1. Preface
With the passage of the California Consumer Privacy Act (CCPA) in 2018, the face of California's privacy laws underwent a huge change. As the first comprehensive data privacy law in the United States, CCPA marked the beginning of a new era in American privacy laws and led other states to introduce similar consumer privacy laws. The introduction of CCPA means that businesses must comply with strict obligations on how they handle, sell, and share the personal information of California residents, who are granted some consumer privacy rights related to their data processing.
In 2020, the California Privacy Rights Act (CPRA) was passed, imposing additional obligations on businesses that sell or share personal information and granting consumers additional rights. The CPRA took effect on January 1, 2023, and expanded the requirements already in place under the CCPA regulations.
In addition to the CCPA and CPRA, California has a number of sector-specific laws that protect the personal information and privacy of California residents, including the Shine the Light Act and the California Invasion of Privacy Act.
In this guide, our goal is to gain a comprehensive understanding of California's privacy laws, the new rights granted to consumers by CPRA, and the interpretation of other key terms.
2. California Privacy Law Timeline
June 28, 2018: Governor Jerry Brown signed CCPA into law.
December 17, 2019: The California Attorney General (AG) released the title and summary of the CPRA ballot initiative, opening it for signature by California residents so that it could qualify for the November 2020 ballot.
January 1, 2020: The CCPA went into effect.
July 1, 2020: Enforcement of the CCPA began. The regulations removed the 'Do Not Sell My Information' wording, changed the term 'Minor' to 'Consumer', and stipulated that the process for submitting an opt-out request must be easy for consumers to execute and require the fewest possible steps to opt out.
November 4, 2020: The CPRA was passed with 56% of the vote.
December 10, 2020: The AG released proposed amendments to the CCPA regulations, proposing the introduction of an opt-out button icon and several provisions on its use.
March 15, 2021: The AG announced the approval of additional CCPA regulations prohibiting 'dark patterns' that delay or obscure the process for opting out of personal information sales, as well as confusing language and unnecessary, burdensome steps such as forcing consumers to click through multiple screens or presenting reasons why they should not opt out.
March 17, 2021: The California Attorney General announced the establishment of the California Privacy Protection Agency (CPPA).
January 1, 2023: The CPRA comes into effect. The CPRA applies to personal information collected after January 1, 2022.
3. Scope of CCPA applicability
3.1 Scope of Individuals
The CCPA protects California consumers and requires businesses to fulfill certain obligations regarding the processing of personal information. A business is defined as a for-profit entity that does business in California and determines the purposes and means of processing consumers' personal information. Under the CCPA, the business must also meet at least one of the following thresholds:
Annual total revenue exceeding 25 million US dollars;
Annually purchases, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes;
Derives 50% or more of its annual revenue from selling consumers' personal information.
3.2 Territorial Scope
The territorial scope of the CCPA applies to companies that conduct business in California.
Commercial activity is treated as taking place wholly outside California if the business collected the information while the consumer was outside California, no part of the sale of the consumer's personal information occurred in California, and no personal information collected while the consumer was in California is sold.
3.3 Scope of Materials
The CCPA generally covers the processing of consumer personal information, which is defined as any operation performed on personal data, whether or not by automated means.
Under the CCPA, 'collection' refers to “purchasing, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.”
'Sale' includes “renting, disclosing, publishing, disseminating, providing, transferring, or otherwise communicating personal information in exchange for money or other valuable consideration.”
It is worth noting that a business's use of, or sharing of, consumer personal information with a service provider does not constitute a sale of personal information as long as the following conditions are met:
The business has provided notice in its terms and conditions that the information will be used or shared;
The service provider does not further collect, sell, or use the consumer's personal information except as necessary to perform the business purpose.
3.4 Exemptions
The CCPA has many exemptions, including:
Nonprofit organizations and public sector organizations
The CCPA's obligations do not apply to “aggregate consumer information”, defined as information relating to a group or category of consumers from which individual consumer identities have been removed and which is not linked or reasonably linkable to any consumer or household.
“Deidentified” information is also outside the scope of the CCPA. This refers to information that cannot be reasonably identified, associated, described, or linked directly or indirectly to a specific consumer. Companies using deidentified information should ensure that they take technical and organizational measures to prevent re-identification.
