The CCPA and Its Ratified Amendments: Is It Better or Is It Worse?

By Michelle Johnston, CIPM, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.

The California Consumer Privacy Act of 2018 (CCPA) (Cal. Civ. Code §§ 1798.100-1798.199) is the strictest privacy law in the United States to date.  The Act expands the rights of consumers and requires companies to develop and maintain data management practices and to be more transparent about how they collect, use and disclose personal information.

The recently ratified amendments were intended to “clarify” confusing legislative requirements.  Below is a summary of some key points of the Act and its amendments that would be of interest to those of you collecting California residents’ personal information.


The CCPA impacts all businesses that collect personal information about California residents and make decisions (alone or jointly with others) about how and why the personal information is processed, if the business:

(a) Has annual gross revenues in excess of U.S. $25 Million.

(b) Annually receives, buys, shares or sells, directly or indirectly, the personal information of 50,000 or more California residents, households, or devices.

(c) Derives 50% or more of its annual revenue from the sale of personal information about California consumers.

California’s Gov. Newsom signed into law AB 874 which refines the definition of “personal information” to mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. The Act lists out eleven categories of personal information identifiers.  Furthermore, the definition of “personal information” excludes deidentified or aggregate consumer information and defines “publicly available” to mean information that is lawfully made available from federal, state, or local government records.

AB 25, which has also been signed into law, excludes, until January 1, 2021, from most CCPA provisions any personal information collected from job applicants, employees, business owners, directors, officers, medical staff, or contractors, as well as any emergency contact information that those individuals provide to the business.  Businesses do not need to offer opt-out, access and deletion rights during that one-year time period.  Businesses still need to provide consumers and employees a privacy notice at or before the point of collection and inform individuals of the processing purposes. The private right of action for data security incidents still applies to the bill’s specified personal information, with potential statutory damages of $100 to $750 per consumer per incident.


The Act requires your company to offer consumer rights similar to the EU’s GDPR.


The CCPA expands the rights of consumers and requires transparency on how you collect, use and disclose personal information.  Your business is obligated to notify consumers of the:

  • categories and specific pieces of personal information to be collected;
  • categories of sources from which the personal information is collected;
  • business or commercial purpose for collecting or selling personal information;
  • categories of third parties with whom the business shares personal information.

This information must be included in your business’ privacy notice, and your privacy notice must be updated at least once every twelve (12) months.  As a best practice, you should document your privacy policy update processes.

Other transparency measures that were enacted when bills AB 1355 and AB 25 were signed into law include:

  • Privacy notices must provide instructions to the consumer on how they can obtain their specific pieces of personal information.
  • Appropriate personnel must be trained on all of the CCPA’s consumer rights.


The consumers’ rights afforded under the CCPA (right to disclosure, right to deletion, right to opt-out) may not be waived or limited by contract pursuant to Cal. Civ. Code § 1798.192.  Your business practices may not discriminate against any consumer who elects to exercise their consumer rights.

AB 1355 clarifies that businesses do not need to collect personal information that they would not normally collect or retain just to satisfy consumers’ rights.

Data Access Right – Consumers have the right to obtain, within 45 days, from your business their personal information, including:

(1) The categories of personal information it has collected about that consumer.

(2) The specific pieces of personal information it has collected about that consumer.

(3) The categories of third parties with whom the business shares personal information.

(4) The categories of sources from which the personal information was obtained.

(5) The business or commercial purpose for collecting or selling personal information.

Currently, the Act requires businesses to provide consumers with two or more methods for submitting requests for information, one of which must be a toll-free telephone number.  Enacted bill AB 1564 provides that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information only needs to provide an email address for submitting CCPA requests.

Data Portability Right – Consumers have the right to obtain their personal information in a format that allows the consumer to transmit it to another organization.

Data Deletion Right – Consumers may request you and your vendors to delete their personal information.  A proposed amendment, if signed into legislation, includes a one-year exemption for access and deletion rights to employee data and B2B communications.

Opt-out – The right to opt out of sales of personal information gives consumers the right, at any time, to direct a business that sells personal information about them to third parties not to sell their personal information.  If you engage in the selling of personal information, then you must notify the consumer of this use and advise them that they have the right to opt out by placing a link on your business’ website homepage titled “DO NOT SELL MY PERSONAL INFORMATION” that enables consumers to opt out of the selling of their personal information.

Enacted bill AB 1146 exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair as long as that shared information is not sold, shared or used for any other purposes.

Enacted bill AB 1355 creates a one-year exemption for certain B2B communications or transactions and broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA) as long as the information is subject to regulation by the FCRA and is not used, communicated, disclosed or sold except as authorized by the FCRA.

Data Brokers – Enacted bill AB 1202 requires data brokers to register with the California Attorney General’s office.  The AG will publish the list of registrants on the California AG’s website, allowing consumers to identify the businesses that may be collecting and selling their information and to exercise their privacy rights, such as “right-to-opt-out/do-not-sell”.

Breach Notification – Enacted bill AB 1130 increases the types of personal information in the breach notification statute; therefore, consumer information subject to a breach would fall under the CCPA, potentially leading to additional liability for businesses.


The CCPA goes into effect on January 1, 2020 with enforcement to begin no later than July 1, 2020.

Enforcement actions may not be brought until 6 months after the publication of the final regulations or July 1, 2020, whichever is sooner.

The Attorney General may bring a civil action against businesses, service providers or other persons, which may result in an injunction and/or civil penalties of up to $2,500 for each violation (and up to $7,500 for each intentional violation).

The consumer’s private right of action under Cal. Civ. Code § 1798.150 provides a legal basis for instituting a civil action against a business that violates Cal. Civ. Code § 1798.81.5, which requires businesses to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure.  Note that there is a right-to-cure provision for businesses.

Where violations result in unauthorized access to a consumer’s unencrypted/unredacted personal information, consumers may receive:

  • damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater;
  • an injunction or declaratory relief; and
  • any other relief as determined by a court.

Under the CCPA, even service providers will be held liable for civil penalties.

CSR Privacy Solutions, Inc. is all about regulatory compliance and risk mitigation.  We provide you with tools, guidance and access to our award-winning solutions in a cost sensitive environment.  Our goal is the same as yours – compliance without the hurt!
