CCPA (California Consumer Privacy Act)
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers. These FAQs provide general consumer information about the CCPA and how you can exercise your rights under the CCPA.
A. GENERAL INFORMATION ABOUT THE CCPA
1. What rights do I have under the CCPA?
If you are a California resident, you may ask businesses to disclose what personal information they have about you and what they do with that information, to delete your personal information and not to sell your personal information. You also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information. Generally, businesses cannot discriminate against you for exercising your rights under the CCPA. Businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.
2. What if I am not a California resident?
Only California residents have rights under the CCPA. A California resident is a natural person (as opposed to a corporation or other business entity) who resides in California, even if the person is temporarily outside of the state.
3. What is considered personal information under the CCPA?
Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.
4. What is not considered personal information under the CCPA?
Personal information does not include publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records.
5. What businesses does the CCPA apply to?
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
6. Does the CCPA apply to nonprofits or government agencies?
No. The CCPA does not apply to nonprofit organizations or government agencies.
7. What can I do if I think a business violated the CCPA?
You cannot sue businesses for most CCPA violations. You can only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances. You can sue a business if your nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, you can sue for the amount of monetary damages you actually suffered from the breach or “statutory damages” of up to $750 per incident. If you want to sue for statutory damages, you must give the business written notice of which CCPA sections it violated and give it 30 days to give you a written statement that it has cured the violations in your notice and that no further violations will occur. You cannot sue for statutory damages for a CCPA violation if the business is able to cure the violation and gives you its written statement that it has done so, unless the business continues to violate the CCPA contrary to its statement.
For all other violations of the CCPA, only the Attorney General can file an action against businesses. The Attorney General does not represent individual California consumers. Using consumer complaints and other information, the Attorney General may identify patterns of misconduct that may lead to investigations and actions on behalf of the collective legal interests of the people of California. If you believe a business has violated the CCPA, you may file a consumer complaint with the Office of the Attorney General. If you choose to file a complaint with our office, explain exactly how the business violated the CCPA, and describe when and how the violation occurred. Please note that the Attorney General cannot represent you or give you legal advice on how to resolve your individual complaint.
8. What kind of data breach can I sue a business for under the CCPA?
You can only sue businesses under the CCPA if certain conditions are met. The type of personal information that must have been stolen is your first name (or first initial) and last name in combination with any of the following:
- Your social security number
- Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person’s identity
- Your financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account
- Your medical or health insurance information
- Your fingerprint, retina or iris image, or other unique biometric data used to identify a person’s identity (but not including photographs unless used or stored for facial recognition purposes)
This personal information must have been stolen in nonencrypted and nonredacted form.
B. REQUESTS NOT TO SELL PERSONAL INFORMATION (RIGHT TO OPT-OUT OF SALE)
1. What is the right to opt-out?
You may request that businesses stop selling your personal information (“opt-out”). With some exceptions, businesses cannot sell your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale of your personal information.
2. Can businesses sell a child’s personal information?
Businesses can only sell the personal information of a child that they know to be under the age of 16 if they get affirmative authorization (“opt-in”) for the sale of the child’s personal information. For children under the age of 13, that opt-in must come from the child’s parent or guardian. For children who are at least 13 years old but under the age of 16, the opt-in can come from the child.
3. How do I submit my opt-out request?
Businesses that sell personal information are subject to the CCPA’s requirement to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account in order to submit your request.
Make sure you submit your opt-out request through the “Do Not Sell My Personal Information” link or through another method that the business designates for opt-out requests, which may be different from its normal customer service contact information. If you can’t find a business’s “Do Not Sell” link, review its privacy policy, which must include that link. If a business’s “Do Not Sell” link or other designated method of submitting opt-out requests is not working, notify the business in writing and consider submitting your request through another designated method if possible.
4. Why is the business asking me for more information?
While businesses are not required to verify that the person submitting an opt-out request is really the consumer for whom the business has personal information, they may need to ask you for additional information to make sure they stop selling the right person’s personal information. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose.
5. Why did the business deny my opt-out request?
There are some exceptions to the opt-out right. Common reasons why businesses may refuse to stop selling your personal information include:
- If a sale is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims
- If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA