The CCPA Explained

Jump to Section

Need help with a legal contract?

CREATE A FREE PROJECT POSTING
Post Project Now

What Is the CCPA?

The CCPA, more officially known as the California Consumer Privacy Act or AB 375, is a state-wide data privacy law in California. It is the first law of its kind in the U.S.

Image via Unsplash by rupixen

The CCPA regulates how businesses worldwide can handle personal information, or PI, of California residents. Though the CCPA was passed by the California state legislature in 2018, it first came into effect on January 1, 2020. The law became enforceable on July 1, 2020.

Who Does the CCPA Affect?

The CCPA is similar to the General Data Protection Regulation, or GDPR, in the European Union. As with the GDPR, the CCPA deals with consumers' data privacy rights. The law forces many organizations to protect the privacy rights of their consumers.

The CCPA specifically covers consumers who are California residents. However, businesses around the world must comply with CCPA regulations if they have consumers from California. Businesses do not need to be based in California to fall under the law. Companies do not even need to have a physical presence in California or in the United States to fall under this law if they meet certain requirements.

Requirements for Businesses

Not all businesses must comply with the regulations in the CCPA. The CCPA applies if a company fits in one or more of the following categories:

  • The business buys, sells, or receives personal information of 50,000 or more devices, consumers, or households.
  • The business derives half or more of its revenue from selling personal information of consumers.
  • The business has a gross annual revenue that exceeds $25 million.

Under the CCPA, businesses that handle personal information for more than four million consumers have additional obligations as well.

Exemptions










Volume 0%























A later amendment exempts insurance institutions, agents, and organizations that already fall under similar regulation of the Insurance Information and Privacy Protection Act, or IIPPA, in California.

Additionally, the following businesses are exempt from the CCPA as they are covered under federal data security laws already:

Protections for Consumers

The CCPA allows any California consumer to:

  • Demand to see all information a company has saved about them.
  • Demand to see a full list of all third parties a company shares their data with.
  • Sue companies in cases when privacy guidelines are violated, and consumers can sue companies even if no breach occurs.

California residents, or consumers, have the right to:

  • Opt out of having data sold to third parties.
  • Request disclosure of data that has already been collected.
  • Request that data collected be deleted.
  • Be notified and receive equal prices and services — companies cannot discriminate against consumers based on a consumer's choice to exercise these rights.

What Happens When a Company Is Not in Compliance With the CCPA?

Once regulators notify a business of a violation, the company has 30 days to comply with the law. If the issue is not resolved in that time, businesses are subject to a fine per record.

Fines may be between $100 and $750 per consumer per alleged violation, or the actual damages — whichever amount is greater.

Consumers also have the right to sue businesses if they believe their privacy rights were violated. The CCPA allows for class action lawsuits as well.

Data the CCPA Covers

The CCPA covers personal information. Examples of what the law considers personal information includes:

  • Biometric information.
  • Geolocation data.
  • Characteristics of protected classifications under federal or California law.
  • Identifiers, including:
    • Driver's license number
    • Social Security number
    • Passport number
    • Account name
    • Postal address
    • Email address
    • Online identifier IP address
    • Real name
    • Alias
  • Commercial information, including:
    • Products purchased, obtained, or considered
    • Services purchased, obtained, or considered
    • Records of personal property
  • Purchasing/consuming histories/tendencies.
  • Internet/electronic network activity such as:
    • Browsing history
    • Search history
    • Information about the consumer's interaction with applications, advertisements, or websites
  • Education information, as defined in the Family Education Rights and Privacy Act (FERPA) as not publicly available PII, or personally identifiable information.
  • Audio, electronic, olfactory, thermal, visual, or similar information.

The CCPA also covers inferences drawn from the above information to create a consumer profile reflecting things such as a consumer's:

  • Abilities
  • Aptitudes
  • Attitudes
  • Behavior
  • Characteristics
  • Intelligence
  • Predispositions
  • Preferences
  • Psychological trends

Key Provisions of the CCPA

The CCPA stipulates that companies covered by the law must allow consumers to choose not to have data shared with third parties. In practical terms, that means companies now must be able to separate data they collect following their users' privacy choices.

Companies are not required to report breaches under this law. Additionally, before fines are possible, a consumer must file a complaint.

Enforcement of the CCPA

In addition to granting Californians the right to sue businesses that do not take reasonable precautions to prevent data breaches, the CCPA can be enforced. The Office of the Attorney General of California has the power to enforce the CCPA. However, the state has limited enforcement capabilities, as there are not enough resources to ensure that all companies comply with the law at the same time that they manage non-compliance cases.

What Must a Business Do to Be In Compliance With the CCPA?

If your business falls under the CCPA, you are required to:

  • Allow consumers to deal with their personal data in the business's storage in the following ways:
    • Choosing to opt-out
    • Choosing to read the data
    • Choosing to delete the data
  • Disclose financial incentives for your business to sell or retain a consumer's personal data as well as how you value the data.
  • Respond to requests from consumers within specific timeframes.
  • Verify the identity of any consumer who requests to read/delete their information; this is the case even if the consumer has a password-protected account.
  • Keep records of access requests and how your business responded for 24 months.

You must ensure that your company's website:

  • Includes a "Do Not Sell My Personal Information" link so that users may opt out of third-party data sales.
  • Informs users about categories of personal information collected (and for what purposes) at or before the point of data collection.
  • Obtains opt-in/consent before selling or disclosing personal information of minors under the age of 16; parents or legal guardians must opt in for minors under 13.
  • Updates its privacy policy to include:
    • A description of consumer's rights
    • An explanation of how to exercise rights
    • A list, updated annually, of personal information categories the company collects/sells/discloses
  • Shows consumer privacy settings that signal the choice to opt out.

