Get to Know the CCPA
Learning Objectives
After completing this unit, you’ll be able to:
- Describe the US privacy law landscape and how the CCPA is a critical component of privacy regulation in the US.
- Define common terms of the CCPA.
- Identify who is covered and who must comply with the CCPA.
Privacy Laws in the United States
Privacy has always been an important legal concept in the United States. While a right to privacy is not explicitly included in the US Constitution, the US Supreme Court recognized an implied constitutional right to privacy in 1965 in a case called Griswold v. Connecticut. In 1974, the US Congress further developed the right to privacy by passing the Privacy Act. The Privacy Act restricts federal agencies in their collection, use, and disclosure of personal information of US citizens. With the Privacy Act restricting the federal government, the US became one of the first countries in the world to adopt a major privacy law.
The federal government isn’t alone in regulating privacy in the US. Individual states can and have passed their own laws governing the use of their residents’ personal information. California is one state that’s leading in privacy regulation, not just in the US, but globally. Just after Europe’s General Data Protection Regulation (GDPR) went into effect, California passed its own comprehensive privacy law called the California Consumer Privacy Act (CCPA). The CCPA has quickly become a focus of privacy compliance for organizations collecting and processing the Personal Information of Californians.
Creation of the CCPA
The CCPA began as a grassroots movement by Californians themselves. Registered voters in California signed a ballot initiative petition to put the CCPA up for a statewide vote, bypass the legislature, and enact it into law by referendum. With increasing public interest in privacy, the California legislature decided to work with the initiative's authors, the private sector, and civil society to draft a negotiated bill to replace the ballot initiative. On June 28, 2018, the ballot initiative was withdrawn, and the CCPA was passed by the legislature and signed into law by the governor.
The CCPA went into effect on January 1, 2020, and was a significant expansion of privacy law in the United States. The law gave California residents broad new rights, such as:
- The right to know what categories of Personal Information businesses are collecting about them
- The right to know whether businesses are Selling their Personal Information and to whom
- The right to prohibit businesses from Selling their Personal Information
- The right to access their Personal Information
- The right to request that a business delete their Personal Information
- The right to equal services and pricing when exercising rights under the CCPA
Even though the CCPA applies to all California residents, requirements related to employee Personal Information were postponed until January 1, 2023. Currently, California is the only state to include protections for employee Personal Information in its privacy law.
Common Terms in the CCPA
You may have noticed that Personal Information is capitalized in a few places. The CCPA introduces several defined terms that have a specific meaning under the law. These terms are important to understand because they are a bit more nuanced than the common meaning of the words as you’d typically use them in ordinary conversation.
The following table describes some important terms you need to know when discussing the CCPA. Throughout this Trailhead module, the terms in the table will be capitalized when intended to be interpreted as they are defined in the CCPA and not by their ordinary meaning.
Defined Term | Legal Definition | Example |
---|---|---|
Business | An organization doing business in California that either: (1) has an annual revenue of $25 million or more; (2) collects the Personal Information of 100,000 individuals; or (3) earns more than half of its annual revenue from Selling Personal Information. | Acme Industries had an annual revenue of $40 billion last year and has its headquarters in San Francisco. |
Consumer | A natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier. | John lives in San Francisco with his family. |
Personal Information | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information includes identifiers, characteristics of protected classifications under California or federal law, commercial information, biometric information, internet or other electronic network activity information, geolocation data, audio, electric, visual, thermal, olfactory or similar information, professional or employment-related information, education information, and inferences drawn from the above information. | If Acme Industries collects a consumer’s name, email address, and their driver’s license, it has collected the Personal Information of that consumer. |
Processing | Any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means. | Acme Industries collects, stores, and uses personal data in its customer relations management software to provide services to follow up on sales leads. |
Sell, Selling, Sale, or Sold (of Personal Information) | Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Information by the Business to another Business or a third party for monetary or other valuable consideration. | Acme Industries agreed to share a list of its customers with another company, Beta Industries, in exchange for a payment of $100. Beta Industries uses the list to find new customers. Acme Industries’ sharing of its list is considered a Sale. |
Service Provider | Processes information on behalf of a Business and to which the Business discloses a consumer's Personal Information for a business purpose pursuant to a written contract. | Acme Industries has a vendor called Storage Services that Acme Industries signed a contract with last year. Acme Industries stores the contact details of its customers in Storage Services’ systems. |
Who Is Covered by CCPA?
The CCPA protects the privacy of Consumers. Because of how Consumer is defined in the CCPA, the law applies to the processing of Personal Information about all California residents, including employees, customers, vendors, and contractors.
The definition of Personal Information in the CCPA is very broad (by design) to include lots of categories of data under the protection of the law. Under the CCPA, Personal Information includes much of the usual data we think of as personal, such as social security numbers, email addresses, and telephone numbers. Additionally, the CCPA definition of Personal Information includes probabilistic identifiers (for example, purchasing and consuming histories) and characteristics of protected classifications (for example, disability status, genetic status, race, veteran status) under California or US federal law.
Not only does the CCPA introduce several new rights for Consumers and expand the meaning of Personal Information, it also introduces specific requirements and penalties for Businesses that fail to comply with the law. Therefore, in addition to understanding what the CCPA rules are, it is important to understand who is required to comply with the CCPA.
Who Must Comply with CCPA?
A Business, as defined in the CCPA, must comply with the law. As you read above, the definition of Business is very broad. That means any organization anywhere in the world that meets one or more of the criteria listed in the definition of Business must comply with the CCPA. Let’s break it down in detail to make it easier to understand.
Any for-profit company doing business in California that receives the Personal Information of a California resident (a Consumer) and meets any of the following must comply with the CCPA.
- Has an annual revenue of $25 million
- Annually buys, Sells, or Shares the Personal Information of 100,000 or more Consumers or households
- Derives 50% or more of its revenue from Selling or Sharing Personal Information
It’s important to note that there is no requirement that a Business actually use the Personal Information it collects for the CCPA to apply. If a Business meets the requirements in the definition of Business and receives Personal Information about a California Consumer, the CCPA will apply even if the Personal Information is not used further.
Additionally, there is no requirement that a company maintain physical locations in California to be treated as a Business under the CCPA. While the CCPA does not define doing business in California, physical presence is only one of the factors typically used to determine whether a company does business in California.
Finally, it is important to be aware that a Business does not have to collect Personal Information directly from Consumers for the CCPA to apply. If a company meets the definition of Business and receives data from other sources, the CCPA will apply even if the company has no direct contact with Consumers.
Now that you’ve learned how the CCPA came to be, the key rights it grants to Californians, some unique terms of the law, and who the CCPA protects and regulates, you’re ready to learn about some CCPA key requirements.