California - Data Protection Overview

May 2022

1. Governing Texts

This Guidance Note provides an overview of the California Consumer Privacy Act of 2018 (as amended) ('CCPA') under Part 4 of Division 3 of the California Civil Code ('Cal. Civ. Code'), and the California Consumer Privacy Act Regulations ('CCPA Regulations'). 

Additionally, the California Privacy Rights Act of 2020 ('CPRA'), or Proposition 24, was passed with a 56% majority in the California General Election of 3 November 2020. Although the CPRA will not become operative until 1 January 2023, many of its provisions are applicable to personal information collected from 1 January 2022.

1.1. Key acts, regulations, directives, bills

  • CCPA
  • CCPA Regulations
  • CPRA

1.2. Guidelines

The California Attorney General ('AG') has issued the following guidance:

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The CCPA protects natural persons or consumers and obliges businesses to meet certain requirements with regard to the processing of personal information. A business is a for-profit entity, doing business in California, that determines the purposes and means of the processing of consumers' personal information. Additionally, under the CCPA a business must meet one of the following thresholds (§1798.140 of the CCPA):

  • has annual gross revenues in excess of $25 million, as adjusted pursuant to §1798.185(a)(5) of the CCPA;
  • alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  • derives 50% or more of its annual revenues from selling consumers' personal information. 

Businesses that control or are controlled by covered businesses or share common branding with covered businesses are also subject to the CCPA (§1798.140(c)(2) of the CCPA).

2.2. Territorial scope

The obligations imposed on businesses under the CCPA do not restrict a business' ability to collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California (§1798.145(a)(6) of the CCPA). Commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer's personal information occurred in California, and no personal information collected while the consumer was in California is sold (§1798.145(a)(6) of the CCPA). Businesses are prohibited from storing, for example on a device, personal information about a consumer while the consumer is located in California and then collecting that personal information when the consumer and the stored personal information are outside of California (§1798.145(a)(6) of the CCPA).

2.3. Material scope

The CCPA generally covers the processing of consumer personal information, with processing defined as any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means (§1798.140(q) of the CCPA).

Furthermore, some of the obligations under the CCPA refer to collecting or selling personal information. Notably, the CCPA provides that a business does not sell personal information in the following circumstances (§1798.140(t) of the CCPA):

  • a consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information;
  • the business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of their personal information;
  • the business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose, if both of the following conditions are met:
    • the business has provided notice of that information being used or shared in its terms and conditions, consistent with §1798.135 of the CCPA; and
    • the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose; or
  • the business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that the information is used or shared consistently with §§1798.110 and 1798.115 of the CCPA.

The CCPA does not apply to activities governed by other laws including:

In addition, the obligations imposed by the CCPA on businesses do not restrain the business' ability to (§1798.145(a) of the CCPA):

  • comply with federal, state, or local laws;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
  • cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law; or
  • exercise or defend legal claims.

Lastly, the CCPA is not limited to information collected electronically or over the internet but applies to the collection and sale of all personal information collected by a business from consumers (§1798.175 of the CCPA).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The CCPA is enforced by the AG (§1798.155 of the CCPA).

The CPRA mandated the creation of a new state agency, the California Privacy Protection Agency ('CPPA'), which would enforce its provisions (Section 17 of the CPRA).

3.2. Main powers, duties and responsibilities

CCPA

The AG is also responsible for initiating investigations and issuing supplementary guidance on CCPA compliance and, where a business has been held to be in violation of a provision under the CCPA, the AG will bring the civil action in the name of the people of the State of California (§1798.155(b) of the CCPA).

Moreover, under the CCPA the AG may adopt regulations on topics including, but not limited to (§1798.185(a) of the CCPA):

  • updating, as needed, additional categories of personal information to those enumerated in §§1798.130(c) and 1798.140(o) of the CCPA in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns;
  • updating, as needed, the definition of unique identifiers to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and additional categories to the definition of designated methods for submitting requests to facilitate a consumer's ability to obtain information from a business pursuant to §1798.130 of the CCPA;
  • establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights, within one year of passage of the CCPA and as needed thereafter;
  • establishing rules and procedures for the following:
    • to facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information pursuant to §1798.120 of the CCPA;
    • to govern business compliance with a consumer's opt-out request; or
    • for the development and use of a recognisable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information;
  • adjusting the monetary threshold in §1798.140(c)(1)(A) of the CCPA in January of every odd-numbered year to reflect any increase in the Consumer Price Index;
  • establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to the CCPA are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer, including establishing rules and guidelines regarding financial incentive offerings, within one year of passage of the CCPA and as needed thereafter; or
  • establishing rules and procedures to further the purposes of §§1798.110 and 1798.115 of the CCPA and to facilitate a consumer's or their authorised agent's ability to obtain information pursuant to §1798.130 of the CCPA, with the goal of minimising the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business' determination that a request for information received from a consumer is a verifiable consumer request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable consumer request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business' authentication of the consumer's identity, within one year of passage of the CCPA and as needed thereafter.