The CCPA explicitly excludes the collection and sharing of certain categories of personal information, including:
Employee data, including information collected from individuals during the process of being an employee or job seeker;
Medical information and protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Medical Information Privacy Law;
Information collected as part of a clinical trial;
Selling information to consumer reporting agencies or buying information from consumer reporting agencies;
Personal information under the Gramm-Leach-Bliley Act (GLBA);
Personal information protected by the Driver Privacy Protection Act (DPPA);
Publicly available personal information, defined as information lawfully made available from federal, state, or local government records.
CCPA also excludes some specific processing activities from the definition of 'sale', including:
A consumer uses or directs the business to intentionally disclose personal information to a third party, or intentionally interacts with a third party. 'Hovering over, muting, pausing, or closing a given piece of content does not constitute the consumer's intent to interact with a third party';
The business shares an identifier indicating that the consumer has opted out of the sale of their personal information to third parties;
Businesses share personal information necessary for the 'business purpose' defined by CCPA with service providers;
Businesses transfer personal information as part of an asset transfer in mergers, acquisitions, bankruptcy, or similar transactions to third parties. However, the right to opt out still applies if the third party changes the way it uses personal information in a manner inconsistent with the commitments made at the time of collection.
4. How does the CCPA define personal information?
The CCPA broadly defines personal information as information that 'identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household'.
The CCPA lists specific categories of personal information, including but not limited to:
Identifiers, such as real name, alias, postal address, IP address, email address, social security number, driver's license number, passport number, or other similar identifiers;
Commercial information, such as records of personal property, products, or services purchased, obtained, or considered, or other purchase or consumption history;
Biometric information, such as DNA, fingerprints, and iris scans;
Internet information, such as browsing history, search history, and information about consumer interactions with websites;
Geolocation data;
Audio, electronic, visual, thermal, or similar information;
Professional or employment-related information;
Educational information, provided that it is not publicly available;
Inferences drawn from any of the above information to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
5. What are businesses and service providers under the CCPA?
Businesses covered by the CCPA are for-profit entities doing business in California that determine the purposes and means of processing consumers' personal information; the definition is similar to that of a controller under the GDPR.
A service provider is a for-profit entity that processes personal information on behalf of a covered business. If the service provider violates the CCPA in its use of personal information received from the business, the service provider is subject to civil penalties.
6. How does the CCPA define children?
The CCPA stipulates that minors who are at least 13 and under 16 years of age must themselves consent to the sale of their personal information by a business. For minors under the age of 13, a parent or guardian must explicitly authorize the sale of the minor's personal information.
7. What consumer rights does the CCPA cover?
The CCPA sets out several consumer rights that help raise awareness of, and give better control over, how businesses handle, share, or sell consumers' data. The CCPA grants California residents the following consumer rights:
Right to know/access
Right to deletion
Right to opt-out of the sale of personal information
Right to non-discrimination
Businesses should pay close attention to these rights and to the specific requirements for exercising them. For example, a business should provide consumers with a 'Do Not Sell My Personal Information' link on its website.
8. Will businesses be fined for violating the CCPA?
Businesses found to be non-compliant with the CCPA are subject to fines ranging from 2,500 US dollars per unintentional violation to 7,500 US dollars per intentional violation, with no statutory cap on the total penalty. Penalties are assessed and recovered through civil actions brought in court by the California Attorney General.
The CCPA also gives individuals a private right of action to seek damages, but only for breaches of security obligations or data breaches. Each consumer is entitled to between 100 and 750 US dollars per incident or actual damages, whichever is greater. Note that this civil remedy is available only when nonredacted and unencrypted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to meet its security obligations.
On March 17, 2021, the establishment of the five-member board of the California Privacy Protection Agency (CPPA) was announced. The agency supervises, implements, and enforces the CCPA and CPRA, a responsibility previously held by the California Attorney General.
9. What are the differences between the CCPA and CPRA?
The CPRA was passed on November 3, 2020, and took effect on January 1, 2023. Many of its provisions apply to personal information collected from January 1, 2022 onwards. There are several key differences between the CCPA and CPRA, and the CPRA also redefines consent, which must be:
(1) freely given, (2) specific, and (3) a clear indication of the consumer's wishes, for example by a statement or a clear affirmative action.
