California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020, with some exceptions (Cal. Civ. Code §§ 1798.100-1798.199). Given their comprehensiveness and broad reach, each law may have a significant impact on entities that collect and process personal data.
The CCPA grants California residents new rights regarding their personal information and imposes various data protection duties on certain entities conducting business in California. While it incorporates several GDPR concepts, such as the rights of access, portability, and data deletion, there are several areas where the CCPA requirements are more specific than those of the GDPR or where the GDPR goes beyond the CCPA requirements.
The CCPA gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.
The CCPA has a long list of defined terms (Cal. Civ. Code 1798.140).
- Ownership of or the power to vote more than 50 percent of the outstanding shares of any class of voting security of a business.
- Control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
- The power to exercise a controlling influence over the management of a company. (Cal. Civ. Code 1798.140(c)(2).)
Common branding means a shared name, service mark, or trademark. (Cal. Civ. Code 1798.140(c)(2).)
Service provider means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that:
- Processes information on behalf of a business.
- Receives personal information from a business:
  - for a business purpose only; and
  - under a written contract, which prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than for performing the services specified in the contract or as otherwise permitted by this title.
(Cal. Civ. Code 1798.140(v).)
Third party means a person or entity other than the business collecting personal information from consumers under the CCPA. However, the third party definition excludes personal information recipients who obtain the data:
- Directly from the business.
- For a business purpose.
- Under a written contract that contains specific clauses. To qualify for the exclusion, the business’s written contract with the recipient must:
  - Prohibit the recipient from:
    - selling the personal information;
    - retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract; and
    - retaining, using, or disclosing the information outside of the direct business relationship between the recipient and the business.
  - Include a certification that the recipient understands the restrictions and will comply with them.
(Cal. Civ. Code 1798.140(w).)
Another California law, Civil Code section 1798.99.80, defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” This law exempts certain businesses that are regulated by other laws from this definition. Exempted businesses include consumer reporting agencies (commonly known as credit bureaus) and certain financial institutions and insurance companies.
Data brokers collect information about consumers from many sources including websites, other businesses, and public records. The data broker analyzes and packages the data for sale to other businesses.
Personal Information Categories Under The CCPA
The CCPA defines personal information (PII) more broadly than California’s other laws. It includes any information that directly or indirectly identifies, describes, relates to, is capable of being associated with, or can reasonably link to a particular consumer or household. The statutory definition includes eleven specific categories that businesses must use when providing their required disclosures. Those categories are:
- Identifiers, such as:
  - real name;
  - an alias;
  - postal address;
  - email address;
  - unique personal or online identifier;
  - internet protocol (IP) address;
  - account name;
  - social security number (SSN);
  - driver’s license or passport
  - other similar identifiers.
- Personal information categories described in the California Customer Records statute (Cal. Civ. Code 1798.80(e)), which in addition to the identifiers described above, also lists a
  - physical characteristics or description;
  - state identification card number;
  - insurance policy number.
  - employment or employment history.
  - bank account number, credit card number, debit card number, or any other financial information.
  - medical information or health insurance information.
- Characteristics of protected classifications under California or federal law, like race, religion, gender, national origin, or sexual orientation (see State Q&A, Anti-Discrimination Laws: California).
- Commercial information, including records of:
  - personal property;
  - products or services purchased, obtained, or considered; or
  - other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information,
  - browsing history;
  - search history; or
  - information regarding a consumer’s interaction with an internet website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as nonpublic personally identifiable information under the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g and 34 C.F.R. Part 99).
- Inferences drawn from any of these personal information categories to create a profile about a consumer reflecting the
  - psychological trends;
  - abilities; or