To ensure compliance with the California Consumer Privacy Act (CCPA), it is first important to understand the defined terms within it. These definitions are often different to everyday usage of the terms, and also to similar terminology used in other data protection and privacy laws.
In particular, each of the US state privacy laws has different applicability thresholds. We maintain a list of these – as of the date of this article, they consist of: California, Connecticut, Colorado, Delaware, Florida (not considered comprehensive), Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Rhode Island, Tennessee, Texas, Oregon, Utah and Virginia – along with the variances across each of the laws, so please contact us for further details.
The CCPA was amended in 2020 by the California Privacy Rights Act, and the law is elaborated on by the extensive Regulations published by the California Privacy Protection Agency (recently updated, including with respect to requirements for privacy risk assessments).
Determining Whether the CCPA Applies
The CCPA applies to organisations which fulfil the threshold criteria for a business, or (to a lesser extent) to those operating as a service provider, contractor or third party with respect to the personal information of consumers.
- A business is a company or other legal entity organised for the profit or financial benefit of shareholders or other owners, doing business in California, that collects consumers’ personal information (or has another party collect it on its behalf), that determines the purposes and means of the processing of such personal information, and which satisfies one or more of the following thresholds:
  - annual gross revenues in excess of $25 million in the preceding calendar year (as of 1 January);
  - alone or in combination, annually buys, sells or shares the personal information of 100,000 or more consumers or households; and/or
  - derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
- A third party in this context is anyone who is not either a service provider (processing personal information on behalf of the business) or a contractor (receiving personal information from the business subject to certain contractual restrictions).
- A consumer is an individual resident in California.
Personal information
There are various overlapping definitions of personal data, personal information, personally identifiable information, etc. across data protection laws. The CCPA definition is unusual in that it includes households as well as individuals:
- Personal information is information identifying, relating to, describing, reasonably capable of being associated with, or which could reasonably be linked (directly or indirectly) with a particular consumer or household. There is a long, non-exhaustive list of information which the definition covers, from names, IP addresses and social security numbers to employment-related information to internet browsing history and inferences drawn from other personal information to create profiles reflecting consumers’ preferences.
Unlike personal data under the General Data Protection Regulation (GDPR), personal information under the CCPA does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern.
It is also worth noting that the definition of sensitive personal information includes information which would not be covered by “special category” personal data under the GDPR, for example:
- social security numbers, driver’s licenses, state ID cards and passport numbers.
- account log-ins, financial accounts, debit or credit card numbers in combination with any required security or access code, password or credentials allowing access to such accounts.
- the contents of consumers’ mail, email and text messages (unless the business is the intended recipient).
Selling and Sharing Under the CCPA
In particular, the definitions of selling and sharing with respect to personal information are quite different from the common usage of these terms:
- Selling means disclosure of a consumer’s personal information to a third party, in return for money or some other valuable consideration (for example, exchanging data for services).
- Sharing means disclosure of a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not money or some other valuable consideration is exchanged. The definition expressly includes transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
It is easy for processing of personal information to be caught by these definitions without the business being aware of it. For example, the use of analytics and marketing cookies will generally fall within these definitions, and such cookies are frequently the basis of enforcement actions under the CCPA.
Under the CCPA, if a business is selling or sharing personal information, it is obliged to:
- provide a clear and conspicuous link on its internet homepages (located either in the header or footer) titled “Do Not Sell or Share My Personal Information” or “Your [California] Privacy Choices” that enables the consumer (or someone authorised by them) to opt out of the sale or sharing of their personal information. The purpose of this link is to immediately effectuate the consumer’s right to opt out, or to direct the consumer to the Notice of Right to Opt-out of Sale/Sharing, where they can learn about and make the choice to opt out.
OR
- allow consumers to opt out of the sale or sharing of their personal information through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism (based on certain technical specifications) to the business indicating the consumer’s intent to opt out of the selling or sharing of their personal information.
Organisations will often combine these requirements with their cookie banners as part of their consent management platforms. However, this will generally only deal automatically with the selling and sharing of personal information via cookies, so organisations selling or sharing personal information by other methods will need to take this into account when setting up their “Do Not Sell or Share My Personal Information” links.
Need help navigating CCPA compliance obligations?
To discuss how this requirement may apply to your organisation, please contact Benjamin Ross (Global Head of Privacy & Cybersecurity) or Jessica Vautier (Senior Associate) in Bortstein Legal Group’s Privacy team.