The California Consumer Privacy Act (CCPA)

Legislation called the California Consumer Privacy Act (nicknamed the “CCPA”) was signed into law by California Governor Jerry Brown in June of 2018. The law became effective on January 1, 2020. The CCPA is a comprehensive consumer data privacy protection statute. The main features of the California Consumer Privacy Act (CCPA) are discussed below.

What is the California Consumer Privacy Act (CCPA)?

The CCPA is legislation that regulates how California residents’ personal information can be collected, sold, processed, used, and handled. The law was passed to provide Californians greater rights with respect to the processing, use, sale, collection, disclosure, and sharing of their personal information.

Who is Regulated by the CCPA?

The California Consumer Privacy Act (CCPA) regulates businesses. To be regulated by the CCPA, a business must meet certain requirements. 

Do you have an effective HIPAA compliance program? Find out now by completing the HIPAA compliance checklist.

Doing Business in California:

To be subject to the California Consumer Privacy Act (CCPA), a business must, first and foremost, “do business” in California. This does not mean that the business must have a physical presence in California, or must be incorporated in California. To “do business” in California, an entity must direct one or more activities toward California consumers (whom the law defines as “residents of California”). This requirement is not difficult to satisfy. For example, a company incorporated in another state, and having its headquarters in another state, that merely operates a website in which California residents are allowed to provide their personal information, “does business” in California. A business, therefore, need not have a business-customer relationship with a consumer individual for the CCPA to apply.

Engaging in Certain Activities:

To be subject to the CCPA, a business must, in addition to doing business in California:

  • Be conducted for profit; and
  • Collect the personal information of California residents (or have such information collected on its behalf); and 
  • Determine on its own or jointly with others the purpose and means of processing that information.

The California legislature did not intend to target all businesses that collect, share, or sell personal information. Rather, it intended to target those entities that, in addition to meeting the above requirements, either have a high sales volume or possess a large amount of PHI; and/or earn significant revenue from selling personal information.

Therefore, to be regulated by the CCPA, an entity must, in addition to meeting the above requirements:

  1. Have annual gross revenues in excess of $25,000,000; OR
  2. Annually buy, receive, sell, or share, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; OR
  3. Earn more than half of its annual revenue (whether that revenue is $25 or $25,000,000) from selling personal information. 

What is Personal Information?

Under the CCPA, personal information includes any information that:

  • Identifies;
  • Relates to;
  • Describes; 
  • References;
  • Is capable of being associated with; or
  • Could reasonably be linked to, directly or indirectly,

a particular consumer or household.

Personal information includes eleven specific categories relating to consumers.  These categories include:

Category 1: Identifiers such as a real name, alias, postal address, online identifier Internet Protocol address, email address, account name, Social Security number, driver’s license number, or other similar identifiers or unique personal identifiers. Unique personal identifiers include (among other things) passport numbers, tax identification numbers, military identification numbers, and other unique identification numbers issued on a government document. 

Category 2: Category 2 overlaps with category one. Category 2 consists of any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. 

Category 3: Characteristics of protected classifications under California or federal law. Protected classifications include (among others):

      • Race. 
      • Color.
      • National origin.
      • Religion.
      • Gender (including pregnancy).
      • Disability.
      • Age. 
      • Citizenship status.

Category 4: Commercial information, including:

        • Records of personal property;
        • Records of products or services purchased, obtained, or considered; and
        • Other purchasing or consuming histories or tendencies.

Category 5: Biometric information. Biometric information includes an individual’s physiological, biological, or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity

Category 6: Internet or other electronic network activity information, including, but not limited to:

          • Browsing history;
          • Search history; and 
          • Information regarding a consumer’s interaction with an Internet Website, application, or advertisement.

Category 7: Geolocation data.

Category 8: Audio, electronic, visual, thermal, olfactory, or similar information.

Category 9: Professional or employment-related information.

Category 10: Education information (i.e., information that is not publicly available) personally identifiable as defined in the federal Family Educational Rights and Privacy Act (FERPA). 

Category 11: Inferences drawn from any of the above to create a profile about a consumer reflecting the consumer’s:

            • Preferences; 
            • Characteristics;
            • Psychological trends; or
            • Psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Under the CCPA, an inference as “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information of data.”What is Collection of Personal Information? 

“Collection of personal information” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

What is Sale of Personal Information?

“Selling of personal information” is the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for a financial benefit (e.g., money). 

