Frequently Asked Questions
Have a question? See below. For other questions, email firstname.lastname@example.org.
What is the CCPA?
Briefly, the CCPA says a business must:
2. Deliver the personal information they collected about the consumer in response to a “verifiable consumer request.”
3. Delete the personal information they collected about a consumer and direct their vendors (“service providers”) to delete it as well, in response to a verifiable consumer request.
4. Display a “Do Not Sell My Personal Information” link on their homepage that enables consumers to opt out of the sale of the consumer’s personal information.
5. Display a toll-free number that consumers can call to register privacy preferences.
And the CCPA says businesses must not:
1. Discriminate against a consumer who exercises their CCPA rights (but they can charge different prices or provide goods or services in certain circumstances).
3. Sell personal information of consumers known to be less than 16 years of age, unless the consumer, if aged 13 to 16 years, or the consumer’s parent or guardian, for consumers under 13, has affirmatively authorized the sale.
Does CCPA apply to me?
1. Has > $25 million in revenue (likely from all jurisdictions, although the CCPA is ambiguous on this point); or
2. Buys, receives, sells, or shares personal information about 50,000 or more consumers, households, or devices (if your website serves 50,000 or more unique visitors, you’ve likely collected sufficient analytics data); or
3. Derives >= 50% of annual revenue from selling CA consumers’ personal information (this is probably most relevant to data brokers and other marketing or ad tech businesses).
“Doing business” in California can include entering into repeated transactions within California, maintaining a physical presence in California such as offices or servers, and having employees in California. It is possible for a business to be “doing business” in California, whether or not it is incorporated, qualified or registered under California law. For more information, the latest version of this resource is helpful in addition to seeking legal advice.
Do I really need a toll-free number?
What personal information does the CCPA pertain to?
This is much broader than other U.S. privacy laws and is similar to the EU’s definition in the GDPR. In fact, it goes beyond the GDPR to include information related to “households” rather than specific persons; however, it still excludes aggregated or de-identified data.
Examples include not only names, phone numbers, mailing and email addresses or a Social Security number, but also IP addresses, cookie IDs and other unique identifiers.
How do consumers submit requests under the CCPA?
How do I respond to consumer requests?
Businesses may not charge consumers for responding to requests, and they cannot discriminate against consumers who exercise their CCPA rights.
For example, a business may not charge a consumer a different price or provide different or lower-quality goods or services to a consumer who exercised his or her CCPA rights. CCPA does, however, permit a business to offer different goods or services where the difference is “reasonably related” to the value to the consumer of the consumer’s data.
Businesses can also encourage consumers to provide access to data by offering financial incentive programs (e.g., cash payments) for the collection, sale or deletion of personal information. The incentives must not be unjust, unreasonable, coercive or usurious. Businesses must obtain opt-in consent for incentive programs, must disclose all material program terms in advance, and must offer consumers the ability to opt out of the programs at any time.
Do I really have to stop selling personal information if requested?
Do I really have to delete personal information if requested?
Businesses do not need to delete information if it’s needed to:
1. complete a transaction or perform a contract with the consumer
2. detect security incidents or protect against fraud or illegal activity
3. identify and fix errors in service functionality
4. exercise free speech
5. comply with a legal obligation
6. engage in scientific research
7. engage in other internal uses reasonably aligned with consumer expectations
A “verifiable request” is one where the business can verify that the data in question is associated with the requester. The level of due diligence should be proportional to the sensitivity of the information to be disclosed or deleted. Note that businesses cannot require consumers to create an account to fulfill CCPA requests. The California Attorney General will issue more guidance on verifiable requests.
Who can enforce the CCPA and what are the penalties for non-compliance?
Consumers may, however, sue directly under the CCPA where unencrypted data is subject to a breach that resulted from a failure to implement reasonable security practices. In this scenario, consumers can recover statutory damages of $100 to $750 each per incident, or their actual, provable damages if greater. This “private right of action” carries a high risk of class-action lawsuits in case of a data breach.