browsing history
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information
- Any inferences drawn from any of the information identified to create a profile about a consumer
What information is excluded from the CCPA’s deﬁnition of “Personal Information”?
The CCPA excludes:
- “Aggregate consumer information,” which is defined as data that is “not linked or reasonably linkable to any consumer or household, including via a device.”
- Information that is publicly available from federal, state or local government records is similarly excluded.
What rights do California consumers have regarding their personal information under the CCPA?
For the purposes of this White paper, California Consumers have four main rights.
- The right to notice and transparency about the personal data collected about the consumer – which includes the right to request that a business disclose what personal information it has collected about them.
- The right to opt out of the sale of their personal information by a business.
- The right to have their personal information deleted.
- The right not to be discriminated against because they opt out of the sale or their personal information.