What Must an Entity Regulated by the California Consumer Privacy Act Actually Do?
To be regulated by the CCPA, a business must be engaged in activities involving personal information. The CCPA gives California consumers certain rights with respect to businesses that sell consumers’ personal information, or disclose it for a business purpose. Specifically, a consumer has the right to request, under what the CCPA calls the “right to know” provision, that a business that sells the consumer’s personal information, or that discloses it for a business purpose (i.e, the use of personal information for the business’s or a service provider’s operational purposes), disclose to that consumer:

  • The categories of personal information that the business collected about the consumer;
  • The categories of personal information that the business sold about the consumer;
  • The categories of third parties to whom the personal information was sold; and
  • The categories of sources from which the personal information was collected

A consumer’s request may encompass the personal information that the business collected or sold within the one year preceding the request. 

What other Rights Does the California Consumer Privacy Act Give to Consumers?

The CCPA gives consumers three other categories of rights:

  • The right to delete: Under the right to delete, a California resident can request that a business delete the resident’s personal information that is held by the business.
  • The right to opt-out: Under the right to opt-out, a consumer may request that a business cease selling the consumer’s personal information. Upon a consumer’s making a proper, verified request, the business must cease the sale. The right to opt-out requires businesses to provide a clear and conspicuous website link that states, “Do Not Sell My Personal Information,” which, when clicked, enables a consumer to opt-out of the sale of their personal information to third parties. Under the California Consumer Privacy Act, once a consumer has exercised his or her right to opt out, the business may not request that the consumer authorize the sale of the individual’s personal information for at least twelve months.
  • The right to non-discrimination: Under the right to non-discrimination, a business may not discriminate (in terms of price or service) when a consumer exercises a CCPA right. 

How are Consumers Made Aware of their Rights Under the CCPA?
A business subject to the CCPA must, in either an online privacy notice or on its website, disclose the rights that California residents have under the CCPA. A privacy notice must also list those categories of personal information, that the business collected or sold about California residents for a business purpose, within the last twelve months.

How is the California Consumer Privacy Act Enforced?
The California State Attorney General may, upon receiving a consumer complaint, recover damages for violations of the CCPA that are not cured within thirty days of notice to the business. The amount that can be recovered is up to $7,500 per inten­tional violation, and up to $2,500 per unintentional violation.

The California Consumer Privacy Act also allows California residents the right to bring a private right of action (i.e., their own lawsuit) against a business, if the business has failed to implement reasonable security safeguards, and that failure results in a data breach. 

Is California Expected to Modify the California Consumer Privacy Act?
Typically, when a legislature creates laws on a particular topic, the legislature delegates the task of creating regulations for that law to a state agency. The California Legislature has directed the California Attorney General to come up with regulations for the California Consumer Privacy Act. The Attorney General has proposed regulations, which can be found here. These regulations, if adopted, will have the force of law. 

Is There a HIPAA Exemption for Entities Covered by the CCPA?

The CCPA contains HIPAA safe harbor provisions – provisions exempting information and entities that would be otherwise subject to CCPA regulation.

  • Safe Harbor Provision Number One: The CCPA does not apply to medical information governed by California’s medical privacy law (the Confidentiality of Medical Information Act), or, to protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules under HIPAA or HITECH. Simply put, PHI collected for the treatment, payment, or healthcare operations would qualify for the CCPA HIPAA exemption. However, health information that is collected for other purposes would not fall under the CCPA HIPAA exemptions, and would be subject to the stricter privacy laws set forth by the CCPA.
  • Safe Harbor Provision Number Two: The CCPA exempts, from its coverage, both providers of healthcare governed by the Confidentiality of Medical Information Act and, covered entities governed by HIPAA, to the extent the provider or covered entity maintains patient information in the same manner as medical information (which must be kept confidential under the Confidentiality of Medical Information Act) or protected health information (which is subject to HIPAA). Simply put, a covered entity governed by the HIPAA privacy, security, and breach notification rules, is exempt from the CCPA to the extent the covered entity properly safeguards PHI under HIPAA. This means that if a covered entity is not compliant with one or more HIPAA regulations, the covered entity is not in complete compliance with the CCPA.

Regulations clarifying what these provisions mean are expected to be issued.

Can a HIPAA-Compliant Entity Still be Subject to the CCPA?

Under the terms of the CCPA, personal information created, received, maintained or transmitted by companies subject to HIPAA, is likely still subject to the CCPA, if: 1) It is not created or collected as part of payment, treatment, or healthcare operations; 2) the information was never PHI in the first place (or is excluded from the definition of PHI), or 3) the information was once PHI, but has been de-identified under HIPAA.


What Kinds of Information are Not Considered PHI?


Information that is not considered PHI, and thus may be subject to CCPA regulation, includes health app information and marketing data. Health apps that are not developed by a covered entity or business associate with the purpose of allowing patients to monitor their health, collect data that is not considered PHI. In addition, data collected for pure marketing purposes, by entities that are not covered entities or business associates, is not PHI, and therefore is subject to CCPA regulation.

The California Consumer Privacy Act (CCPA)