CCPA Fundamentals: Who and what does the CCPA apply to?

How did the CCPA come to be?

The California Consumer Privacy Act (CCPA), is a data privacy regulation intended to give California residents insight into how their data is monetized by organizations and power over how the data is treated. It started out as a ballot initiative in early 2018 and was signed into law in June of 2018. It goes into effect on January 1, 2010 and will be enforceable on July 1, 2020. The original CCPA ballot initiative was introduced by California real estate developer, Alistair Mactaggart, who realized the massive amounts of data companies collect and store regarding consumers during a conversation with a tech employee at a cocktail party. This realization came at a time when privacy was suddenly on the top of everyone’s minds, around the time the Facebook Cambridge Analytica scandal news was breaking and being covered virtually everywhere and as the enforcement date of the General Data Protection Regulation (GDPR) was closing in.

With this in mind, Mactaggart worked to develop a privacy initiative focusing on three main principles:

  • Transparency
  • Control
  • Accountability

The new privacy ballot initiative received 630,000 signatures which is almost twice the required signatures to be included on the California ballot. Based on this strong indicator that the initiative would pass and the implication that it would be effective immediately and not go through the usual legislative process, politicians made a deal with Mactaggart to pass a regulation based on the original ballot’s three principles of transparency, control, and accountability. The new ballot initiative had a later enforcement date and various other changes such as less in-depth disclosures that still provided consumers with fundamental rights. Thus, the California Consumer Privacy Act was developed and approved.

The CCPA as we know it today was passed with strong bipartisan support and California proved it continues to be on the cutting edge when it comes to consumer protections.

The CCPA applies to any business that collects California residents’ personal data that either:

  • Has annual gross revenues of at least $25 million
  • Annually buys, receives, sells, or shares personal information of more than 50,000 consumers, households, or devices
  • Derives 50% or more of its annual revenue from the sale of consumer personal information.

An important note here is that the CCPA applies to any business regardless of whether the business is located in or out of the state of California. Any business that meets the criteria above and collects California residents’ personal data as defined by the CCPA is subject to its requirements.

Before getting into the requirements under the CCPA, there are a few key definitions to understand:

A “Consumer” is defined as “a natural person who is a California resident.” Keep in mind that “consumers” includes all California residents, including both customers and employees.

“Personal information” is defined as “any information that identifies, relates to, describes, is capable of being associated with, or could reasonable be linked, directly or indirectly, with a particular consumer or household.” The CCPA explicitly outlines that personal information does not include any information that is publicly available.

Examples of personal information provided within the CCPA include, but are not limited to, the following:

  • First and last name
  • Postal address
  • Online identifier
  • IP address
  • Email address
  • Account name
  • Social security number
  • Driver’s license number
  • Passport number
  • Biometric information
  • Internet/electronic network activity
  • Geolocation data
  • Professional/employment related information
  • Education information not publicly available

“Processing” means any operation or set of operations that are performed on personal data, whether or not by automated means. This essentially means that processing could include any action taken on person-al data including collection, the act of processing, storage, and deletion.

“Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or other-wise communicating a consumer’s personal information to a third-party for monetary or “other valuable consideration.”

This blog is part of an educational series that will explain the fundamentals of California’s upcoming data protection act, CCPA – who it impacts, how to comply, and more. Follow along as our expert team breaks down the complexities of CCPA.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.