What is the California Consumer Privacy Act of 2018?

Published by Merryl Dusaran on

What is the California Consumer Privacy Act of 2018?

Have you ever wondered why, after checking out the product page for a pair of shoes on one website, that particular brand of footwear would follow you around with consumer ads popping up on your social media accounts? It’s because when you visit a site, it can track your behavior and see what you’re clicking or what blog posts you’re reading.

Such information can be collected from you and can be shared, bought and/or sold. That data may be used internally by a company for market research and site improvements, but most of the time, the data can go to a third-party vendor, such as Google Adsense. And that is why you start seeing advertisements similar to the products you’ve seen or searched online. However, the sun truly shines bright in California as consumers are now granted rights over their data through the CCPA law.

The California Consumer Privacy Act (CCPA) has been signed into law on June 28, 2018, and took effect on January 1, 2020.  It gives California residents the capability to know what kind of personal information a business collects from them and to whom the data has been shared or sold to.

What rights does the CCPA grant to California consumers?

The CCPA law grants the enhancement of privacy rights and consumer protection for California residents. Therefore, this grants a consumer:

  1. The right to request a business to disclose to the consumer the categories and specific pieces of what personal information is collected, used, shared, or sold. 
  2. The right to request the deletion of personal information and would require the business to delete upon receipt of a verified request, as specified.
  3. The right to opt-out of the sale of personal information and the right to equal service and price even if they exercise their privacy rights.  The bill prohibits a business from selling the personal information of those under 16 years of age unless affirmatively authorized.

To whom does the CCPA apply?

The CCPA law applies to businesses that serve California consumers and that meet the following thresholds:

  1. Has annual gross revenues over $25 million.
  2. Alone or in combination, annually buys, receives for the business commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
  3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

What to do to be a CCPA-compliant business?

For a business to comply with the CCPA, they need to ensure that they:

  1. Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
  2. Include a description of consumer’s rights pursuant to the consumers’ right to opt out, along with the separate link to the “Do Not Sell My Personal Information” Internet Web page in:
    1. It’s online privacy policy or policies if the business has an online privacy policy/policies.
    2. Any California-specific description of consumer privacy rights.
  3. Ensure that the people who handles consumer inquiries about the business privacy practices or the business compliance and how to direct consumers to exercise their rights under those sections.
  4. Refrain from selling personal information collected by the business about the consumer and respect the consumer’s decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.

To ensure that customers can exercise their rights over their personal information, businesses shall:

  1. Make available to consumers two or more designated methods for submitting requests for information required to be disclosed such as a toll-free telephone number or a business website.
  2. Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer.

What are the penalties for a non-compliant business?

Businesses that are non-compliant with CCPA will be fined for violations. If a business fails to solve any alleged violation within 30 days after being notified of alleged non-compliance, it shall be liable for a civil penalty as provided in Section 17206 of the Business and Professions Code in a civil action brought in the name of the people of the State of California by the Attorney General. The fine is $2500 per violation, but if it is considered intentional, the civil penalty may go up to $7500 per violation.

Any consumer, whose non-encrypted or non-redacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ failure to implement and maintain reasonable security procedures and practices to protect their personal information, may institute a civil action for any of the following reasons:

a. To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or the equivalent value of actual damages, whichever is greater.

b.  Injunctive or declaratory relief.

c.  Any other relief the court deems proper.

Data breaches can affect both the business and its consumers. Laws and regulations implemented for tight security and to prevent breached records of consumers. With UK having the GDPR and California with CCPA, surely some areas are pushing for their protection too. These laws and regulations exist not to burden any company or anyone who wants to do business with them. They exist to ensure consumers and businesses will always have strong security coverage for their data.


It’s possible that your online business may be affected if you’re collecting information from your customers and potential buyers. You may have to apply some changes to your sales and marketing processes, and if you’re outsourcing some of the work, then you’d have to add a few steps to your workflow.

If this is something that concerns you, why not talk to our outsourcing consultant? Click the button below to get started and ask how your outsourcing can be CCPA-compliant.


//