Get to Know the CCPA
After completing this unit, you’ll be able to:
- Describe the US privacy law landscape and how CCPA is a critical component of privacy regulation in the US.
- Define common terms of the CCPA.
- Identify who is covered and who must comply with the CCPA.
Privacy Laws in the United States
Privacy has always been an important legal concept in the United States. While a right to privacy is not explicitly included in the US Constitution, in 1965, the US Supreme Court in a case called Griswold v. Connecticut recognized an implied constitutional right to privacy. The US Congress further developed the right to privacy in 1974 when it passed the Privacy Act, which restricts federal agencies in their collection, use, and disclosure of personal information of US citizens. With the Privacy Act restricting the federal government, the US became one of the first countries in the world to adopt a major privacy law.
The federal government isn’t alone in regulating privacy in the US. Individual states can and have passed their own laws governing the use of their residents’ personal information. California is one state that is leading in privacy regulation, not just in the US, but globally. Just after the enactment of the General Data Protection Regulation (GDPR), California passed its own all-inclusive privacy law called the California Consumer Privacy Act (CCPA). The CCPA has quickly become a focus of privacy compliance for organizations collecting and processing the Personal Information of Californians.
Creation of the CCPA
The CCPA began as a grassroots movement by Californians themselves. Registered voters in California signed a ballot initiative petition to put the CCPA up for a statewide vote, bypass the legislature, and enact it into law by referendum. With increasing public interest in privacy, the California legislature decided to work with the initiative's authors, the private sector, and civil society to draft a negotiated bill to replace the ballot initiative. On June 28, the ballot initiative was withdrawn and the CCPA was passed by the legislature and signed into law by the governor.
Since then, several amendments have been added to the CCPA and the attorney general of California is responsible for providing regulations interpreting the law and explaining how it will be enforced.
The CCPA went into effect on January 1, 2020. There are a couple of things to consider as enforcement begins.
First, the CCPA is a significant expansion of privacy law in the United States. The CCPA gives California residents broad new rights such as:
- The right to know what categories of Personal Information businesses are collecting about them
- The right to know whether businesses are Selling or sharing their Personal Information and to whom
- The right to prohibit businesses from Selling their Personal Information
- The right to access their Personal Information
- The right to request that a business delete their Personal Information
- The right to equal services and pricing when exercising rights under CCPA
Second, enforcement of many of the CCPA requirements related to employee Personal Information will be postponed for a one-year period. (The exact term used was that those clauses would be inoperative.) While many organizations are glad to have the additional time for this category of Personal Information, it’s important to note that there are two components of the law that affect employee Personal Information that will be enforced beginning January 1, 2020:
- Providing notice to employees about what categories of Personal Information are collected and the purposes for which the Personal Information is used, and
- The security breach rules related to employee Personal Information.
Common Terms in the CCPA
You may have noticed that Personal Information is capitalized in a few places. The CCPA introduces several defined terms that have a specific meaning under the law. These terms are important to understand because they are a bit more nuanced than the common meaning of the words as we’d use them in ordinary conversation.
The following table describes some of the most important terms you need to know when discussing the CCPA. Throughout this Trailhead module, the terms in the table will be capitalized when intended to be interpreted as they are defined in the CCPA and not by their ordinary meaning.
| Defined Term | Legal Definition | Example |
|---|---|---|
| Business | An organization doing business in California that either: (1) has an annual revenue of $25 million or more; (2) collects the Personal Information of 50,000 individuals; or (3) earns more than half of their annual revenue from Selling Personal | Acme Industries had an annual revenue of $40 billion last year and has its headquarters in San Francisco. |
| Consumer | A natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier. | John lives in San Francisco with his family. |
| Personal Information | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or<br>Personal Information includes identifiers, characteristics of protected classifications under California or federal law, commercial information, biometric information, internet or other electronic network activity information, geolocation data, audio, electric, visual, thermal, olfactory or similar information, professional or employment-related information, education information, and inferences drawn from the above information. | If Acme Industries collects a consumer’s name, email address, and their driver’s license, it has collected the Personal Information of that consumer. |
| Processing | Any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means. | Acme Industries collects, stores, and uses personal data in its customer relations management software to provide services to follow up on sales leads. |
| Sell, Selling, Sale, or Sold (of Personal Information) | Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Information by the Business to another Business or a third party for monetary or other valuable consideration. | Acme Industries agreed to share a list of its customers with another company, Beta Industries, in exchange for a payment of $100. Beta Industries uses the list to find new customers. Acme Industries’ sharing of its list is considered a Sale. |
| Service Provider | Processes information on behalf of a Business and to which the Business discloses a consumer's Personal Information for a business purpose pursuant to a written contract. | Acme Industries has a vendor called Storage Services that Acme Industries signed a contract with last year. Acme Industries stores the contact details of its customers in Storage Services’ systems. |
Who Is Covered by CCPA?
The CCPA protects the privacy of Consumers. Because of how Consumer is defined in the CCPA, the law applies to the processing of Personal Information about all California residents, including employees, customers, vendors, and contractors.
The definition of Personal Information in the CCPA is very broad (by design) to include lots of categories of data under the protection of the law. Under the CCPA, Personal Information includes much of the usual data we think of as personal, such as social security numbers, email addresses, and telephone numbers. Additionally, the CCPA definition of Personal Information includes probabilistic identifiers (for example, purchasing and consuming histories) and characteristics of protected classifications (for example, disability status, genetic status, race, veteran status) under California or US federal law.
Not only does the CCPA introduce several new rights for Consumers and expand the meaning of Personal Information, it introduces specific requirements and penalties for Businesses who fail to comply with the law. Therefore, in addition to understanding what the CCPA rules are, it is important to understand who is required to comply with the CCPA.
Who Must Comply with CCPA?
A Business, as defined in the CCPA, must comply with the law. As you read above, the definition of Business is very broad. That means that any organization anywhere in the world that meets one or more of the criteria listed in the definition of Business must comply with the CCPA. Let’s break it down in detail to make it easier to understand.
Any for-profit company that receives the Personal Information of a California resident (a Consumer) and meets any of the following must comply with the CCPA:
- Has an annual revenue of $25 million
- Handles the data of 50,000 California consumers or devices
- Derives 50% or more of its revenue from Selling Personal Information
It’s important to note that there is no requirement that a Business actually use the Personal Information it collects for the CCPA to apply. If a Business meets the requirements in the definition of Business and receives Personal Information about a California Consumer, the CCPA will apply (even if the Personal Information is not used further).
Also notice that there is no requirement that a company maintain physical locations in California to be treated as a Business under the CCPA. While the CCPA does not define doing business in California, physical presence is only one of the factors typically used to determine whether a company does business in California.
Finally, it is important to be aware that a Business does not have to collect Personal Information directly from Consumers for the CCPA to apply. In fact, the CCPA will apply if a company meets the definition of Business even if it has no direct contact with Consumers and receives data from other Businesses or sources.
Now that you’ve learned how the CCPA came to be, the key rights it grants to Californians, some of the unique terms of the law, and who it protects and regulates, you’re ready to learn about some of the CCPA’s key requirements.