California Consumer Privacy Act

One of the first comprehensive data privacy laws in the United States, the California Consumer Privacy Act (CCPA) empowers California residents with greater control over their personal information, mandating transparency from businesses regarding data collection practices and granting consumers the right to access, delete, and opt out of the sale of their data. The CCPA imposes significant restrictions on the collection and sale of consumers’ personal information, while also granting consumers new and extensive rights regarding their data.

Definition of Personal Information Under the CCPA

The CCPA defines personal information as any data that identifies, relates to, describes, or can be reasonably linked, either directly or indirectly, to a specific consumer or household. This includes:

  • Identifiers such as real names, aliases, postal addresses, unique personal identifiers, online identifiers, IP addresses, email addresses, account names, social security numbers, driver’s license numbers, passport numbers, and other similar identifiers.
  • Characteristics of protected classifications as defined by California or federal law.
  • Commercial information, which encompasses records of personal property, products, or services purchased, obtained, or considered, as well as other purchasing or consumption histories and tendencies.
  • Biometric data.
  • Information related to internet or electronic network activity, including browsing history, search history, and details about a consumer’s interactions with websites, applications, or advertisements.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.
  • Professional or employment-related information.
  • Educational information, which is defined as non-publicly available personally identifiable information as outlined in the Family Educational Rights and Privacy Act (FERPA).

Personal information does not include publicly available data sourced from federal, state, or local government records, such as professional licenses and public real estate or property records.

Scope of the CCPA

The California Consumer Privacy Act applies to for-profit businesses operating in California that meet any of the following criteria:

  • Annual Revenue: Businesses with annual gross revenue exceeding $25 million. The California Attorney General has clarified that this revenue threshold is not limited to income generated within California or from California residents. The California Privacy Rights Act (CPRA) further specifies that a business must assess its eligibility based on the annual gross revenue from the previous calendar year as of January 1st each year.
  • Data Volume: Businesses that, either alone or in combination, annually buy, receive, sell, or share the personal information of at least 50,000 consumers, households, or devices for commercial purposes. The CPRA has updated this requirement to state that businesses must handle the personal information of 100,000 or more consumers or households.
  • Revenue from Data Sales: Businesses that derive at least 50 percent of their annual revenue from selling consumers’ personal information. Under the CPRA, the “sharing” of personal information also counts towards this revenue threshold.

Applicability to Out-of-State Businesses

The CCPA/CPRA’s reach extends beyond California’s borders. A business does not need to be physically located in California to be subject to the CCPA/CPRA. A business may be considered “doing business” in California if it engages in online transactions with California residents, employs individuals in the state, or has other significant connections to California, even without a physical presence.

Notice at Collection

Businesses that collect (or “control the collection of”) consumers’ personal information must inform consumers at or before the point of collection. This notice must include (i) the categories of personal information collected, including sensitive personal information, and (ii) the purposes for which these categories will be used. The CPRA mandates that the notice also specify whether the information will be sold or “shared” and how long each category of personal information will be retained. Once the notice is provided, businesses are prohibited from collecting additional categories of personal information or using the collected data (including sensitive personal information) for purposes that are incompatible with those disclosed in the notice, unless they provide renewed notice to the consumer.

Consumer Rights

The CCPA grants consumers the right to request information regarding:

  • The categories of personal information collected about them.
  • The sources from which their personal information was obtained (e.g., directly from the consumer, advertising networks, internet service providers, data analytics providers, government entities, data brokers, etc.).
  • The business or commercial purposes for which their personal information was collected or sold (e.g., fraud prevention, marketing, improving customer experience).
  • The categories of third parties to whom their personal information was disclosed (e.g., advertising networks, internet service providers, government entities, social networks, etc.).
  • The “specific pieces” of personal information collected.

Consumers also have the right to request additional details from businesses that sell or share their personal information or disclose it for business purposes, including:

  • The categories of personal information sold about the consumer and the categories of third parties to whom this information was sold, organized by category.
  • The categories of personal information disclosed about the consumer for business purposes and, according to the CPRA, the categories of individuals to whom it was disclosed for such purposes.

In summary, the California Consumer Privacy Act (CCPA) represents a significant step forward in data privacy in the United States, empowering consumers with greater control over their personal information.

As we move forward, ongoing dialogue between consumers, businesses, and lawmakers will be essential to ensure that privacy rights continue to evolve and meet the needs of all stakeholders.

Are you considering marketing your products, including medtech and software, in the United States? Contact Chekt today to learn how we can help you achieve compliance with U.S. standards and bring your innovative solutions to the U.S. market!
