TL;DR
The California Consumer Privacy Act (CCPA) is a data privacy law granting California residents rights over personal information, including rights to know, delete, and opt out. (CCPA Bill)
The California Consumer Privacy Act (CCPA) was the first comprehensive data privacy law in California, enacted in 2018. The California Privacy Rights Act (CPRA), passed in 2020, amended and expanded the CCPA. The CPRA was responsible for creating the California Privacy Protection Agency (CPPA), a California state government agency that enforces both the CCPA and the CPRA. The CPPA is also the first dedicated privacy regulator in the United States.
The CCPA aims to provide individuals covered by the law:
- Knowledge – about what personal data is collected about them
- Knowledge – about relevant sales and disclosures of their personal data
- Right – to opt out of the sale of their personal data
- Right – to access their personal data
- Right – to request a business to delete any personal information collected from them
- Right – to not be discriminated against for exercising their rights
In November of 2020, California voters approved the CPRA, which amended the CCPA and added new privacy protections and requirements for businesses that began on January 1, 2023. Importantly, the CPRA only amends the CCPA: it does not create a separate, new law. The CPRA adds to the CCPA:
- Right – to correct inaccurate personal information that a business has about them; and
- Right – to limit the use and disclosure of sensitive personal information collected about them.

Any business that falls into one of the following 3 categories is subject to CCPA:
- $25 million+ in gross revenue
- Data of 100,000+ consumers/households bought, received, or sold
- 50%+ annual revenue from selling personal information
Additionally, unlike regulations like GDPR, CCPA has clear geographical instructions that stipulate that any business conducting business in California falls under the CCPA. Importantly, this includes online transactions. Practically, this means that if a business serves customers in California, it is most likely beholden to CCPA if one of the 3 conditions above is met.
For more information on the CCPA and consumer rights, visit the California Attorney General Site here.
Compliance Requirements
| Requirement | Code | Possible Implementation |
|---|---|---|
| Have a process to obtain parental/guardian consent for minors under 13, and affirmative consent for minors between 13 and 16 for data sharing purposes | Cal. Civ. Code § 1798.120(c) | This often involves setting up a consent form accessible via your website or app, typically during account creation or before collecting any data. |
| “Do Not Sell My Personal Information” link on the home page directing users to a page that enables them to opt out of the sale of their personal information | Cal. Civ. Code § 1798.135(a)(1) | Place a prominent “Do Not Sell My Personal Information” link on your homepage. This link should lead to a dedicated page where users can opt out of the sale of their personal information. |
| Designate methods for submitting data access requests, at minimum a phone number | Cal. Civ. Code § 1798.130(a) | Provide multiple channels for consumers to submit data access requests. At a minimum, offer a phone number, but consider adding options such as a chatbot, email address, mailing address, or online form to accommodate user preferences. |
| Update privacy policies with newly required information, including a description of California residents’ rights | Cal. Civ. Code § 1798.135(a)(2) | Revise your privacy policy to include detailed descriptions of California residents’ rights under the CCPA. Ensure the policy is clear, concise, and easily accessible to users, with any new information prominently highlighted. |
| A delay of at least 12 months before requesting opt-in consent after a California resident opts out | Cal. Civ. Code § 1798.135(a)(5) | Implement a system to track opt-out requests. Ensure that no opt-in consent requests are sent to users for at least 12 months after they have opted out, which can be automated through your customer relationship management (CRM) or consent management system. |
Best practices include offering easy, straightforward opt-outs and information to end users.
What’s not covered
Personal Health Information (PHI) and financial information a business collects are subject to HIPAA and the California Financial Information Privacy Act or the Gramm-Leach-Bliley Act, depending on the circumstances.
Additional Information
The California Privacy Rights Act was the catalyst for the CCPA. In addition to prompting the creation of the CCPA, the CPRA was also responsible for creating the California Privacy Protection Agency (CPPA). The CPPA is a California state government agency that enforces both the CPRA and the CCPA. The CPPA is also the first dedicated privacy regulator in the United States.
Relevant Cases
1. BARNES V. HANNA ANDERSSON, LLC AND SALESFORCE.COM, INC. (2020)
- Overview: One of the first lawsuits filed under the CCPA. The case involved a data breach that exposed customer information, and the plaintiffs alleged that the defendants failed to implement reasonable security measures as required by the CCPA.
- Outcome: The case was settled for $400,000, with a portion of the settlement allocated to affected consumers.
- Read about this case in On the Docket
2. THE PEOPLE OF THE STATE OF CALIFORNIA v. DOORDASH, INC. (2024)
- Overview: DoorDash was accused of selling the personal information of its customers without providing notice or the opportunity to opt out, in violation of the CCPA.
- Outcome: DoorDash, Inc., in a stipulated judgment, agreed to pay $375,000 to resolve allegations. This case underscores the need for transparency in data collection and sharing practices.
- Read about this case in On the Docket
3. PEOPLE OF THE STATE OF CALIFORNIA v. GOOGLE, LLC. (2023)
- Overview: Google was accused of collecting personal information through its Chrome browser without users’ consent, violating the CCPA.
- Outcome: The court denied Google’s motion to dismiss, allowing the case to proceed.
- Read about this case in On the Docket




