By: Cody J. Cocanig, Esq.

In June 2018, the California legislature passed AB 375, known as the California Consumer Privacy Act of 2018 (CCPA or the Act), and it goes into effect on January 1, 2020. This article is intended to give a brief and high-level overview of the CCPA. Before its effective date the Act will also be subject to implementing regulations adopted by the California Attorney General, and possibly one or more of the proposed amendments currently working their way through the California legislature. Stay tuned for further updates on this first-in-the-nation personal data privacy law.

What is the purpose of the CCPA? The CCPA gives new rights to California residents with regard to their personal information, including the right to learn what categories of information are collected, whether that information has been shared with third-parties, and to request that the information be deleted. It also imposes new data protection duties on certain entities that conduct business in California, including an implied obligation to implement and maintain reasonable security procedures and practices to protect consumers’ personal information.

What businesses are covered? The CCPA applies to businesses (including sole proprietorships, partnerships, limited liability companies, corporations, associations, and other legal entities) that collect, share, or sell California residents’ personal data. It is worth noting that it does not require that the business be located in California–thus it reaches business worldwide so long as their consumers are California residents. Its obligations are only imposed on for profit entities—or their parent company or subsidiaries—that do business in California and also meet one of the following thresholds:

  1. Has annual gross revenues in excess of twenty-five million dollars (adjusted for inflation); or
  2. Annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices (alone or in combination); or
  3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.[1]

Although the text of the statute does not specifically mention whether its broad definition encompasses employers and their employees, if a business meets one of the three thresholds above, coupled with the CCPA’s definition of consumers as “any California resident,” it could suggest that the CCPA applies to an employee’s personal information. But, there is hope for employers. The California Assembly has passed AB 25. If passed by the California Senate, and signed by the Governor, AB 25 would exclude job applicants, employees, agents, and contractors from the definition of “consumer.” Stand by to see if this bill becomes law.

Nonetheless, even if Assembly Bill 25 does become law, employers still need to comply with the CCPA for employees that are also consumers under the Act. Think of package shipping companies, banks, and large restaurant chains, for example, where their employees may also be their consumers. If the individual is both an employee and also a customer, any information collected from the individual in their capacity as a customer will remain subject to the CCPA.

What is personal information? The CCPA defines “personal information” into eleven categories including, but not limited to, the following:

  1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  2. Any categories of personal information described in subdivision (e) of Section 1798.80.
  3. Characteristics of protected classifications under California or federal law (e.g. race, religion, age, medical condition, disability, sex, sexual orientation, veteran or military status, etc.).
  4. Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
  5. Biometric information.
  6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
  7. Geolocation data.
  8. Audio, electronic, visual, thermal, olfactory, or similar information.
  9. Professional or employment-related information.
  10. Education information, defined as information that is not publicly-available, personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
  11. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

What rights does the CCPA give to consumers? The CCPA requires businesses to provide a general notice about the business’s overall activities, at or before the point of collection, informing consumers as to the categories of personal information it collects, and its intended purposes for which the personal information will be used. It also gives consumers the ability to submit a request to a business to disclose categories and specific pieces of personal information that the business has collected from that individual in the past 12 months, and also to request that a business delete any personal information about the consumer which the business has collected. The CCPA also prohibits businesses from discriminating against consumers for exercising their rights under the Act (for example, by denying goods or services, or providing a different quality of goods or services).

How do businesses comply? Businesses will be best served if they start making necessary changes in advance of the January 1, 2020 effective date, particularly because, as the law is currently written, consumers are permitted to ask for informant collected or shared in the past 12 months—meaning a request served on January 1, 2020 could require a business to provide information dating back to January 1, 2019. Businesses should start by updating or creating privacy notices that comply with the CCPA, to generally notify consumers as to the categories of personal information it collects, and its intended purposes for which the personal information will be used—including whether that information will be shared with, or sold to, third-parties.

Next, implement policies and procedures to respond to consumer requests for their specific information. This requires making available to consumers two or more designated methods for submitting requests for their information, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address. Businesses that receive a request for information must provide the requested information free of charge within 45 days, but can extend the deadline by up to another 45 days if certain exceptions are met.

Importantly, businesses must provide a clear and conspicuous link (titled “Do Not Sell My Personal Information”) on the business’ Internet homepage that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business cannot require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.

What happens if businesses do not comply? Consumers must first provide businesses with 30 days’ written notice identifying specific violations of the CCPA. If the business is able to cure the violation, it should respond to the consumer in writing letting them know that the violation has been cured, and that no further violations will occur. If the business does not, or cannot correct the violations within 30 days, then the business could be subject to civil penalties ranging between $100 and $7,500 per incident, and actual damages suffered by consumers. Under some circumstances, such as a consumer suffering pecuniary damages as a result of a violation of the CCPA, the 30-day notice requirement is suspended.

As with most laws, there are exceptions and nuances making navigation of the CCPA technical and difficult. If you would like help understanding whether the CCPA applies to your business entity, please feel free to reach out to Brown Law Group for advice.


[1] There are additional exclusions, such as entities covered by the Confidentially of Medical Information Act, consumer reporting agencies, and business that have information collected or sold under the federal Gramm-Leach-Bliley Act, as well as others.

This entry was posted in Articles, Newsletter Archives. Bookmark the permalink.