The California Consumer Privacy Act (CCPA) is a state statutory law that establishes privacy and data security standards for processing the personally identifiable information of California residents.

Applicability

The CCPA governs businesses that collect the personal information of consumers. The term “business” includes a wide range of business organizations that engage in commercial activities, which clearly excludes state and local government agencies, public utilities, and academic institutions.

Further, the businesses that are covered in the definition are limited to those that have an annual gross revenues in excess of twenty-five million dollars ($25,000,000); collects the personal information of 50,000 or more consumers, households, or devices; or derives 50% or more of its annual revenues from selling consumers’ personal information. The CCPA only places obligations on those businesses that determine the purposes and means of the processing, rather than those that collects on behalf of others.

The term “personal information” is defined by lengthy provisions that enumerate specific examples of what information is included and specific exceptions of what information is not included within the definition. Generally, personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Requirements

The CCPA extends the state constitutional and common law right of privacy to include the following Californian data subject rights:

  • to be informed about what personal information is being collected about them.
  • to be informed whether their personal information is sold or disclosed and to whom.
  • to opt-out of the sale of personal information.
  • to access their personal information.
  • to request the deletion of their personal information.
  • to equal service and price, notwithstanding if they exercise their privacy rights (non-discrimination).

Enforcement & Liability

The California Attorney General is authorized to enforce compliance with the CCPA. There is also a private right of action provided to individuals harmed by violations of the CCPA. Thus, a California resident may lodge a civil suit against a violator to recover damages resulting from non-compliance with the CCPA; however, that right is limited only to violations of the data security provisions that result in the unauthorized access, theft, or disclosure of the data subject’s personal information. A private right of action is expressly denied for any other obligations mandated by the CCPA.

Penalties

A data subject may recover in a civil lawsuit damages, injunctive and declaratory relief, and any other relief deemed proper by the court. Damages are set at $100-$750 per consumer for each incident, or the actual damages, whichever is greater.