CPRA

The CPPA is responsible for adopting final regulations required by the CPRA, which are expected towards the third or fourth quarter of 2022.

4. Key Definitions

Data controller: There is no definition for 'data controller' in the CCPA, however, the definition for 'business' under the CCPA bears some similarity. A 'business' is defined as a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organised or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in California, and that satisfies one or more of the following thresholds (§1798.140(c)(1) of the CCPA):

  • has annual gross revenues in excess of $25 million;
  • alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  • derives 50% or more of its annual revenues from selling consumers' personal information.

In addition, a business is any entity that controls or is controlled by a business, and that shares common branding with the business. 'Control' or 'controlled' means ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. 'Common branding' means a shared name, service mark, or trademark (§1798.140(c)(2) of the CCPA).

The CPRA would provide for some amendments to this definition when it takes effect (§1798.140(d) under Section 14 of the CPRA).

Data processor: There is no definition of 'data processor' under the CCPA. 'Service provider' means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organised or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by the CCPA, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business (§1798.140(v) of the CCPA).

The CPRA would provide for some amendments to this definition when it takes effect (§1798.140(ag) under Section 14 of the CPRA).

Personal data: 'Personal information' means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household (§1798.140(o)(1) of the CCPA):

  • identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers;
  • any categories of personal information under §1798.80(e) of the CCPA, including, any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their names, signature, social security number, physical characteristics or descriptions, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, or any other financial information, medical information, or health insurance information;
  • characteristics of protected classifications under California or federal law, such as, race, colour, religion, sex/gender, gender identity, gender expression, sexual orientation, marital status, medical conditions, military or veteran status, national origin, citizenship status, ancestry, disability, genetic information, AIDS/HIV status, political affiliations or activities, status as a victim of domestic violence, assault or stalking, requests for family care leave, requests for leave for own illness, request for pregnancy disability leave, retaliation for reporting patient abuse in tax-supported institutions, aged 40 and above;
  • commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; 
  • biometric information; 
  • other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet web site, application, or advertisement;
  • geolocation data;
  • audio, electronic, visual, thermal, olfactory, or similar information;
  • professional or employment-related information;
  • education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act of 1974 ('FERPA'), including those records, files, documents, and other materials which (i) contain information directly related to a student; and (ii) are maintained by a federally funded educational agency or institution or by a person acting for such agency or institution (§1232g(a)(2) of FERPA); and
  • inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.

'Personal information' does not include personal information that is 'publicly available'. 'Publicly available' is defined as information that is lawfully made available from federal, state, or local government records, and explicitly excludes biometric information collected by a business about a consumer without the consumer's knowledge (§1798.140(2) of the CCPA). 'Personal information' also explicitly does not include information that is deidentified or aggregated (§1798.140(3) of the CCPA).

The CPRA would provide for some amendments to this definition when it takes effect (§1798.140(v) under Section 14 of the CPRA).

Sensitive data: There is no definition of 'sensitive data' in the CCPA. The CPRA provides for a definition of 'sensitive personal information', which means (§1798.140(ae) under Section 14 of the CPRA):

  • personal information that reveals:
    • a consumer's social security, driver's license, state identification card, or passport number;
    • a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
    • a consumer's precise geolocation;
    • a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership; and
    • the contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication;
  • a consumer's genetic data;
  • the processing of biometric information for the purpose of uniquely identifying a consumer;
  • personal information collected and analysed concerning a consumer's health; and
  • personal information collected and analysed concerning a consumer's sex life or sexual orientation.

Sensitive personal information that is publicly available must not be considered sensitive personal information or personal information.

Health data: There is no definition of 'health data' under the CCPA or the CPRA.

Biometric data: 'Biometric information' means an individual's physiological, biological, or behavioural characteristics, including an individual's deoxyribonucleic acid ('DNA'), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information (§1798.140(b) of the CCPA).

The CPRA would provide for some amendments to this definition when it takes effect (§1798.140(c) under Section 14 of the CPRA).

Pseudonymisation: The processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organisational measures to ensure that the personal information is not attributed to an identified or identifiable consumer (§1798.140(r) of the CCPA).

Data subject: There is no definition of 'data subject' under the CCPA. 'Consumer' means a natural person who is a California resident, as defined in §17014 of Title 18 of the California Code of Regulations, as that Section read on 1 September 2017, however identified, including by any unique identifier (§1798.140(g) of the CCPA).