The table below highlights some of the key differences side by side.
9.1 Eligibility Conditions
| CCPA | CPRA |
|---|---|
| For-profit businesses that do business in California, collect personal information from California residents, determine the purposes and means of processing it, and meet any of the following conditions: • annual total revenue exceeding 25 million US dollars; • purchasing, receiving, or selling the personal information of 50,000 or more California residents, households, or devices; or • deriving 50% or more of annual revenue from the sale of California residents' personal information. | For-profit businesses that do business in California, collect personal information from California residents, determine the purposes and means of processing it, and meet any of the following conditions: • annual total revenue exceeding 25 million US dollars; • purchasing, selling, or sharing the personal information of 100,000 or more California residents or households; or • deriving 50% or more of annual revenue from the sale or sharing of California residents' personal information. |
9.2 Consumer Rights
| CCPA | CPRA |
|---|---|
| The CCPA grants consumers the following rights: • the right to know/access • the right to deletion • the right to opt out of the sale of personal information • the right to non-discrimination | All rights under the CCPA, plus: • the right to correction • the right to limit the use and disclosure of sensitive personal information |
9.3 Covered Personal Information
| CCPA | CPRA |
|---|---|
| ‘Personal information’ is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. | Personal information, plus ‘sensitive personal information’, including Social Security number, driver's license number, biometric information, precise geolocation, and information about racial or ethnic origin, among other categories. |
9.4 Third-Party Service Providers
| CCPA | CPRA |
|---|---|
| ‘Service providers’: entities that process personal information on behalf of a business under a written contract. | Also includes ‘contractors’: entities to which a business makes consumer personal information available for a business purpose under a written contract. |
9.5 Enforcement Requirements
| CCPA | CPRA |
|---|---|
| • The Attorney General can pursue violations • Consumers have a private right of action for certain violations • Businesses have a 30-day cure period before the AG can fine them | • Establishes the California Privacy Protection Agency for enforcement and guidance • Consumers have a private right of action for certain violations • Businesses no longer have a 30-day cure period before the CPPA can fine them |
9.6 Selling and Sharing
| CCPA | CPRA |
|---|---|
| ‘Selling’: disclosure for money or other valuable consideration | ‘Selling’: disclosure for money or other valuable consideration. ‘Sharing’: a business's disclosure of personal information to a third party for targeted (cross-context behavioral) advertising, even where no money changes hands |
9.7 Private Litigation Rights
| CCPA | CPRA |
|---|---|
| Available when a consumer's nonredacted and unencrypted personal information is breached because the business failed to implement and maintain reasonable security measures. | In addition to nonredacted and unencrypted personal information, the private right of action also covers breaches of an email address in combination with a password or security question and answer that would permit access to the account. |
9.8 Use Limitation
| CCPA | CPRA |
|---|---|
| Not applicable | Collection, retention, and use should be limited to the scope necessary to provide goods or services. |
9.9 Personal Information of Minors
| CCPA | CPRA |
|---|---|
| Not applicable | Violations involving the personal information of minors are automatically subject to a $7,500 fine |
9.10 Cybersecurity Audit
| CCPA | CPRA |
|---|---|
| Not applicable | Businesses whose processing poses a significant risk to consumer privacy or security must undergo annual cybersecurity audits |
9.11 Risk Assessment
| CCPA | CPRA |
|---|---|
| Not applicable | Businesses whose processing poses a significant risk to consumer privacy or security must submit risk assessments to the CPPA on a regular basis |
9.12 User Profiling and Automated Decision-Making
| CCPA | CPRA |
|---|---|
| Not applicable | • ‘Profiling’: any form of automated processing of personal information to evaluate certain personal aspects of a natural person, such as work performance, health, or reliability. • Regulations are expected to provide further detail on access and opt-out rights relating to the use of automated decision-making. |
10. Other California privacy-related bills
10.1 Data Breach Law
California's data breach notification law requires organizations to notify affected individuals of any unauthorized access to unencrypted data containing personal information of California residents.
