CCPA – What is it and does this apply to my organization?
As many in the U.S. were ringing in the New Year on January 1, 2020, the long-anticipated California Consumer Privacy Act (CCPA) became effective. This statute’s main intent is to protect the privacy of California residents, and many in the field of data protection and privacy have compared it to the EU General Data Protection Act (GDPR), which took effect May 25, 2018. In protecting the privacy of California residents, the CCPA grants them specific rights around their personal data and imposes duties on businesses that may collect, interact with, sell or share personal data of California residents.
What rights are granted to California residents under the CCPA? California residents have the right to opt out of personal information sales; to request disclosure of their personal information and to receive details around the personal information a business collects and its use (including third parties to whom the business has transferred the personal data); to data portability; to deletion of personal information a business has collected; and to not be discriminated against for exercising their privacy rights. Personal information is broadly defined in the CCPA and includes information that identifies, relates to, describes, is capable of being associated with or may reasonably be linked, directly or indirectly, with a particular consumer or household. Cal. Civ. Code §1798.140(o)(1). Not only does the CCPA include names, addresses, email addresses and social security numbers as personal information, but it also includes records of products or services purchased, biometric information, IP addresses, browsing history and information regarding a consumer’s interaction with a website.
What if a business is not located in California? Can this statute be ignored? Emphatically NO! CCPA applies to any for-profit organization doing business in California that satisfies at least one of the following criteria:
- Has a gross revenue greater than $25 million;
- Annually buys, receives, sells or shares the personal information of more than 50,000 consumers, households or devices for commercial purposes; or
- Earns at least 50% of its annual revenue from selling consumers’ personal information.
Businesses not located in California should pay close attention to the second criterion above. If a business’s website collects IP addresses or utilizes cookies which track a consumer’s browsing history, the threshold of 50,000 might be reached rather quickly.
The CCPA does include several exemptions. Non-profits which do not operate for “profit or financial benefit” are exempt from the CCPA’s provisions. Furthermore, health care providers who are regulated by the Health Insurance Portability and Accountability Act (HIPAA), consumer reporting agencies regulated under the Fair Credit Reporting Act and financial institutions regulated under the Gramm-Leach-Bliley Act are exempt, but only for data regulated under the aforementioned regulations. If an exempted business collects information outside of these narrow exemptions, the CCPA would be applicable and the business should implement CCPA-compliance measures. Businesses that may be exempt now should also keep track of any associated regulations or amendments to the CCPA to ensure they remain exempt.
If you have any questions surrounding the applicability of CCPA to your business or need assistance with CCPA compliance measures, please feel free to comment below, email me or connect with me on LinkedIn.
The blog content should not be construed as legal advice.