California Consumer Privacy Act (CCPA) Explained

What is the CCPA?

The California Consumer Privacy Act of 2018 (CCPA) is a law that grants California residents rights over how their personal data is collected, stored, and used by businesses. The state’s former Attorney General, Xavier Becerra, told the New York Times in 2019 that the law would effectively force businesses to start treating consumer’s data like it belongs to the consumer, “rather than data that, because it’s in possession of the company, belongs to the company.” The CCPA passed without opposition in June 2018 and became effective on January 1, 2020. You can read the full text of the law here.

Why was the CCPA needed?

Before the CCPA, there were no clear data privacy laws in the United States. So, while federal and state governments could take legal action against tech companies for violating antitrust laws or lying to consumers, there was no legal basis for protecting personal data. Whether or not we had a right to our personal information was a question—one that neither the federal government nor any one state had the answer to.

Throughout the 2010s, data collection fueled the internet economy, and went almost entirely unregulated. Multiple attempts at legislation failed, until one stuck. It makes sense that the legislation came from the state of California, not only because that state is home to Silicon Valley, but also because of California’s unique ballot initiative process, which allowed residents to push for a new privacy law without the influence of tech lobbyists.

Who does the CCPA apply to?

The CCPA technically only applies to residents of California. But since the United States lacks a national data law, and California is its largest state, “the CCPA became the de facto law for the rest of the nation,” says Sridhar Ramaswamy, cofounder of Neeva.

Just like how California’s emission standards changed the way cars were made across the nation, the CCPA’s repercussions are felt all over the U.S. Shortly after the CCPA passed, major tech companies like Microsoft announced that the changes it made to comply with the CCPA would apply to all users in the United States.

Your rights under the CCPA

Under the CCPA, California residents have these rights.

The right to know what categories of personal information a business collects about you and how that data is being used and shared. Personal information includes identifiers such as your:

• Name
• Email address
• Social security number
• Driver’s license number
• Purchase history
• Browsing history
• Voice recordings
• IP address
• Geolocation data.

It also includes profiles that advertisers like Google build about you based on inferences. (Personal information does not include publicly available information such as professional licenses and property records.)

Businesses are required to both notify you of the types of data they will collect at the time of request, and to provide you with the information they’ve collected upon your request. When you request this information, a business has 45 days to respond to your request and 12 months to provide you with the requested information.

The right to delete personal information that has been collected and stored by businesses. Businesses are not required to provide an online form for data deletion, so you may have to call a toll-free number, send an email, or mail a form to make this request. Once they receive your request, businesses have 45 days to respond (which they can extend by an additional 45 days if they send you a notice).

The right to opt out of the sale of your personal information. If you ask a company that is regulated under CCPA to stop selling your information, they must comply, and you shouldn’t have to create an account to opt out. (If you can’t find the “Do Not Sell My Personal Information,” go to the website’s privacy policy, which must include this link.)

Children under the age of 16 are protected from the sale of their information by default and must opt in to have their personal information sold, and children under the age of 13 need to have a parent or guardian opt in on their behalf.

The right to non-discrimination when excercizing your rights under the CCPA. This means that businesses cannot change the quality of products or services they provide or charge different prices if you exercise any of the above rights. Businesses can, however, provide discounts in exchange for your personal information.

Which businesses and organizations does the CCPA apply to?

The CCPA applies to businesses that meet at least one of these three criteria:

1. The business has annual global gross revenues of over $25 million.
2. The business receives, buys, or sells the personal information of 50,000 or more California residents.
3. The business derives at least 50% of its annual revenue from selling the personal information of California residents.

This covers many types of businesses, including mobile service providers, retailers, and ride-hailing services. Data brokers (businesses that collect and sell personal data to other businesses) are also covered, and must register on the Attorney General’s website.

Which businesses and organizations are exempt from the CCPA?

Certain businesses and organizations are not subject to the regulations of the CCPA, including nonprofits and government agencies.

