What is the California Consumer Privacy Act of 2018 (CCPA):

The California Consumer Privacy Act of 2018, which went into effect January 1, 2020, is a bill passed by the state of California’s legislature. The bill, in part, grants a California resident the right to request that a business disclose the categories and specific pieces of personal information that it collects about them, the categories of sources from which that information is collected, the business purposes for collecting or selling the information and the categories of third parties with which the information is shared. The bill also requires a business to make disclosures about the information and the purposes for which it is used.

Who Does the California Consumer Privacy Act of 2018 apply to:

Businesses (for-profit) that meet one or more of the following thresholds are liable for compliance with the CCPA:

  • Has annual gross revenues in excess of $25 million
  • Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more California residents, households or devices
  • Derives 50% or more of its annual revenues from selling California residents’ personal information.

Personal information is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” For more information on personal classification according to the CCPA, review section 1798.140.

What are the requirements for CCPA compliance?

In brief, the law requires businesses to provide California residents with the right to:

  • Know what personal information is being collected and how it is being used. Consumers will have the right to know the personal information a business has collected about them, its source, and the purpose for which it is being used.
  • Know whether and to whom their personal information is sold or disclosed, and to opt-out of its sale. Companies that provide or make consumer data available to third parties for monetary or other valuable consideration are deemed to have sold the data and will need to disclose this. Subject to certain exceptions, consumers will then have the further right to opt-out of the sale of this information by using the “Do Not Sell My Personal Information” link on the business’s home page. This link is required by the Act. Moreover, those individuals 16 years and under must opt-in to have their information sold.
  • Access their personal information. Consumers will have the right to request certain information from businesses, including the sources from which a business collected the consumer’s personal information, the specific elements of personal information it collected about the consumer, and the third parties with whom it shared that information. Once the request is made, businesses must disclose the requested information free of charge within 45 days, with extensions of time available in certain circumstances.
  • Not to be discriminated against for asserting any of the rights granted by the law. The CCPA gives consumers the right to receive equal service and pricing from a business, even if they exercise their privacy rights.
  • Sue for a data breach. The new right of private action for a data breach will likely result in significant class action litigation.

For further information on how the CCPA affects marketers, as well as recommended practices to implement, you may reference CCPA What Marketers Need to Know or refer to the Government publication.

How does Predictive Response enable our customers to be CCPA compliant?

When offering services to its customers, Predictive Response acts as a “service provider” under the CCPA and our receipt and collection of any consumer personal information is completed on behalf of our customers, in order for us to provide the service. Should our customers have a request from a CA resident for their personal data, or to delete their personal information, Predictive Response will process these requests. For any such request, please submit a support ticket.

Disclaimer:

The content of this web page is a commentary on the CCPA, as Predictive Response interprets it, as of the date of publication. We’ve spent a lot of time with CCPA and like to think we’ve been thoughtful about its intent and meaning. But the application of CCPA is highly fact-specific, and not all aspects and interpretations of CCPA are well-settled.

As a result, this content is provided for informational purposes only and should not be relied upon as legal advice or to determine how CCPA might apply to you and your organization. We encourage you to work with a legally qualified professional to discuss CCPA, how it applies specifically to your organization, and how best to ensure compliance.