5. Legal Bases 

5.1. Consent

CCPA

A business that has received a consumer's direction not to sell their personal information is prohibited from selling that personal information after receiving the direction, unless the consumer subsequently provides express authorisation for the sale of the consumer's personal information (§1798.120(d) of the CCPA).

CPRA

A business is prohibited from using or disclosing a consumer's sensitive personal information once it has received the consumer's request to limit that use or disclosure. The business may only use or disclose the consumer's sensitive personal information for additional purposes if the consumer subsequently provides consent for such use or disclosure (§1798.121(b) under Section 10 of the CPRA).

5.2. Contract with the data subject

CCPA

The CCPA does not explicitly outline an obligation of a contract with respect to a data subject; however, the definition of 'service provider' under the CCPA does require a written contract between the business and the service provider (see section 4 above for the definition of 'service provider') (§1798.140(v) of the CCPA).

Additionally, §1798.105(d)(1) of the CCPA provides that a business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain their personal information in order to complete the transaction for which the personal information was collected, fulfil the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

5.3. Legal obligations

CCPA

The obligations imposed on businesses by the CCPA do not restrict a business' ability to (§1798.145(a)(1) to (4) of the CCPA):

  • comply with federal, state, or local laws;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
  • cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law; and
  • exercise or defend legal claims.

5.4. Interests of the data subject

The CCPA and CPRA do not expressly list positive grounds for the processing of personal information for the interests of the data subject.

5.5. Public interest

The CCPA and CPRA do not expressly list positive grounds for the general processing of personal information for the public interest. 

However, and with respect to processing and consumers' right to deletion, the CCPA provides that a business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest (§1798.105(d)(6) of the CCPA).

5.6. Legitimate interests of the data controller

The CCPA and CPRA do not expressly list positive grounds for the processing of personal information for the legitimate interest of the data controller.

5.7. Legal bases in other instances

CCPA

The CCPA does not explicitly refer to other legal bases for processing personal data in other instances. However, the CCPA lists the following as examples of business purposes for which businesses can process personal information (§1798.140(d)(1) to (7) of the CCPA):

  • auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards;
  • detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
  • debugging to identify and repair errors that impair existing intended functionality;
  • short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including, but not limited to, the contextual customisation of ads shown as part of the same interaction;
  • performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider;
  • undertaking internal research for technological development and demonstration; or
  • undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

Furthermore, a business purpose is defined under the CCPA as the use of personal information for the business' or a service provider's operational purposes, or other notified purposes, provided that the use of personal information is reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected (§1798.140(d) of the CCPA).

6. Principles

CCPA

The CCPA obliges businesses that collect a consumer's personal information to disclose to that consumer, at or before the point of collection, the categories and specific pieces of personal information the business has collected. Further, a business is prohibited from collecting additional categories of personal information, or using personal information already collected for additional purposes, without providing the consumer with notice consistent with the CCPA (§1798.100(a) and (b) of the CCPA).

CPRA

The CPRA stipulates that businesses should (Section 3 of the CPRA): 

  • specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice;
  • only collect consumers' personal information for specific, explicit, and legitimate disclosed purposes, and should not further collect, use, or disclose consumers' personal information for reasons incompatible with those purposes; and 
  • collect consumers' personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared.

In addition, the CPRA sets out the following principles for its implementation (Section 3 of the CPRA):

  • the rights of consumers and the responsibilities of businesses should be implemented with the goal of strengthening consumer privacy, while giving attention to the impact on business and innovation;
  • businesses and consumers should be provided with clear guidance about their responsibilities and rights;
  • the law should place the consumer in a position to knowingly and freely negotiate with a business over the business' use of the consumer's personal information;
  • the law should adjust to technological changes, help consumers exercise their rights, and assist businesses with compliance, with the continuing goal of strengthening consumer privacy;
  • the law should enable pro-consumer new products and services and promote efficiency of implementation for business, provided that the amendments do not compromise or weaken consumer privacy;
  • the law should be amended, if necessary, to improve its operation, provided that the amendments do not compromise or weaken consumer privacy, while giving attention to the impact on business and innovation;
  • businesses should be held accountable for violating the law through vigorous administrative and civil enforcement; and
  • to the extent it advances consumer privacy and business compliance, the law should be compatible with privacy laws in other jurisdictions.

7. Controller and Processor Obligations

The CPRA requires that businesses not penalise consumers for exercising their privacy rights and that they take reasonable precautions to protect consumers' personal information from a security breach. In addition, businesses should be held accountable when they violate consumers' privacy rights, and the penalties should be higher when the violation affects children (Section 3 of the CPRA).