If your company gets a verifiable request from a consumer requesting disclosure of personal information your business has collected, you must provide records of personal information that have been collected in the past 12 months. You must do this free of charge. These records include:

  • Categories of third parties that have received the records
  • Commercial purposes
  • Sources

Your company must not discriminate based on a consumer's decision to exercise the right to:

  • Opt out
  • Request disclosure
  • Request deletion

The CCPA laws are now in effect, and will change the way businesses deal with data across the country. As almost all bigger businesses have some customers based in California, the CCPA has tremendous implications for data privacy laws. For more help with privacy policies and contracts, contact us .

Explore Our Network of Lawyers

We recruit and onboard great lawyers so you can find and hire them easily.

Browse Lawyers Now

Meet some of our Lawyers

ContractsCounsel verified
Principal
9 years practicing
Free Consultation

Brad is a business attorney with experience helping startup and growing companies in a variety of industries. He has served as general counsel for innovative companies and has developed a broad knowledge base that allows for a complete understanding of business needs.

ContractsCounsel verified
Attorney
14 years practicing
Free Consultation

I am an attorney located in Denver, Colorado with 13 years of experience working with individuals and businesses of all sizes. My primary areas of practice are general corporate/business law, real estate, commercial transactions and agreements, and M&A. I strive to provide exceptional representation at a reasonable price.

ContractsCounsel verified
Partner
4 years practicing
Free Consultation

Chris Sawan is a JD/CPA who practices in the area of business law, contracts and franchising in the State of Ohio.

ContractsCounsel verified
Contracts Specialist
12 years practicing
Free Consultation

As an experienced contracts professional, I offer an affordable method to have your contracts reviewed! With my review of your contract, you can understand and reduce risks, negotiate better terms, and be your own advocate. I am an Attorney, Board Member, and Freelance Writer with a Bachelor of Arts degree, magna cum laude, in Film, Television and Theatre (“FTT”) from The University of Notre Dame. I was awarded The Catherine Hicks Award for outstanding work in FTT as voted on by the faculty. I graduated, cum laude, from Quinnipiac University School of Law, where I earned several awards for academics and for my work in the Mock Trial and Moot Court Honor Societies. Additionally, in my career, I have had much success as an in-house Corporate Attorney with a broad range of generalist experience and experience in handling a wide variety of legal matters of moderate to high exposure and complexity. My main focus in my legal career has been contract drafting, review, and negotiation. I also have a background in real estate, hospitality, sales, and sports and entertainment, among other things.

ContractsCounsel verified
Attorney
10 years practicing
Free Consultation

Elizabeth is an experienced attorney with a demonstrated history of handling transactional legal matters for a wide range of small businesses and entrepreneurs, with a distinct understanding of dental and medical practices. Elizabeth also earned a BBA in Accounting, giving her unique perspective about the financial considerations her clients encounter regularly while navigating the legal and business environments. Elizabeth is highly responsive, personable and has great attention to detail. She is also fluent in Spanish.

ContractsCounsel verified
President
14 years practicing
Free Consultation

Abby is an attorney and public policy specialist who has fused together her experience as an advocate, education in economics and public health, and passion for working with animals to create healthier communities for people and animals alike. At Opening Doors PLLC, she helps housing providers ensure the integrity of animal accommodation requests, comply with fair housing requirements, and implement safer pet policies. Abby also assists residents with their pet-related housing problems and works with community stakeholders to increase housing stability in underserved communities. She is a nationally-recognized expert in animal accommodation laws and her work has been featured in The Washington Post, USA Today, Bloomberg, and Cosmopolitan magazine.

ContractsCounsel verified
General Counsel
7 years practicing
Free Consultation

First in-house counsel for small TX-based company operating in the Middle East. Experienced with drafting, revising, and editing a variety of domestic and international contracts.

ContractsCounsel verified
Attorney
8 years practicing
Free Consultation

Matan is an experienced M&A, corporate, tax and real estate attorney advising closely held businesses, technology start ups, service businesses, and manufacturers in purchases, sales, and other exit strategies. Matan works with founders and first-and-second generation owners to strategically transition businesses.

ContractsCounsel verified
Attorney
14 years practicing
Free Consultation

I am a business law attorney with over 10 years’ experience and a strong background in information technology. I am a graduate of the University of California Berkeley, a member of the Illinois bar and a licensed lawyer (Solicitor) of England and Wales. I actively partner directly with my clients or indirectly, as Of Counsel, to boutique law firms to streamline business practices and manage legal risks by focusing on essentials such as - business contracts, corporate structure, employment/independent contractor agreements, website terms and policies, IP, technology, and commercial related agreements as well as business risk and compliance guidance.

ContractsCounsel verified
Transactions Attorney
23 years practicing
Free Consultation

Engaging Transactions Attorney with extensive experience in commercial real estate / project finance that possesses a winning blend of subject matter expertise, skill in client relationship management, and practical experience. Leverages a unique mix of legal, strategic, and analytical expertise, consistently meeting and surpassing client expectations. Specialties: Commercial Real Estate Law, Contract Negotiation, Procurement, Lease/Buy/Sell Transactions, Business Consultations, Team Leadership, and Economic Development

ContractsCounsel verified
Principal
3 years practicing
Free Consultation

Miami-based duly licensed attorney and customs broker with significant experience in various types of supply chain business agreements, as well as experience in entertainment law.

Find the best lawyer for your project

Browse Lawyers Now

Want to speak to someone?

Get in touch below and we will schedule a time to connect!

Request a call