What is the CCPA?
The California Consumer Privacy Act ("CCPA") grants California consumers new rights with respect to the collection of their personal information and requires companies to comply with certain obligations related to those rights, including:
- An obligation on businesses to notify a consumer of its data collection practices, including the categories of personal information it has collected, the source of the information, the business’s use of the information, and to whom the business disclosed the information it has collected about the consumer;
- The consumer’s right to receive a copy, in a readily usable format, of the specific personal information collected about them during the twelve (12) months prior to their request;
- The consumer’s right to have such personal information deleted (with exceptions);
- The consumer’s right to know the business’ data sale practices and to request that their personal information not be sold to third parties;
- A prohibition on businesses on discrimination for exercising a consumer right; and
- An obligation on businesses to notify a consumer of their rights.
What is considered personal data?
The CCPA defines personal information broadly to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household.
The statute provides a non-exhaustive list of categories of personal information, including:
- Identifiers including real name, alias, postal address, unique personal identifier, online identifier, internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Characteristics of protected classifications under California or federal law;
- Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Biometric information;
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Professional or employment-related information; and
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA).