
CCPA (California)

Overview

Please see Acquia’s CCPA resources at ACQUIA & CCPA. The article below supplements but does not supersede the information provided therein.

CCPA = California Consumer Privacy Act

The California Constitution grants a right of privacy. Beginning January 1, 2020, the CCPA bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified. The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The bill would require a business to provide this information in response to a verifiable consumer request. The bill would authorize a consumer to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. The bill would authorize businesses to offer financial incentives for collection of personal information. The bill would prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt in. 
The bill would prescribe requirements for receiving, processing, and satisfying these requests from consumers. The bill would prescribe various definitions for its purposes and would define “personal information” with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information. The bill would prohibit the provisions described above from restricting the ability of the business to comply with federal, state, or local laws, among other things.

The CCPA

Definitions

See section 1798.140: California Legislative Information.

  1. A “consumer” who has rights under the CCPA is “a natural person who is a California resident.” The California Code of Regulations defines a resident as “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.”
  2. Personal information
    1. “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
      1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
      2. Any categories of personal information described in subdivision (e) of Section 1798.80.
      3. Characteristics of protected classifications under California or federal law.
      4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
      5. Biometric information.
      6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
      7. Geolocation data.
      8. Audio, electronic, visual, thermal, olfactory, or similar information.
      9. Professional or employment-related information.
      10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
      11. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
    2. “Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. “Publicly available” does not include consumer information that is deidentified or aggregate consumer information.
  3. The CCPA obligations apply to an organization (“business”) that:
    1. is for-profit
    2. collects consumers’ personal information, or on the behalf of which such information is collected
    3. determines the purposes and means of the processing of consumers’ personal information
    4. does business in California; and
    5. meets any of the following thresholds:
      1. has annual gross revenue in excess of $25 million;
      2. alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
      3. derives 50% or more of its annual revenues from selling consumers’ personal information.
      4. The CCPA also applies to any entity that controls or is controlled by the business.
    6. There are no obligations directed specifically at “service providers,” other than using the personal information solely at the direction of the business they serve. Businesses may also direct service providers to delete consumers’ personal information from their records.
  4. “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.

Scope

The CCPA protects “consumers” who are natural persons and who must be California residents in order to be protected.

The CCPA applies to organizations “doing business in California.” This criterion is not precisely defined in the CCPA. However, according to the California Franchise Tax Board, doing business in California consists of “actively engaging in any transaction for the purpose of financial or pecuniary gain or profit,” and an out-of-state entity can be considered as doing business in California if it meets certain thresholds (see Section 23101 of the Revenue and Taxation Code). Therefore, it is conceivable that out-of-state entities collecting, selling, or disclosing personal information of California residents can fall under the scope of the CCPA.

The obligations imposed on businesses by the CCPA do not restrict a business’s ability to “collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California […] Commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California and no personal information collected while the consumer was in California was sold.”

The CCPA excludes from its application the collection, sharing, or processing of “aggregate consumer information” and “deidentified data.”

Rights of Consumers

The following rights are called out in the introduction of the CCPA (Section 2):

  1. Right to be informed
    1. Sec 2: The right of Californians to know what personal information is being collected about them.
    2. 1798.100: A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
    3. 1798.110: A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following: type, source, purpose, third party destinations, and specific pieces of personal information.
    4. Sec 2: The right of Californians to know whether their personal information is sold or disclosed and to whom.
    5. 1798.115: A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer
  2. Right of access & portability
    1. Sec 2: The right of Californians to access their personal information.
    2. 1798.100: A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
    3. 1798.110: A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following: (1) types, (2) sources, (3) purposes, (4) third party destinations, and (5) specific pieces of personal information.
  3. Right to erasure
    1. 1798.105: A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
  4. Right to opt-out
    1. Sec 2: The right of Californians to say no to the sale of personal information.
    2. 1798.120: A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.
  5. Right to equal service
    1. Sec 2: The right of Californians to equal service and price, even if they exercise their privacy rights.
    2. 1798.125: A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title.

Requirements of Customer Data Platform (CDP)

CDP qualifies as a Service Provider under the CCPA. The CCPA sets out the following requirements that apply specifically to service providers:

  • A business can only disclose a consumer’s personal information to a service provider for a business purpose pursuant to a written contract. The contract should prohibit the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract.
  • Requirement under “right to deletion”: Upon a consumer’s valid request to delete personal information, a business must direct any service provider to delete the consumer’s personal information.
  • Liability for misuse of personal information: A service provider is liable for civil penalties if it uses the personal information received from businesses in violation of the CCPA. If a service provider fails to cure CCPA violations within 30 days, it is liable for a civil penalty under laws relating to unfair competition in an action brought by the Attorney General.

CCPA Compliance

CDP supports the CCPA right to erasure through the CDP user interface. For more information, see Data Erasure Requests. All other CCPA requirements are either fulfilled by the client organization (and not requirements of CDP as a service provider), or fulfilled inherently by CDP’s data processing and security design.