On June 28, 2018, the California Consumer Privacy Act (“CCPA”) was enacted, which represents a major shift in consumer protection and privacy. While the CCPA will not go into effect until January 1, 2020, the CCPA empowers consumers with significant new rights concerning how their personal information is collected, used, stored, transmitted and sold, and requires significant transparency from businesses collecting and using such information.
Under the CCPA, personal information is defined broadly as information that identifies, describes or is capable of being associated with a particular consumer or household, and includes (1) identifiers such as a consumer’s name, alias, ISP address, e-mail address, postal address, social security number, driver’s license number, passport number, and similar identifiers; (2) commercial information such as records of a consumer’s purchase of personal property and products; (3) biometric information; (4) internet records or other electronic network activity information, such as a consumer’s web browsing and search history; (5) audio, visual, electronic or similar information; (6) professional and employment information; (7) education information; and (8) information used to create a profile about the consumer’s preferences, characteristics, behavior, abilities and interests.
Significantly, the CCPA grants consumers (among other things) the right to request (a) the categories of personal information a business has collected; (b) the specific pieces of personal information it has collected about that consumer and sources; (c) the commercial purpose for collecting or selling that personal information; and (d) the categories of third parties with whom the business shares personal information. Interested consumers must first submit a “verifiable consumer request” to obtain such information so that the business can verify that the consumer submitting the request is indeed the consumer about whom it has collected such information.
The CCPA precludes businesses from selling personal information to third parties until the business provides explicit notice to the consumer and the opportunity for the consumer to opt-out. If a consumer has exercised his or her right to opt-out, the business is prohibited from selling that consumer’s personal information unless the consumer expressly authorizes such sales. However, the business may ask the consumer for authorization to sell his or her personal information twelve months after the opt-out request.
The CCPA also prohibits businesses from selling the personal information of minors under age 16 unless it receives express authorization from children between 13 and 16 years old. Businesses must obtain authorization from the parent or guardian of children under 13 to sell their personal information.
Perhaps most importantly, consumers may request that a business delete their personal information and the business must require any service providers with whom it has shared personal information to honor that request. There are, however, nine exceptions to the right of deletion, such as to comply with a legal obligation, complete a transaction for which the personal information has been collected, engage in scientific or statistical research in the public interest, detect security threats, identify and debug computer errors, exercise free speech, and otherwise use the personal information lawfully in a manner compatible with the context in which the consumer provided the information, among others.
Additionally, businesses are prohibited from discriminating against consumers who exercise their rights under the CCPA and may not (among other things) deny goods or services to the consumer, charge different prices or rates for goods or services, provide a different level or quality of good or service, or suggest the consumer will receive a different level or quality of good or service. With some exceptions and qualifications, businesses must comply with a consumer’s request concerning his/her personal information within forty-five days of receipt.
At the same time, businesses may offer financial incentives and compensation to the consumer for the collection or sale of his or her personal information. Consumers can participate in such financial compensation if they affirmatively opt-in to the business’s compensation program after informed written consent, which the consumer can revoke at any time.
Businesses that violate the CCPA may be subject to fines, injunctive relief and other relief. Fines range between $100 and $750 per incident or actual damages, whichever is greater. Before filing any legal action, however, an aggrieved consumer must first notify the business of the alleged violation and provide thirty-day notice to cure. No such notice is required if the consumer is seeking actual pecuniary damages caused by the violation. If within thirty days the business cures the violation and provides an express written statement that the violation has been cured and that no further violation will occur, the consumer cannot initiate any action.
Compliance with the CCPA will obviously require significant time and resources from businesses. Among other things, businesses must track and be able to identify (both internally and externally with any third parties it has shared a consumer’s personal information) what personal information is obtained from consumers, where and how it is stored, used, transferred and/or sold. Companies must also implement procedures for honoring and timely responding to consumers’ requests concerning personal information, including a consumer’s request to delete his or her personal information and determining if any exception exists.
In short, the CCPA is a ground-breaking piece of consumer legislation and promises to have an enormous impact on companies conducting business in California.
 The CCPA is codified at Title 1.81.5 [§§1798.100-1798.11] of the California Civil Code.
 §1798.100, 110.