7.1. Data processing notification

There is no notification requirement under the main CCPA statute. However, under the CCPA Regulations, a business that knows or reasonably should know that it, alone or in combination, buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, the personal information of 10 million or more consumers in a calendar year must, upon request from the AG, communicate the following metrics for the previous calendar year (§999.317(g)(1) of the CCPA Regulations):

  • the number of requests to know that the business received, complied with in whole or in part, and denied;
  • the number of requests to delete that the business received, complied with in whole or in part, and denied;
  • the number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
  • the median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

7.2. Data transfers

The CCPA does not contain provisions explicitly relating to cross-border data transfers and localisation. However, transferring data to third parties is included in the definition of selling. 'Selling' is defined as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration (§1798.140(t)(1) of the CCPA).

Under the CCPA a business does not sell information when (§1798.140(t)(2) of the CCPA):

  • A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of the CCPA. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
  • The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.
  • The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
    • the business has provided notice of that information being used or shared in its terms and conditions consistent with §1798.135 of the CCPA; and
    • the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
  • The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with §§1798.110 and 1798.115 of the CCPA. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it must provide prior notice of the new or changed practice to the consumer. The notice must be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with §1798.120 of the CCPA. This subsection does not authorise a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act under §17200 of Chapter 5 of Part 2 of Division 7 of the Business and Professions Code.

In addition, and in accordance with a consumer's right to be informed, right of access, and right to object, consumers have the right to choose not to have their data shared with third parties (see section on other rights below). Businesses may offer consumers financial incentives to share their personal information; however, such incentives must be disclosed, and businesses must be transparent about this practice (§1798.125(b)(1) and (2) of the CCPA).

7.3. Data processing records

CCPA

A business is required to maintain, for at least 24 months, records of consumer requests made pursuant to the CCPA and how the business responded to the requests (§999.317(b) of the CCPA Regulations). Information maintained for this record-keeping purpose is not permitted to be used for any other purpose. In addition, a business is not required to retain personal information solely for the purpose of fulfilling a consumer request under the CCPA (§999.317(f) of the CCPA Regulations).

CPRA

A business may maintain a confidential record of its deletion requests solely for the purpose of preventing the personal information of a consumer who has submitted a deletion request from being sold, for compliance with laws, or for other purposes solely to the extent permissible under the CPRA (§1798.105(c)(2) under Section 5 of the CPRA).

7.4. Data protection impact assessment

There is no mandatory requirement to undertake a PIA under the CCPA. However, the CPRA refers to risk assessments, and mandates that the CPPA has the authority to issue regulations requiring businesses whose processing of consumers' personal information presents significant risk to consumers' privacy or security, to submit on a regular basis a risk assessment with respect to their processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing, with the goal of restricting or prohibiting such processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public (§1798.185(a)(15)(B) under Section 21 of the CPRA).

7.5. Data protection officer appointment

There is no requirement to appoint a data protection officer in the CCPA or CPRA.

7.6. Data breach notification

There is a requirement to provide notification following a data breach in California which is governed by Cal. Civ. Code §1798.82.

CCPA

Any consumer whose non-encrypted and non-redacted personal information is subject to unauthorised access and exfiltration, theft, or disclosure, as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information, may institute a civil action for any of the following (§1798.150(a)(1) of the CCPA):

  • to recover damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater;
  • injunctive or declaratory relief; or
  • any other relief the court deems proper.

In assessing the amount of statutory damages, the courts are entitled to consider any one or more of the relevant circumstances presented by any of the parties to a case including (§1798.150(a)(2) of the CCPA):

  • the nature and seriousness of the misconduct;
  • the number of violations;
  • the persistence of the misconduct;
  • the length of time over which the misconduct occurred;
  • the wilfulness of the defendant's misconduct; and
  • the defendant's assets, liabilities, and net worth.

CPRA

The CPRA reinforces the breach notification obligations and stipulates that a business should also be held directly accountable to consumers for data security breaches and notify consumers when their most sensitive information has been compromised (Section 2(K) of the CPRA). 

The CPRA amends the breach notification obligation to provide that any consumer whose non-encrypted and non-redacted personal information, or whose email address in combination with a password or security question and answer that would permit access to the account, is subject to an unauthorised access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action (§1798.150(a)(1) under Section 16 of the CPRA).

7.7. Data retention

CCPA

The CCPA does not establish data retention obligations; in particular, it does not require businesses to collect personal information that they would not otherwise collect in the ordinary course of business (§1798.145(k) of the CCPA). Specifically, the CCPA states that, in relation to access requests and disclosure obligations, a business is not required to retain any personal information collected for a single, one-time transaction if such information is not sold or retained by the business, or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information (§§1798.100(e) and 1798.110(d)(1) of the CCPA). However, as part of a business' obligation to respond to consumer requests for access or in the exercise of a consumer's right to know, a business is obliged to provide only the personal information for the 12-month period preceding the original consumer request (§1798.130(a)(2) of the CCPA).

