Data privacy law: A-Z about the California Consumer Privacy Act, CCPA of 2020 

04-12-2024 | 8 min read | Business to Government compliance, GDPR Compliance

Introduction 

Data gives organisations customer insights that open up new opportunities for value creation. It is also why users receive more personalised search results today, which benefits businesses and users alike. Amid all of this, data privacy is the topic that most often draws the spotlight: protecting personal data is of utmost importance in today's digital landscape, and it matters to everyone, as individuals, as clients, and as employees. The growing frequency of cyber threats and cyberattacks only reinforces that importance.

Spotlight on the California Consumer Privacy Act, 2020 

The drive to protect consumer data is strong across the world. From the GDPR in the EU to Loi 25 in Quebec, the PDPA in Argentina, the DPDP Act in India, and many others, governments are putting their best foot forward to ensure data privacy. We have covered several of these laws previously; this month, we focus on the California Consumer Privacy Act (CCPA).

What is the California Consumer Privacy Act 2020? 

The California Consumer Privacy Act (CCPA) is a data protection law of the state of California, United States, that grants California residents new rights over their personal information and imposes data protection obligations on organisations doing business in California. The law was enacted in 2018 and came into effect on January 1, 2020.

California was the first state in the United States to adopt a comprehensive privacy law covering the protection and security of consumer data. Many of the CCPA's obligations on businesses resemble those of the General Data Protection Regulation (GDPR) in the EU; nevertheless, a business that already complies with another data protection law may still have additional obligations under the CCPA. Given the broad reach and intricate nature of the law, understanding its critical nuances is imperative not just for organisations in California but for any organisation worldwide that handles the personal information of California residents. Note that the California Privacy Rights Act (CPRA), approved by voters in November 2020, amended the CCPA with effect from January 1, 2023; this article describes the CCPA as it took effect in 2020 and flags the main CPRA changes where relevant.

What comes under the California Consumer Privacy Act? 

To understand the law, you must first be familiar with what exactly comes under the protection of the CCPA. The law grants personal information rights to consumers, defined as natural persons who are residents of California. This is broader than the customers of household goods and services; it also covers, for example –

  • Individual contacts at business customers or vendors.

The CCPA defines personal information broadly: it is any information that, directly or indirectly –

  • identifies, relates to, or describes a particular consumer or household; or
  • is reasonably capable of being associated with, or could reasonably be linked with, a particular consumer or household.

The CCPA therefore protects data even when it does not relate to a named individual. Because households and devices are covered, data tied to a unique identifier (such as a device identifier or cookie) is protected just as data tied to a person's name is.

Who must comply with the regulations of CCPA? 

Now that you have an idea of what the CCPA covers, let’s see who must comply with the regulations of this data privacy law.  

The CCPA applies to “businesses”, defined as for-profit entities (sole proprietorships, corporations, associations, limited liability companies, or other legal entities) that –

  • collect consumers' personal information, directly or through others on their behalf;
  • determine the purposes and means of processing that information, alone or jointly with others; and
  • do business in the State of California.

In addition, such an entity is a “business” under the CCPA only if it meets at least one of the following thresholds –

  • annual gross revenue exceeding $25 million (adjusted for inflation);
  • annually buys, receives, sells, or shares, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices (alone or in combination); or
  • derives 50% or more of its annual revenue from selling consumers' personal information.

Note that the CPRA amendments (effective January 1, 2023) raised the second threshold to 100,000 or more consumers or households, dropped devices from it, and extended the third threshold to revenue from selling or sharing personal information.

What are the exceptions to CCPA? 

The CCPA provides several exceptions to its application, which fall into the following groups –

  • Jurisdictional exceptions, where:
    • the commercial conduct takes place wholly outside California; or
    • the data is collected in a single, one-time transaction and none of it is retained.
  • Conduct already covered by industry-specific privacy or data protection law, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Fair Credit Reporting Act (FCRA), or the Gramm-Leach-Bliley Act (GLBA).
  • Common business operations, such as the transfer of personal information as part of a larger merger or acquisition.
  • Legal and conflict-of-laws issues, such as complying with other laws, defending legal claims, or cooperating with law enforcement.

What are the rights of the consumers under CCPA? 

Data privacy laws, whether the CCPA or any other, are created with consumers and the protection of their data in mind, so it is only fair that they give consumers enforceable rights. Under the CCPA, consumers are granted the following rights –

1. Consumers have the right to know how businesses collect, use, and share their personal information. This covers:

  • The general disclosures a business must make in its privacy notice (the categories of personal information collected, the sources, the business purposes, and the categories of third parties it is shared with)
  • On request, the specific pieces of personal information the business holds about the consumer

2. Consumers have the right to request deletion of the personal information a business holds about them, subject to specific exceptions (for example, where the information is needed to complete a transaction the consumer requested, or to comply with a legal obligation).

3. The right to opt out of the sale of their personal information. Age matters here –

  • Consumers aged 16 or older may opt out of sales at any time.
  • For consumers under 16, a business may not sell their personal information at all without affirmative opt-in authorisation: from the consumer themselves if they are aged 13 to 15, or from a parent or guardian if they are under 13.

4. Consumers have the right not to be discriminated against for exercising their CCPA rights.

5. In practice, this means a business may not deny goods or services, charge a different price, or provide a different level or quality of service because a consumer exercised a CCPA right; consumers who exercise their rights will not be penalised. Financial incentives tied to the collection, retention, or sale of personal information are permitted only if they are disclosed and reasonably related to the value of the consumer's data.

What are the business obligations under the CCPA data protection law? 

Under California's data privacy regulation, businesses must take measures to ensure compliance. That starts with reviewing the data inventory together with collection and sharing practices; this determines which sections of the CCPA apply to the business, in particular whether consumers' personal information is being sold.

Businesses must do the following to meet the obligations of California's data privacy law –

  • Implement and maintain reasonable security practices and procedures, appropriate to the nature of the information, to protect consumers' personal information from unauthorised access, destruction, use, modification, or disclosure.
  • Make all required CCPA notice disclosures, including:
    • A notice at the point of data collection
    • A privacy policy that meets the CCPA's content requirements
    • A notice of the right to opt out of the sale of personal information (the “Do Not Sell My Personal Information” notice)
    • A notice of financial incentives, if any are offered
  • Honour consumers' CCPA rights, and establish internal procedures to receive, verify, and respond to rights requests.
  • Review any differences in price, service, or quality that are tied to the collection, retention, or sale of consumers' personal information, to ensure they are not discriminatory.
  • Review contracts with service providers and other third parties that receive personal information, so that they align with the CCPA's requirements.
  • Comply with the employee training and record-keeping requirements.

Are there any CCPA enforcement requirements? 

Under the CCPA, regulatory and enforcement authority is vested in the Attorney General (AG) of California. Before bringing an action for a violation, the AG must notify the business of the alleged violation and allow it at least 30 days to cure. If the business fails to cure within that period, the AG may bring a civil action seeking penalties of up to –

  • $2,500 per violation
  • $7,500 per intentional violation

Whether these civil penalties are counted per affected individual, which could produce hefty aggregate fines, has not been clearly settled by the authorities. Note also that the CPRA amendments (effective January 1, 2023) removed the mandatory 30-day cure period, created the California Privacy Protection Agency (CPPA), which now shares enforcement authority with the AG, and extended the $7,500 penalty to violations involving the personal information of consumers under 16.


Private right of action under the California Consumer Privacy Act 

Interestingly, the CCPA goes a step further by creating a private right of action: a consumer may sue a business directly over the unauthorised access and exfiltration, theft, or disclosure of their non-encrypted and non-redacted personal information, where this results from the business's failure to implement and maintain reasonable security procedures and practices.

This right covers only a narrow subset of personal information: the categories defined in California's data breach statute (for example, a name combined with a Social Security number, driver's licence number, financial account number together with its access code, or medical information). These are largely the same data elements whose compromise obliges a business to give notice of a data breach, so a breach that triggers notification may also expose the business to a private action. Under the CCPA private right of action, a consumer may seek:

  • Statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater
  • Injunctive or declaratory relief
  • Any other relief the court deems proper

Bear in mind that, for statutory damages, the consumer must first give the business a chance to cure. Before filing a lawsuit seeking statutory damages:

  • The consumer must give the business written notice identifying the specific CCPA provisions alleged to have been violated, and 30 days to cure them (if a cure is possible).
  • If the business cures the violations within the 30 days and provides the consumer with an express written statement that it has cured them and that no further violations will occur, no action for individual statutory damages may be brought.
  • If the business does not cure, or continues the alleged violations, the consumer may file suit for statutory damages covering the original violations and any new violations occurring after the notice. If the business breaches its written statement, the consumer may sue for that breach as well as for any other violation that follows it.

No such notice is required before a suit seeking only actual pecuniary damages.

Key takeaways  

  • Under the CCPA, consumers must be notified, at or before the point of collection, about the collection of their personal information.
  • Businesses must respond to consumer rights requests within a specific time period (generally 45 days of receipt, extendable once by a further 45 days where reasonably necessary).
  • Records of all consumer requests, and of how each was handled, must be kept.
  • Businesses must keep consumers informed and be transparent about their data privacy policies and practices.
  • Any financial incentive offered in exchange for the collection, retention, or sale of personal information must be disclosed to consumers.

Overall, the CCPA is built on stringent rules that not only protect consumers but also give them rights to act on violations affecting their data. With data privacy holding such a strong position in today's world, TJC Group's efforts to educate audiences about the various laws across the world will continue.

Stay tuned for more articles on data privacy laws.  


Data privacy series: At a glance

  • All about The New Jersey Data Protection Act (NJDPA) (coming soon) 
  • All about South Korea data protection law (PIPA): Everything you need to know (coming soon) 
  • Data protection laws in the Middle East (coming soon)