Assembly Bill 1130 ("AB1130") was passed on September 6, 2019, expanding the definition of personal information under California's data breach notification law to include unique biometric data generated from measurements or technical analysis of human body characteristics, such as fingerprints or retinal or iris images, that is used to authenticate a person's identity.
AB1130 also encourages organizations that suffer a breach of biometric data to provide affected individuals with instructions on how to notify other entities that use the same type of biometric data as an authentication factor that it should no longer be relied on for authentication.
10.2 California Online Privacy Protection Act - CalOPPA
CalOPPA gives consumers residing in California certain protections for their personal data collected online. It requires operators of commercial websites and online services that collect personally identifiable information from California residents to conspicuously post their privacy policy on their website. Operators of online services may use any other reasonably accessible means to make the privacy policy available to consumers of the service.
Although CalOPPA does not prohibit online tracking, it imposes disclosure requirements concerning 'do not track' mechanisms and behavioral tracking across third-party websites. CalOPPA also applies to a broad interpretation of online services, including mobile applications. The Attorney General of California states that the term 'includes any service available over the Internet or connected to the Internet, including Internet-enabled gaming platforms, Internet voice services, cloud services, and mobile applications.'
Under CalOPPA, personally identifiable information means any information collected online by the operator from an individual and maintained in an accessible form about that individual consumer, including any of the following:
Name;
Home address or other physical address, including street name and city or town name;
Email address;
Phone number;
Social Security number;
Any other identifiers that allow physical or online contact with a specific individual;
Any information about a user that the website or online service collects online and maintains in personally identifiable form in combination with any of the above identifiers.
10.3 Shine the Light Law
The Shine the Light Law addresses the practice of businesses sharing customers' personal information with third parties for direct marketing purposes, and its scope is broad enough to reach businesses in other US states and other countries/regions. Certain businesses are exempt from the Shine the Light Law, such as those with fewer than 20 employees and financial institutions subject to the California Financial Information Privacy Act (CFIPA).
The Shine the Light Law broadly defines 'personal information' as any information that can identify, describe, or be associated with an individual, including but not limited to names and addresses, email addresses, and birth dates.
The Shine the Light Law requires that, on request from a California customer, a business inform them of:
The categories of personal information disclosed;
The names and addresses of all third parties to which the business disclosed the customer's personal information for direct marketing purposes in the preceding calendar year. If the nature of a third party's business cannot reasonably be determined from its name, the business must give examples of the products or services marketed, sufficient to reasonably indicate the nature of the third party's business.
Requests must be answered within 30 days, but a business is not required to respond to more than one request from the same customer in a calendar year.
Alternatively, a business can comply with the Shine the Light Law by adopting and disclosing a policy of not disclosing personal information to third parties for direct marketing purposes (i) unless the customer has first affirmatively agreed to the disclosure, or (ii) where the customer has exercised the right to opt out of such disclosure.
Under the Shine the Light Law, a business must also do at least one of the following:
Designate a point of contact through which customers may submit requests, and make staff aware of it; or
Add a description of customers' rights and the designated contact details for exercising them on a separate page of its privacy policy or via a link on its website; or
Make the designated contact details available to customers at every place of business in California where the business regularly interacts with customers.
10.4 California Invasion of Privacy Act - CIPA
The California Invasion of Privacy Act (CIPA) grants individuals in California certain protections for telephone communications, including landline and mobile phones, and prohibits companies, individuals, and government agencies from the following acts:
Wiretapping
Eavesdropping on or recording confidential communications without the consent of all parties
Recording mobile phone communications without the consent of all parties
Cable and satellite television operators monitoring or recording conversations within a subscriber's residence, or sharing personally identifiable information or other personal information about a subscriber's viewing habits, without the subscriber's written consent
Using electronic tracking devices
CIPA applies to businesses and individuals making telephone calls to or from California residents, regardless of whether the caller is located in California.
CIPA is enforced through criminal penalties, charged as a misdemeanor or a felony depending on the number of prior offenses (if any). For first-time offenders the fine is $2,500; for repeat offenders the maximum fine is $10,000. Any violator, first-time or repeat, may also face imprisonment. CIPA also provides a private right of action in civil lawsuits, with a penalty of $5,000 per violation or three times the actual damages, whichever is greater.