The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act of 2018 (“CCPA” or “the Act”) became effective on January 1, 2020, and is codified at §§1798.100-199 of the Civil Code. The Act offers new and wide-ranging privacy rights for California residents, including a right to be informed about personal data collected by a business and rights to access and delete that information, a right to prevent personal information from being sold to third parties, and a right to data portability. The law applies to all businesses that collect or use this personal information, not just those companies operating in California. The California Attorney General may bring actions for civil penalties of up to $7,500 per violation, and there is a limited private right of action for individual victims of data breaches for penalties ranging between $100-750 per violation.
In September of 2018, then-California Governor Jerry Brown signed into law S.B. 1121, which amended the CCPA by correcting grammatical and spelling errors, clarifying some aspects of the law, and making several substantive changes. Aspects that were clarified include:
- Information that nominally falls under one or more of the categories of “personal information” cited in §140(o)(A)-(K) is only personal information if it “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household”
- The consumer private right of action only applies to violations of §150(a), which addresses security procedures and practices
- The Act does not apply if it is in conflict with the U.S. Constitution
Substantive changes include:
- Allowing a business to disclose the consumer’s right to deletion of his/her personal information in a form that is “reasonably accessible to consumers”; previously, the Act required such information to be listed on a business’s website or in its privacy policy
- Exempting personal information collected under the California Financial Information Privacy Act; this is in addition to personal information subject to the Gramm-Leach-Bliley Act, which was already exempt under the CCPA
- Exempting health care providers and covered entities “to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information” as it does under the Confidentiality of Medical Information Act (California’s HIPAA analog) or under HIPAA
In October of 2019, California Governor Gavin Newsom signed into law several bills passed by the California legislature that address data protection, most of which were directed at the CCPA. Overall, the substance and strength of the Act remain the same, but there are some additions and caveats that merit review by data protection professionals:
- A.B. 1202. Data brokers. Data brokers must now register with the California Attorney General’s office.
- A.B. 25. CCPA amendment. One-year exemption for “employee” data.
- A.B. 874. CCPA amendment. Adds “reasonably” to the definition of “personal information.”
- A.B. 1355. CCPA amendment. One-year exemption for “business-to-business” data; numerous drafting errors corrected.
- A.B. 1146. CCPA amendment. Exemption for certain information related to motor vehicle repairs and recalls.
- A.B. 1130. Breach notification. Adds new types of personal data subject to the state breach notification statute.
Below is an unofficial version of the Act that incorporates all previous amendments.