July 9, 2019

SA&M Client Alert: The California Consumer Privacy Act

Effective January 1, 2020, the California Consumer Privacy Act (the “CCPA”) will grant new rights to California residents and impose restrictions on certain businesses that collect “personal information” from residents.

Many will assume they don’t collect personal information, however, under the CCPA, “personal information” is defined broadly as anything that directly or indirectly identifies, describes, or can reasonably be linked to a particular person or household. While some of what is classified as “personal information” may seem apparent (name, street address, email address, credit card numbers, etc.), “personal information” under the CCPA also includes wide-ranging identifiers that are not so apparent, such as account name, physical description, inferences drawn from other available information, as well as technical information such as internet browsing history, IP address, geolocation data, website preferences, etc.  Under this standard, most business that operates anything but the simplest of websites will likely be collecting personal information within the meaning of the CCPA.

Does the CCPA apply to your business?

The CCPA applies to any business that transacts business in California (which includes online sales to a California resident) and meets any one of the following criteria:

  1. Has annual gross revenues in excess of $25 million;
  2. Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  3. Derives 50% or more of its annual revenues from selling personal information.

While receiving information from 50,000 consumers may sound like a high number, it comes out to just under 140 consumers, households, or devices per day. Keep in mind, each “device” may count separately.

The CCPA applies to my business, what are my obligations?

Under the CCPA, California consumers have several overarching rights.  These include the right to know what personal information is being collected, whether their personal information is sold or disclosed and to whom, and the right to say “no” to the sale of that information. Californians also have the right to access their personal information, and the right to equal service and price, even if they exercise their privacy rights.

More specifically, consumers can:

  • Request that a business that collects a consumer’s personal information disclose the categories and specific pieces of personal information the business has collected.
  • Request that a business deletes any personal information about the consumer which the business has collected from the consumer. (This is a limited right as businesses may utilize exceptions when it is necessary to maintain information.)
  • Request that a business that collects personal information about the consumer disclose to the consumer the following:
    • (1) The categories of personal information it has collected.
    • (2) The categories of sources from which the personal information is collected.
    • (3) The business or commercial purpose for collecting or selling personal information.
    • (4) The categories of third parties with whom the business shares personal information.
    • (5) The specific pieces of personal information it has collected.
  • Request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:
    • (1) The categories of personal information that the business collected about the consumer.
    • (2) The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
    • (3) The categories of personal information that the business disclosed about the consumer for a business purpose.
  • Direct a business to not to sell the consumer’s personal information. This right may be referred to as the right to opt out. (Keep in mind, the definition of “sell” is broad and includes items of non-monetary value, such as coupons or discount codes.

Of note, there are a number of proposed amendments pending before the California legislature. The amendments are as diverse as they are contentious. However, there are many that appear likely to pass that are largely intended to provide clarification to the CCPA, which was hastily passed.  If you believe the CCPA impacts you, you should follow these developments.

With six months to go before the CCPA takes effect, the time to start preparations for compliance is now. The requirements of the new CCPA are cumbersome and will take time to implement. In most cases, online businesses will need substantial modification to their existing privacy policies and terms of use.  Preparation is important as penalties for non-compliance can be severe. A business that is found in violation of the CCPA may be liable for up to $2,500 per violation, and $7,500 per intentional violation.

For more information, including an assessment of your existing policies, please contact Heather Antoine at or (818) 444-4500.

Related news