California Consumer Privacy Act of 2018

Updated: 12/31/2019

The California Consumer Privacy Act of 2018 (CCPA), which grants California residents new rights with respect to the collection and sale of their personal information, will go into effect on January 1, 2020. To learn more about the CCPA and how it impacts people, you can visit the California Attorney General’s CCPA homepage.

The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020. By this date, all covered businesses interacting with California consumers must update their online privacy policy. The Act grants “consumers” (any California resident regardless of whether there is a customer or any other relationship with the covered business) five new rights respecting their personal information.[i]

1) The right to request disclosure of your business’ data collection and sales practices in connection with the requesting consumer, including the categories of personal information you have collected, the source of the information, your use of the information and, if the information was disclosed or sold to third parties, the categories of personal information disclosed or sold to third parties and the categories of third parties to whom such information was disclosed or sold;

2) The right to request a copy of the specific personal information collected about them during the 12 months before their request (together with right #1, a “personal information request”);

3) The right to have such information deleted (with exceptions);

4) The right to request that their personal information not be sold to third parties, if applicable; and

5) The right not to be discriminated against because they exercised any of the new rights.

Starting January 1, 2020, the CCPA requires covered businesses to make disclosures in their public-facing privacy policies, in addition to those disclosures already required by current law, and to update such disclosures annually.

Existing law, the California Online Privacy Protection Act (Busn. & Prof Code 22575) (OPPA), requires the operator of a commercial website or online service that collects personally identifiable information about a California consumer to post a privacy policy that (i) identifies the categories of personally identifiable information it collects and the categories of third parties with whom it shares such information, (ii) describes how a site visitor can access and change information previously submitted, (iii) describes how the operator notifies consumers of changes to the privacy policy, (iv) identifies the effective date of the policy, (v) describes how the operator responds to do-not-track signals from a user’s browser and (vi) discloses whether it permits third parties to collect information about site visitors’ online activities over time and across other websites. For purposes of the statute “personally identifiable information” means individually identifiable information about a consumer including name, physical or email address, telephone number, social security number, any other identifier that permits physical or online contact of the specific individual, and any other information about a user in personally identifiable form in combination with an identifier described above. A “consumer” means an individual who seeks or acquires, by purchase or lease, any goods, services, money or credit for personal, family or household purposes.

However, the CCPA broadens the definition of “consumer” to mean any California resident, and eliminates the restriction of transacting for personal, family or household purposes. It also expands the definition of “personal information” to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It provides a non-exclusive list of categories of personal information more expansive than that in the OPPA. Where the OPPA requires disclosures about information collected by an online service or website, the CCPA requires the privacy policy to disclose its practices with respect to information collected online or offline, in any format and from any source.

[i] Note the CCPA’s requirements do not apply to “medical information” subject to the California Confidentiality of Medical Information Act (CMIA) or to “protected health information” collected by covered entities and business associates under the HIPAA Privacy, Security and Breach Notification Rules. Moreover, providers of health care subject to CMIA and covered entities subject to HIPAA are not covered businesses under CCPA if they maintain all patient information in the same manner they maintain “medical information” or “protected health information” subject to CMIA and HIPAA, respectively. CCPA also exempts information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act as well as other exemptions. In contrast, the GDPR has no such carve out for health-related data.