CPRA

Under the CPRA, §1798.110(d)(1) of the CCPA will not apply (see amendments under §1798.110 of Section 7 of the CPRA).

7.8. Children's data

A business is prohibited from selling the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorised the sale of the consumer's personal information (§1798.120(c) of the CCPA). This right is known as the right to opt-in. 

Upon receiving this direction expressly stating a request to not sell the personal information, the business is prohibited from selling the consumer's personal information unless the consumer or their guardian subsequently provides express authorisation for the sale of the consumer's personal information (§1798.120(d) of the CCPA).

7.9. Special categories of personal data

CCPA

The CCPA does not explicitly provide for a definition of special categories of personal data nor does it stipulate any obligations in relation to the processing of such data.

CPRA

In accordance with §1798.140(ae) under Section 14 of the CPRA, the CPRA defines 'sensitive personal information' as personal information that reveals: 

  • a consumer's social security, driver's license, state identification card, or passport number;
  • a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; 
  • a consumer's precise geolocation; 
  • a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership; 
  • the contents of a consumer's mail, email, and text messages, unless the business is the intended recipient of the communication; and
  • a consumer's genetic data.

Sensitive personal information also includes:

  • the processing of biometric information for the purpose of uniquely identifying a consumer; 
  • personal information collected and analysed concerning a consumer's health; or 
  • personal information collected and analysed concerning a consumer's sex life or sexual orientation. 

Sensitive personal information that is publicly available shall not be considered sensitive personal information or personal information.

In this respect, the CPRA also establishes certain requirements when processing such information, such as limiting the use of such sensitive personal information (Section 3(A)(2) of the CPRA), providing consumers with certain information when handling sensitive personal information and not collecting additional categories for additional purposes (§1798.100(a)(2) and (3) under Section 4 of the CPRA), as well as the express right to limit the use and disclosure of sensitive personal information (§1798.121 under Section 10 of the CPRA), among other requirements.

7.10. Controller and processor contracts

CCPA

The CCPA provides that a service provider can only process information on behalf of a business and receive a consumer's personal information for a business purpose pursuant to a written contract (§1798.140(v) of the CCPA).

A business purpose is defined as 'the use of personal information for the business' or a service provider's operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected' (§1798.140(d) of the CCPA). 

The contract must prohibit the entity that is receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by the CCPA, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business (§1798.140(v) of the CCPA). 

Under the CCPA Regulations, service providers cannot retain, use, or disclose personal information obtained in the course of providing services, except (§999.314(c) of the CCPA Regulations):

  • to process or maintain personal information on behalf of the business that provided the personal information or directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA;
  • to retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and the CCPA Regulations;
  • for internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source;
  • to detect data security incidents or protect against fraudulent or illegal activity; or 
  • to comply with federal, state, or local laws, a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities, cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law, or exercise or defend legal claims.

CPRA

A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose, must enter into an agreement with such third party, service provider, or contractor that (§1798.100(d) under Section 4 of the CPRA): 

  • specifies that the personal information is sold or disclosed by the business only for limited and specified purposes;
  • obligates the third party, service provider, or contractor to comply with applicable obligations under the CPRA and to provide the same level of privacy protection as is required by the CPRA;
  • grants the business rights to take reasonable and appropriate steps to help to ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business' obligations under the CPRA;
  • requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under the CPRA; and
  • grants the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorised use of personal information.

8. Data Subject Rights

The CPRA provides the following consumer rights (Section 3 of the CPRA):

  • consumers should know who is collecting their personal information and that of their children, how it is being used, and to whom it is disclosed, so that they have the information necessary to exercise meaningful control over businesses' use of their personal information and that of their children;
  • consumers should be able to control the use of their personal information, including limiting the use of their sensitive personal information, the unauthorised use or disclosure of which creates a heightened risk of harm to the consumer, and they should have meaningful options over how it is collected, used, and disclosed;
  • consumers should have access to their personal information and should be able to correct, delete, and take it with them from one business to another;
  • consumers or their authorised agents should be able to exercise these options through easily accessible self-serve tools;
  • consumers should be able to exercise these rights without being penalised for doing so;
  • consumers should be able to hold businesses accountable for failing to take reasonable precautions to protect their most sensitive personal information from hackers and security breaches;
  • consumers should benefit from businesses' use of their personal information; 
  • the privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses. In addition, this law is not intended to interfere with the right to organise and collective bargaining under the National Labor Relations Act of 1935 ('the Labor Relations Act'). It is the purpose and intent of the Labor Relations Act to extend the exemptions in the CCPA for employee and business to business communications until 1 January 2023; and
  • consumers or their authorised agents should be provided with easily accessible means to allow consumers and their children to obtain their personal information, to delete or correct it, and to opt-out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive personal information. 

