CCPA Paving the Way For State Law’s Privacy Policy

Jacalyn Smith

Associate Editor

Loyola University Chicago School of Law, JD 2020

After Equifax, one of the largest credit reporting agencies, leaked 143 million people’s personal information in 2017, many state legislators scramble to regulate how businesses collect, protect, and use customer’s personal information.

Despite the fact that all 50 states have adopted some statute that requires businesses to notify consumers when their personal information has been breached, many people remain uneasy.  Some citizens, like those in California, have decided to take matters into their own hands. Because California allows its citizens to propose initiatives by acquiring the requisite number of signatures via petition, California residents possess the ability to add an initiative to the November ballot. If Californians vote to pass the initiative, it becomes a state law, which the state legislature cannot amend.

In response to the citizen’s initiative, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law on June 28, 2018. In doing so, Governor Brown allows California legislators to streamline issues within the bill; however, it provides many hurdles for businesses’ compliance efforts. Especially for companies like Facebook, Quora, and Reddit, all of whom have headquarters in California, and for which collecting and disclosing user data to advertisers is a key source of revenue.

What does the CCPA do for consumers?

Set to take effect on January 1, 2020, the CCPA provides consumers with basic rights regarding their personal information. Generally, personal information is considered an identifier such as a person’s legal name, alias, email address, social security number, driver’s license number, or passport number. The CCPA expands the understanding of personal identifiers to include biometric information such as fingerprint, face, hand, and palm patterns, identifiers that many consumers use to open their smartphones and laptops.

More pertinent to businesses, personal information, under the CCPA, includes records of “personal property, products or services purchased, obtained or other purchasing histories” and “inferences drawn about consumer preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

Intended to improve consumer control, the CCPA affords consumers five basic rights regarding their personal information:

  1. To know what personal information is being collected about them,
  2. To know whether their personal information is sold or disclosed and to whom,
  3. To say no to the sale of personal information,
  4. To access their personal information,
  5. To equal service and price, even if they exercise their right to privacy.

Implied in these five rights, consumers may also request that their personal information is deleted. Businesses that collect and disclose or sell personal information must notify any and all third parties that they must delete the consumer’s personal information as well.

While the CCPA only provides rights to natural persons who are California residents, it applies to any business that conducts business in California, regardless of where the business is incorporated. In an age where consumers have access to goods from across the country or around the globe, California’s CCPA represents a movement towards consumer empowerment, and it has the ability to set a precedent of nationwide privacy reform. 

What does this mean for businesses?

While the CCPA requires businesses to disclose what personal information is collected and whether it is sold or disclosed to third parties, businesses [1]are not required to disclose that information unless a consumer requests it. Even then, consumers are limited. According to the CCPA’s Right to Know provision, §1798.100(d), a business may provide personal information to a consumer at any time. However, a business is only required to provide information twice in a six-month period. After those two free reports, business can charge for any additional information requests within the same 12-month period. The CCPA fails to cap the fees that businesses can charge for fulfilling these additional requests.

Businesses are required to provide consumers with at least two means to make a request for the category, source, or sale of their personal information. The most common methods are toll-free numbers and online forms. Businesses must update their privacy statements to outline what personal information the business will collect about its consumers and the purposes for which such data will be used.

Upon request, businesses must disclose from what sources the personal information was collected, the business or commercial purpose for collecting or selling the personal information and the categories of third parties that received the personal information within 45 days of receiving the request. If a consumer requests information about who their personal information was sold to, then a business does not have to disclose the source of the personal information.

For businesses that sell consumer data to third parties, they should include a “Do Not Sell My Personal Information” link on their homepage. Akin to the Federal Trade Commission’s “Do Not Call” Registry, which aims to protect consumers from unwanted sales, the CCPA allows consumers to “opt out” of data collection for adults and an “opt in” for minors under 16 years old.

Failure to comply with the CCPA may result in hefty fines for California businesses. The Attorney General may levy fines up to $7,500 per intentional violation. For unintentional violations that are not remedied within 30 days, the Attorney General may require businesses to pay $2,500 per violation. Keeping in line with consumer rights, the CCPA allows consumers to bring private claims in class action suits for damages.

Because the CCPA was written and passed quickly, California businesses may need to reconsider what data they collect and for how long they store the data. While the CCPA allows consumers to request that the business delete their personal information, businesses may refuse the consumer’s request if the personal information is required to complete a transaction or to notify a third party to stop selling consumer information.

Overall, the CCPA not only provides consumers with more rights regarding their personal information, it also forces companies to reevaluate how they collect, maintain, and disclose their consumer’s personal information. In the wake of data breaches like Equifax, businesses are likely to see consumers in other states demanding legislative protection and control similar to California’s CCPA.


[1] The CCPA applies to business that meet one of the following requirements: (1) with annual gross revenues of at least $25 million; (2) data brokers and other businesses that buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices, or (3) business that derive the majority of their annual revenue from selling consumers’ personal information.