The CCPA – For Better or For Worse?
CCPA | Consumer Rights and Protection | Personal Information

By Michelle Johnston, CIPM, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.

Are you thinking that the deluge of publicly announced, big data, too-big-to-fail data breaches is mind-blowing?  Well, get ready to wrap your mind around the legal obligations and compliance requirements businesses are facing with the California Consumer Privacy Act of 2018 (CCPA).

The CCPA goes into effect on January 1, 2020 with enforcement to begin no later than July 1, 2020.


The CCPA impacts all businesses who collect personal information about California residents and makes decisions (alone or jointly with others) about how and why the personal information is processed and if the business either:

(a) Has annual gross revenues in excess of U.S. $25 Million.

(b) It annually receives, buys, shares or sells, directly or indirectly, the personal information of 50,000 or more California residents, households, or devices.

(c) Derives 50% or more of its annual revenue from the sale of personal information about California consumers.

Personal information covered by the CCPA is so complex that the law provides two separate definitions for personal information.  Despite these definitions, the general consensus is that the personal information is still broadly defined and multiple amendments are proposed to clarify the term!

Currently under the Act, “Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.  The Act then lists out eleven categories of personal information identifiers.

If signed into law by California’s Gov. Newsom, AB 874 refines the definition of “personal information” to mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. Furthermore, the bill amends the definition of “personal information” to exclude deidentified or aggregate consumer information and defines “publicly available” to mean information that is lawfully made available from federal, state, or local government records.

AB 25 excludes, until January 1, 2021, from most CCPA provisions any personal information collected from job applicants, employees, business owners, directors, officers, medical staff, or contractors, as well as any emergency contact information that those individuals provide to the business.  Businesses would not need to offer opt-out, access and deletion rights during that one-year time period.  Businesses will still have to provide consumer and employees a privacy notice, at or before the point of collection and inform individuals of the processing purposes. The private right of action for data security incidents still applies to the bill’s specified personal information with potential statutory damages of $100 to $750 per consumer per incident.


The Act requires your company to offer consumer rights similar to the EU’s GDPR.  If you have already implemented data subject rights that align with the GDPR, then you are already on your way to complying with the CCPA.


The Act expands the rights of consumers and requires transparency on how you collect, use and disclose personal information.  Your business is obligated to notify consumers of the:

  • categories and specific pieces of personal information to be collected;
  • categories of sources from which the personal information is collected;
  • business or commercial purpose for collecting or selling personal information;
  • categories of third parties which whom the business shares personal information.

This information must be included your business’ privacy notice and your privacy notice must be updated at least once every twelve (12) months.  As a best practice, you should document your privacy policy update processes.

AB 1355 attempts to clarify that privacy notices must include instructions to the consumer on how they can obtain their specific pieces of personal information.

AB 25 expands the training of personnel.  Appropriate personnel must be trained on all of the CCPA’s consumer rights.


The consumers’ rights afforded under the CCPA (right to disclosure, right to deletion, right to opt-out) may not be waived or limited by contract pursuant to Cal. Civ. Code § 1798.192.  Your business practices may not discriminate against any consumer who elects to exercise their consumer rights.

AB 1355 clarifies that businesses do not need to collect personal information that it would not normally collect or retain just to satisfy consumers’ rights.

Data Access Right – Consumers have the right to obtain, within 45 days, from your business their personal information, including:

(1) The categories of personal information it has collected about that consumer.

(2) The specific pieces of personal information it has collected about that consumer.

(3) The categories of third parties with whom the business shares personal information.

(4) The categories of sources from which the personal information was obtained.

(5) The business or commercial purpose for collecting or selling personal information.

Currently, the Act requires businesses provide consumers with two or more methods for submitting requests for information, one which must be a toll-free telephone number.  However, if passed, AB 1564 requires a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information only needs to provide an email address for submitting CCPA requests.

Data Portability Right – Consumers have the right to obtain their personal information in a format that allows the consumer to transmit it to another organization.

Data Deletion Right – Consumers may request you and your vendors to delete their personal information.  A proposed amendment, if signed into legislation, includes a one-year exemption for access and deletion rights to employee data and B2B communications.

Opt-out – The right to opt-out for sales of personal information, gives consumers the right, at any time, to direct a business that sells personal information about them to third parties to not sell their personal information.  If you engage in the selling of personal information, then you must notify the consumer of this use and advise them they have the right to opt-out by placing a link on your business’ website homepage titled “DO NOT SELL MY PERSONAL INFORMATION” enabling consumers to opt-out of the selling of their personal information.

AB 1146, if signed into law, will exempt vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair as long as that shared information is not sold, shared or used for any other purposes.

AB 1355 creates one-year exemption for certain B2B communications or transactions and broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA) as long as the information is subject to regulation by the FCRA and is not used, communicated, disclosed or sold except as authorized by the FCRA.

Data Brokers – AB 1202 will require data brokers to register with the California Attorney General’s office.  The AG will publish the list of registrants on the California AG’s website, allowing consumers to identify the businesses that may be collecting and selling their information and exercising their privacy rights, such as, “right-to-opt-out/do-not-sell”.

Breach Notification – If California Gov. Newsom signs AB 1130, which increases the types of personal information in the breach notification statute, then consumer information subject to a breach would fall under the CCPA, potentially leading to additional liability for businesses.


Enforcement actions may not be brought until 6 months after the publication of the final regulations or July 1, 2020, whichever is sooner.

The Attorney General may bring a civil action against businesses, services providers or other persons, and possibly result in an injunction and/or civil penalties of up to $2,500 for each violation (and up to $7,500 for each intentional violation).

Consumer’s private right of action under Cal. Civ. Code § 1798.150 has legal basis for instituting a civil action by violating Cal. Civ. Code § 1798.81.5 which requires businesses to implement and maintain reasonable security procedures and practices to protect their personal information from unauthorized access, destruction, use, modification or disclosure.  Note, there is a right to cure provision for businesses.

Where violations result in unauthorized access to a consumer’s unencrypted/unredacted personal information, consumers may receive:

  • damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater;
  • an injunction or declaratory relief; and
  • any other relief as determined by a court.

Under the CCPA, even service providers will be held liable for civil penalties.

CSR Privacy Solutions, Inc. is all about regulatory compliance and risk mitigation.  We provide you with tools, guidance and access to our award-winning solutions in a cost sensitive environment.  Our goal is the same as yours – compliance without the hurt!

Become a Partner – Contact CSR

I understand CSR will use this information for the purpose of responding to my query or request. I have reviewed their Privacy Policy. I understand I can withdraw consent or make a Data Access Request at any time.