8.1. Right to be informed

CCPA

The CCPA makes a distinction between a business' disclosure obligations when it collects information and when it sells information.

The CCPA provides for the right to be informed in §§1798.100(b), 1798.130(a), and 1798.135 of the CCPA. In addition, the CCPA Regulations outline more specific information on notices that should be provided to consumers, including a notice at collection of personal information (see §999.305 of the CCPA Regulations). If a business does not give this information to the consumer at or before the point of collection, it may not collect personal information from that consumer (§999.305(a)(6) of the CCPA Regulations).

A business is required to disclose and update annually the following information in its online privacy policy or policies and, if the business does not maintain those policies, on its internet website (§1798.130(a)(5) of the CCPA):

  • a description of a consumer's rights pursuant to §§1798.100, 1798.105, 1798.110, 1798.115, and 1798.125 of the CCPA, and one or more designated methods for submitting requests;
  • for purposes of §1798.110(c) of the CCPA a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in §1798.110(c) of the CCPA that most closely describe the personal information collected; and
  • for purposes of §1798.115(c)(1) and (2) of the CCPA, two separate lists:
    • a list of the categories of personal information it has sold about consumers in the preceding 12 months by reference to the enumerated category or categories in §1798.110(c) of the CCPA that most closely describe the personal information sold, or if the business has not sold consumers' personal information in the preceding 12 months, the business must disclose that fact; and
    • a list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category or categories in §1798.110(c) of the CCPA that most closely describe the personal information disclosed, or if the business has not disclosed consumers' personal information for a business purpose in the preceding 12 months, the business must disclose that fact.

Disclosure obligations when collecting information

In addition, under the CCPA a consumer has the right to request that a business that collects personal information about the consumer disclose the following (§1798.110(a) of the CCPA):

  • the categories of personal information it has collected about that consumer;
  • the categories of sources from which the personal information is collected;
  • the business or commercial purpose for collecting or selling personal information;
  • the categories of third parties with whom the business shares personal information; and
  • the specific pieces of personal information it has collected about that consumer.

A business that collects personal information about a consumer must disclose, pursuant to §1798.130(a)(5)(B) of the CCPA, the following (§1798.110(c) of the CCPA):

  • the categories of personal information it has collected about consumers;
  • the categories of sources from which the personal information is collected;
  • the business or commercial purpose for collecting or selling personal information;
  • the categories of third parties with whom the business shares personal information; and
  • that a consumer has the right to request the specific pieces of personal information the business has collected about that consumer.

Disclosure obligations when selling information

A consumer has the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to the consumer (§1798.115(a) of the CCPA):

  • the categories of personal information that the business collected about the consumer;
  • the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each category of third parties to whom the personal information was sold; and
  • the categories of personal information that the business disclosed about the consumer for a business purpose.

A business that sells consumers' personal information, or that discloses consumers' personal information for a business purpose, must disclose, pursuant to §1798.130(a)(5)(C) of the CCPA, the following: 

  • the category or categories of consumers' personal information it has sold, or if the business has not sold consumers' personal information, it must disclose that fact; and
  • the category or categories of consumers' personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers' personal information for a business purpose, it must disclose that fact.

CPRA

Obligations when collecting personal information

The CPRA extensively amends §1798.100 of the CCPA by stipulating that a business that controls the collection of consumer's personal information must, at or before the point of collection, inform consumers of the following (§1798.100(a) under Section 4 of the CPRA):

  • The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether such information is sold or shared. A business must not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice.
  • If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used and whether such information is sold or shared. A business must not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected, without providing the consumer with notice.
  • The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period, provided that a business must not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.

Moreover, a business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under §1798.100(a) under Section 4 of the CPRA by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if such business, acting as a third party, controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business must, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether such personal information is sold, in a clear and conspicuous manner at such location (§1798.100(b) under Section 4 of the CPRA).

A business' collection, use, retention, and sharing of a consumer's personal information must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes (§1798.100(c) under Section 4 of the CPRA).

Obligations when selling personal information

A consumer has the right to request that a business that sells or shares the consumer's personal information, or that discloses it for a business purpose, disclose the following information (§1798.115(a) under Section 8 of the CPRA):

  • the categories of personal information that the business collected about the consumer;
  • the categories of personal information that the business sold or shared about the consumer and the categories of third parties to whom the personal information was sold or shared, by category or categories of personal information for each category of third parties to whom the personal information was sold or shared; and
  • the categories of personal information that the business disclosed about the consumer for a business purpose and the categories of persons to whom it was disclosed for a business purpose.

A business that sells or shares consumers' personal information, or that discloses consumers' personal information for a business purpose, must, after a verifiable consumer request, disclose the following information (§1798.115(c) under Section 8 of the CPRA):

  • the category or categories of consumers' personal information it has sold or shared, or if the business has not sold or shared consumers' personal information, it must disclose that fact; and
  • the category or categories of consumers' personal information it has disclosed for a business purpose, or if the business has not disclosed consumers' personal information for a business purpose, it must disclose that fact.

