The State Law Affecting the Nation: A Quick Dive into the CCPA

By Yinan Guo.

Maybe you have noticed that, for the past month or so, companies have been sending out emails about their updated privacy policies. Chances are you ignored them, just as you did every other time you checked the “I agree” box. What is interesting is that this wave of updates is a response to a California statute, the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. Although it is a state statute, it is already having a nationwide impact and has the potential to shape the future of data privacy law in the United States.

I Don’t Live in California, Why Am I Receiving These Emails?

A for-profit business that does business in California is required to comply with the CCPA if it meets any one of three thresholds: it has annual gross revenue of over $25 million; it annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or it derives at least half of its annual revenue from selling personal information. This is not a high bar. One report estimates that all businesses with more than 500 employees, and 37.5% of businesses with fewer than 500 employees, will meet the $25 million revenue threshold alone. Many businesses with smaller revenue are likely to be covered by the other two thresholds, since 50,000 devices is a modest number for any site or app that sets tracking cookies or uses advertising identifiers.

Strictly speaking, the rights created by the CCPA belong to “consumers,” which the statute defines as California residents. In practice, however, a business subject to the CCPA rarely maintains one privacy policy and one set of data-handling practices for Californians and another for everyone else; it is simpler and less risky to apply the updated notice, the opt-out mechanism, and the request-handling process to all users. That is why your inbox filled up even if you have never set foot in California, and why the CCPA is, in effect, not just for Californians.

Companies Had Privacy Policies in the Past. What’s Different This Time?

The name of the statute is somewhat misleading. “Privacy” usually refers to something not generally known by others. By contrast, what data privacy laws protect is simply personal information, whether or not it is secret. The CCPA broadly defines personal information as information that “identifies, relates to, describes, is capable of being associated with” an individual or a household, and then provides a non-exhaustive list of categories that qualify. Notably, the definition reaches information that does not itself contain a name or other direct identifier, such as browsing history, search history, and geolocation data, because such data can be linked back to a particular person or household.

The CCPA places emphasis on disclosure and on providing notice at or before the point of collection, hence the wave of privacy policy updates you received. A covered business is obligated to disclose in its privacy policy the categories of personal information it collects, the categories of sources from which it is collected, the business or commercial purposes for collecting it, the categories of third parties with whom it is shared, the specific pieces of personal information it holds about a consumer, and a description of consumers’ rights under the statute.

The statute pays special attention to the sale of consumer personal information. For the purpose of the CCPA, “sale” essentially means making consumers’ personal information available to another business or third party for monetary or other valuable consideration; no cash needs to change hands. A business that sells personal information must disclose in its online privacy policy a description of consumers’ rights, including the right to opt out, and a list of the categories of personal information it has sold, and separately the categories it has disclosed for a business purpose, in the preceding 12 months. It must also provide a clear and conspicuous “Do Not Sell My Personal Information” link on its homepage.

What Does the Statute Mean to Me?

If you are a California resident, the CCPA gives you certain rights that help you gain more control over your personal information. You can request that a business disclose the specific pieces of personal information it has collected about you, as well as the categories of personal information collected, the sources, the purposes, and the categories of third parties it was shared with, over the preceding 12 months. You can request that a business delete your personal information, and it must do so, subject to a list of exceptions (for example, information needed to complete a transaction you requested, to detect security incidents, or to comply with a legal obligation). If the business sells personal information, you have the right to opt out of any future sales. Finally, a business may not discriminate against you, for instance by charging a different price or degrading the service, because you exercised any of these rights.

In general, the California Attorney General is tasked with enforcing the statute. A business that fails to cure a violation within 30 days of being notified faces civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, and a “violation” can be counted per consumer record. The statute also creates a private right of action for victims of a data breach, but it is deliberately narrow: it applies only where a consumer’s nonencrypted and nonredacted personal information is exposed as a result of the business’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. In such a case a business can be ordered to pay either statutory damages of $100 to $750 per consumer per incident or the actual damages, whichever is greater. The statutory-damages option sidesteps the usual difficulty of proving concrete harm to individual breach victims, which has defeated many data breach suits in the past, and it turns “reasonable security” and encryption at rest from best practices into a direct litigation exposure for any company that holds Californians’ data.