The Who, What, Where, Why, and When of the CCPA

By Drift


Businesses love acronyms. Lawyers love acronyms.

In 2018, the acronym of the year was GDPR.

As for 2019’s acronym of the year? That’s easy. The CCPA, otherwise known as the California Consumer Privacy Act. Okay, technically the CCPA was signed into law on June 28, 2018, but that means all the prep (and maybe a little bit of panicking) has taken place in 2019.

Let me back-up for a second. I’m Sarah Gatti, Associate Corporate Counsel for Drift, and I’ll be taking you through the “5 Ws” of the CCPA. Just like what we saw with the European Union’s GDPR (General Data Protection Regulation), the CCPA is a complex regulation that has a lot of people and businesses on edge, to say the least. But with a solid understanding of what it means for your business and the preparation required, you can be well on your way to compliance too.

Now, onto the 5 Ws…

Who does the CCPA cover?

In short, people in California and businesses operating in California.

The CCPA is state law (see here for the fine print) and, as such, it applies only to consumers in California and to businesses that are collecting or selling personal information data (PI) in California. Because it is only state law, the CCPA does not apply to everyone in the US or doing business in the US. In other words, the CPPA does not apply to PI collected wholly outside of California – it does not apply to PI collected outside of CA from people outside of CA.

What is the CCPA?

The CCPA is the U.S.’s first data regulation law on the books! The CCPA may be thought of as California’s version of a data regulation, much like the EU’s infamous GDPR. The CCPA is a law geared toward consumer data protection and privacy. It allows people to control what happens with their PI and gives them methods of recourse if a company does not follow their requests.

The primary rights the CCPA gives consumers are:

  • Consumers may request that a business collecting PI disclose the categories of PI it collects, as well as the specific PI the business has collected on that individual and the purpose of the PI collection.
  • Consumers may request that a business collecting PI delete any PI it collected on them.
  • Consumers may request that a company disclose the categories of PI it sells and the purpose of any such sale, as well as their PI that the business has sold.
  • Consumers may opt-out of having their PI sold by a business.

Any of these requests can be exercised by an individual consumer no more than twice per year.

Businesses must comply with these requests free of charge and within no more than 45 days following receipt of each request. Businesses must also disclose whether or not they sell the PI they collect and provide a clear and accessible way (generally a telephone number, email, or website) for a consumer to make any of the requests above, as well as opt-out of the business’s sale of their PI. Additionally, businesses must provide a clear description of a consumer’s rights with respect to the collection and sale of their PI, typically on their website.

Additionally, a consumer’s opt-out or request cannot adversely affect their dealings with that business. A business must respect any opt-outs for a period of at least one year before going back to the consumer and asking if they would like to opt-in or remain opted out. For example, a business cannot charge more for the same services because the consumer opted out of the sale of their PI. A business can, however, offer incentives to customers to opt-in and allow the sale of their PI.

Businesses have a duty under the CCPA to “maintain reasonable security procedures and practices” to protect the PI in a manner proportionate to the nature and sensitivity of the PI. If a consumer’s PI is compromised or disclosed, either by unauthorized access, theft or otherwise, because of a Business’s failure to reasonably protect the PI, the consumer can sue the business for monetary damages, an injunction, or any other appropriate redress. But, the consumer must notify the business and allow 30 days for the business to cure the issue. The consumer must also notify the California Attorney General of the suit, who can further pursue the lawsuit against the business.

A sale of PI under the CCPA is not just a typical sale as we’d ordinarily think of it. A sale is construed very broadly as any activity that involves sharing the PI with a third party where that third party adds value for the business sharing the PI.

Where does the CCPA apply?

California. The CCPA applies to people who are in California when their data is collected. It also applies to the collection or sale of data that occurs in California, regardless of where the individual providing the data is located when they provide their data to the business.

In other words, the CCPA does not apply to the collection or sale of data wholly outside of California from a person who is providing that data from outside of California.

Why was the CCPA passed?

The right of privacy is protected under California’s Constitution. The right of privacy gives individuals the right to control what information about them is collected, where it goes and what is done with it.

The aim of the CCPA is for people to know if their information is collected and sold. Along with that, it’s for people to know what information companies have about them, to understand what companies are doing with their information, and to give people a form of recourse if companies collect or sell their data against their wishes.

When does the CCPA go into effect?

The CCPA goes into effect on January 1, 2020. So, there are less than three months left in 2019 until compliance becomes mandatory for businesses operating in California or collecting data from people in California.

*Nothing in this article is intended to be, nor should it be, construed as legal advice from Drift or Drift’s legal team.