A third party must not sell or share personal information about a consumer that has been sold to, or shared with, the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out (§1798.115(d) under Section 8 of the CPRA).

8.2. Right to access

CCPA

The consumer has the right to request that a business that collects a consumer's personal information disclose to that consumer (§1798.100(a) and (b) of the CCPA):

  • the categories and specific pieces of personal information to be collected or that have been collected;
  • the purposes for which the categories of personal information will be used;
  • limits to the collection of additional categories of personal information or use for additional purposes without notice to the consumer; and
  • the business' obligation to provide access to that information at the consumer's request.

When a business receives such a request, it should take prompt steps to disclose and deliver, free of charge to the consumer, the personal information required. This can be done by mail or electronically; if delivered electronically, the information should be in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit this information to another entity without hindrance. A business is required to fulfil such requests no more than twice in a 12-month period (§1798.100(d) of the CCPA).

Consumers also have the right to request that a business that collects personal information about them disclose the following to them (§1798.110(a) of the CCPA):

  • the categories of personal information it has collected about that consumer;
  • the categories of sources from which the personal information is collected;
  • the business or commercial purpose for collecting or selling personal information;
  • the categories of third parties with whom the business shares personal information; and
  • the specific pieces of personal information it has collected about that consumer.

The CCPA Regulations provide additional information with respect to the right of access in §§999.312, 999.313, and 999.318 of the CCPA Regulations.

CPRA

A consumer has the right to request that a business that collects their personal information disclose the following (§1798.110(a) under Section 7 of the CPRA):

  • the categories of personal information it has collected about that consumer;
  • the categories of sources from which the personal information is collected;
  • the business or commercial purpose for collecting, selling, or sharing personal information;
  • the categories of third parties to whom the business discloses personal information; and
  • the specific pieces of personal information it has collected about that consumer.

A business that collects personal information about consumers must disclose (§1798.110(c) under Section 7 of the CPRA):

  • the categories of personal information it has collected about consumers;
  • the categories of sources from which the personal information is collected;
  • the business or commercial purpose for collecting, selling, or sharing personal information;
  • the categories of third parties to whom the business discloses personal information; and
  • that a consumer has the right to request the specific pieces of personal information the business has collected about that consumer.

8.3. Right to rectification

CCPA

The CCPA does not explicitly refer to the right to rectification.

CPRA

A consumer has the right to request that a business that maintains inaccurate personal information about the consumer correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information (§1798.106(a) under Section 6 of the CPRA).

A business must disclose to the consumer their right to request the correction of inaccurate personal information (§1798.106(b) under Section 6 of the CPRA). 

A business that receives a verifiable consumer request to correct inaccurate personal information must use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer (§1798.106(c) under Section 6 of the CPRA).

8.4. Right to erasure

CCPA

A consumer has the right to request, free of charge, that a business delete any personal information about the consumer which the business has collected from the consumer (§1798.105(a) of the CCPA).

A business that collects personal information about consumers is required to disclose, pursuant to §1798.130 of the CCPA, the consumer's right to request the deletion of their personal information (§1798.105(b) of the CCPA). In response, the business must delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records (§1798.105(c) of the CCPA).

A business or service provider is exempt from this obligation if it is necessary to maintain the consumer's personal information in order to (§1798.105(d) of the CCPA):

  • complete the transaction for which the personal information was collected, fulfil the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;
  • detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity;
  • debug to identify and repair errors that impair existing intended functionality;
  • exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided for by law;
  • comply with the California Electronic Communications Privacy Act;
  • engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent;
  • enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business;
  • comply with a legal obligation; or
  • otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

The CCPA Regulations provide additional information with respect to the right to erasure in §§999.312, 999.313, and 999.318 of the CCPA Regulations.

CPRA

A consumer will have the right to request that a business delete any personal information about the consumer which the business has collected (§1798.105(a) under Section 5 of the CPRA). A business that collects personal information about the consumer must disclose to the consumer their right to request the deletion of their personal information (§1798.105(b) under Section 5 of the CPRA).

A business, a service provider, or a contractor acting pursuant to its contract with the business, another service provider, or another contractor, is not required to comply with a consumer's request to delete their personal information if it is reasonably necessary for the business, service provider, or contractor to maintain the consumer's personal information in order to (§1798.105(d) under Section 5 of the CPRA):

  • complete the transaction for which the personal information was collected, fulfil the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;
  • help to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for those purposes;
  • debug to identify and repair errors that impair existing intended functionality;
  • exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided for by law;
  • comply with the California Electronic Communications Privacy Act;
  • engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if the consumer has provided informed consent;
  • enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business and compatible with the context in which the consumer provided the information; or
  • comply with a legal obligation.

8.5. Right to object/opt-out

CCPA

A third party is prohibited from selling personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to opt-out pursuant to §1798.120 of the CCPA (§1798.115(d) of the CCPA).

A consumer has the right, at any time, to direct a business that sells personal information about the consumer not to sell the consumer's personal information; this is known as the right to opt-out (§1798.120(a) of the CCPA). A business that sells consumer personal information to third parties is required to notify consumers that this information may be sold and that consumers have the right to opt-out of the sale (§1798.120(b) of the CCPA).

The CCPA Regulations provide additional information with respect to the right to opt-out in §§999.306, 999.315, and 999.316 of the CCPA Regulations.

CPRA

The CPRA amends this provision so that the opt-out right covers the sharing of personal information as well as its sale, as can be seen in §1798.120 under Section 9 of the CPRA.

8.6. Right to data portability

CCPA

As part of a consumer's right of access to their personal information, there is a right to the portability of that information. In particular, when a business receives such a request it must take prompt steps to disclose and deliver, free of charge to the consumer, the personal information required. This may be done by mail or electronically; if provided electronically, the information must be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business is not required to provide this information more than twice in a 12-month period (§1798.100(d) of the CCPA) (see the section on the right to access above for further information).

8.7. Right not to be subject to automated decision-making

CCPA

The CCPA does not explicitly refer to the right not to be subject to automated decision-making.

CPRA

The CPRA does not explicitly refer to a right not to be subject to automated decision-making.

However, the CPRA does stipulate that the AG may adopt regulations in areas which include the governing of access and opt-out rights with respect to businesses' use of automated decision-making technology, including profiling. Such regulations may require businesses' responses to access requests to include meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer (§1798.185(a)(16) under Section 21 of the CPRA).

8.8. Other rights

Right to not be discriminated against

CCPA

A consumer has the right not to be discriminated against because of the exercise of any of the consumer's rights, including but not limited to, by (§1798.125(a)(1) of the CCPA):

  • denying goods or services to the consumer;
  • charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  • providing a different level or quality of goods or services to the consumer; or
  • suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

CPRA

The CPRA amends the above provision under the CCPA slightly by providing that a consumer has the right not to be discriminated against because of the exercise of their rights, including but not limited to, by (§1798.125 under Section 11 of the CPRA):

  • denying goods or services to the consumer;
  • charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  • providing a different level or quality of goods or services to the consumer;
  • suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services; or
  • retaliating against an employee, applicant for employment, or independent contractor.

Unfair practices

Under both the CCPA and CPRA, a business is generally permitted to offer financial incentives, including payments to consumers as compensation, for the collection, sale, or deletion of personal information. However, a business is prohibited from using financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature (§1798.125(b)(4) of the CCPA).

Right to limit use and disclosure of sensitive personal information

CPRA

A consumer has the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer's sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. Where a business uses or discloses a consumer's sensitive personal information for purposes other than those specified, the business must provide notice to consumers (§1798.121(a) under Section 10 of the CPRA):

  • that this information may be used, or disclosed to a service provider or contractor, for additional specified purposes; and
  • that the consumer has the right to limit the use or disclosure of their sensitive personal information.

9. Penalties

Non-compliance

CCPA

The CCPA establishes civil penalties for non-compliance with its provisions. A civil action is brought in court by the AG in the name of the people of the State of California.

A business that fails to cure an alleged violation within 30 days of being notified of the alleged non-compliance will be held to be in violation of the CCPA and will be subject to an injunction and liable for a civil penalty of not more than $2,500 per violation, or $7,500 for each intentional violation (§1798.155(b) of the CCPA).

The proceeds of any settlement resulting from an action brought by the AG will be deposited in the Consumer Privacy Fund with the intent to fully offset any costs incurred by the state courts and the AG in bringing the action (§1798.155(c) of the CCPA).

CPRA

Under the CPRA, the same level of penalties is provided, but §1798.155 of the CCPA will be amended and expanded to provide that any business, service provider, contractor, or other person that violates the CPRA can also be subject to an administrative enforcement action brought by the California Privacy Protection Agency ('CPPA') (see §1798.155(a) under Section 17 of the CPRA).

Private right of action

The CCPA provides a private right of action in relation to data security breaches where a consumer's non-encrypted and non-redacted personal information is subject to unauthorised access and exfiltration, theft, or disclosure as a result of the business' violation of its duty to implement and maintain reasonable security procedures and practices. Damages under the CCPA range from $100 to $750 per consumer per incident, or actual damages, whichever is greater (§1798.150(a)(1)(A) of the CCPA).

9.1. Enforcement decisions

Not applicable.