Service providers, such as businesses that process payment information on behalf of other businesses, are treated differently than other businesses under the CCPA, in that they are not responsible for handling consumer requests. As such, if you reach out to a company that processes payment information and ask them to delete everything they know about you (such as your name, address, and credit card number), they can refuse. Instead, you’ll have to ask the retailer who used this service to facilitate the deletion. That doesn’t mean that service providers can do whatever they want with your data—they must provide the same level of cybersecurity as other businesses under the CCPA.

How is CCPA compliance enforced?

CCPA compliance is enforced by the California Attorney General. Individuals cannot sue businesses for CCPA violations, except in the case of a data breach which resulted in the theft of non-encrypted, non-redacted personal information. Individuals can, however, file a consumer complaint with the Office of the Attorney General if they believe a business has violated the CCPA. Based on these complaints or other factors, the Attorney General can launch an investigation and eventually take legal action.

A brief history of data privacy law in the United States

The road to the CCPA has been a long one. Here’s what it took to get the U.S.’s first digital privacy law on the books.

2011: The Federal Trade Commission (FTC) found that two of America’s most popular and trusted technology companies—Facebook and Google—had both violated their own privacy policies, using consumer data in ways that ran contrary to their own promises. The FTC was able to take legal action against Facebook and Google not because what they did with the data was illegal, but because they lied about it.

2012: In the wake of the 2011 FTC rulings, lawmakers realized the necessity of a single federal law protecting consumers' personal information. The Obama administration introduced a proposal for a Consumer Privacy Bill of Rights that would allow consumers to set limits on the personal data that companies could collect and store. At the time, President Obama said “American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online.” As it turned out, Americans would have to wait several years: Facing strong opposition from the tech industry as well as criticism from privacy advocates, the Bill of Rights was eventually scrapped, and the data collection industry remained unregulated, even as internet usage ramped up.

2017:  Alastair Mactaggart, an Oakland, California–based real estate developer, was one of many people who had concerns about data privacy. He asked a friend, an engineer at Google, if he had anything to worry about. The answer surprised him: Yes, he should worry. Soon after, Mactaggart began work on a ballot initiative, a type of legislation that Californians could vote on directly, circumventing the usual process of passing legislation, and avoiding California’s massive tech lobby. He called his initiative the California Consumer Privacy Act.

2018: The Facebook Cambridge Analytica scandal broke, and suddenly Americans were more concerned with data privacy than ever. It looked like, if Mactaggart’s initiative made its way onto the ballot, it would pass. This frightened both the tech lobby and legislators, since, once passed, a 70% majority would be required to make changes to the law. So, before Mactaggart’s CCPA could go on the ballot, California lawmakers passed their own version.

4 privacy laws to know

Thankfully, the CCPA isn’t the only data privacy law on the books. Here are four to know:

1. European Union General Data Protection Regulation (GDPR). The GDPR predates the CCPA by about two years: It passed in 2016 and went into effect in 2018. The GDPR grants European residents even more rights and protections than the CCPA. The key differences are that the GDPR requires businesses to get users’ consent before collecting their data, and it allows private right of action (individuals can take legal actions against businesses  for violating its provisions).
   
2. California Privacy Rights Act of 2020 (CPRA). This followup to the CCPA expands Californians’ rights to include the right to correct inaccurate information and the right to data minimization (both features of the GDPR). It also creates a new agency to enforce the CPRA. The CPRA will go into effect on January 1, 2023.
   
3. Virginia Consumer Data Protection Act. Virginia’s data privacy law is closely modeled after the CCPA and will go into effect on January 1, 2023.
   
4. Colorado Bill to Protect Personal Data Privacy. This Colorado bill recently passed but has not yet been signed into law as of June 2021. It sets standards for data use and protection, but violations of these standards can only be enforced by the state Attorney General or District Attorneys.

In addition to the laws above, several states are working on their own privacy legislation. As of June 2021, privacy legislation was in committee in Illinois, Massachusetts, New York, North Carolina, Pennsylvania, and Texas.

Ready for a private search experience that was built for people, not data mining or advertising? Try Neeva, the world’s first private, ad-free search engine. We are committed to showing you the best results for every search. We will never sell or share your data with anyone, especially advertisers. Try Neeva for yourself, at neeva.com.