surfer background with lock shape and CCPA overlay

California's Privacy Law Summary

David Gibson

Privacy has grown into a defining issue of our current digital era. And for good reason. According to Norton, in just the first six months of 2019 there were over 4 billion records breached in the US. Governments around the globe have been reacting to the demands of citizens for greater control of their personal information and privacy. In the US, as of Jan 1, 2020, California Consumer Privacy Act (CCPA) will provide protections that will greatly affect many businesses and digital marketers. 

Businesses that have already complied with GDPR are in good shape, but not out of the woods. For example under GDPR a business does not necessarily need the individual's consent to collect and use data, in which case the individual does not have a general opt-out right. But CCPA grants individuals an absolute right to opt out of the sale of their personal information and obligates businesses to add a "Do Not Sell My Personal Information" link on websites and mobile apps.

The law goes into effect Jan 1, 2020, but enforcement is delayed until July 1, 2020. The law is quite extensive, and regulations have not been finalized. As such, the following is a summary of where it now stands. 

CCPA - What Businesses Must Comply?

CCPA applies to all US businesses that collects consumers’ personal information, doing business in California, and meet at least one of the following criteria:

  • Has annual gross revenues in excess of $25 million;
  • Buys or sells the personal information of 50,000 or more consumers or households; or
  • Earns more than half of its annual revenue from selling consumers' personal information.

Potential Cost of Failure Affecting California Residents

The California Attorney General can impose fines up to $7,500 for each intentional violation or $2,500 for each unintentional violation.

Civil class actions in the case of data theft or breaches can sue for damages between $100-$700 per resident and incident, or actual damages, whichever is greater. Taking a modest breach affecting 100K residents could cost between $10M-$75M.

Defining “Personal Information”

“The bill… would define ‘personal information’ with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information.” It’s very broad and the bill covers a long list of specific data types that include

  • Biometric data
  • Household purchase data
  • Family information (e.g., how many children)
  • Geolocation
  • Financial information
  • Email address
  • Unique personal identifier
  • IP address

Key Provisions

  • Businesses must inform consumers of their intent to collect personal information.
  • Consumers have the right to know what personal information a company has collected, where the data came from, how it will be used, and with whom it’s shared.
  • Consumers have the right to prevent businesses from selling their personal information to third parties.
  • Consumers can request businesses to remove the personal information that the business has on them.
  • Businesses are prohibited from charging consumers different prices or refusing service, even if the consumer exercised their privacy rights.
  • Forbids businesses from selling the personal information of children under age 16 unless the parent (of children under age 13) or the child (age 13 to 16) opt in to the sale.
  • Allows consumers to sue companies that allow your personal information to be accessed or stolen through a data breach. 

In sum, businesses that are already compliant with GDPR will be in good shape but will need to take additional steps to meet CCPA.