The California Consumer Privacy Act of 2018 (“CCPA”)

Download Original PDF copy of this article from Defense Comment // Summer 2019

Don Willenburg, Gordon Rees Scully Mansukhani Alexander Golovets, Law Offices of Alexander Golovets

The  California       Consumer Privacy         Act       of  2018         (“CCPA”) (full text https://leginfo.legislature. id=201720180SB1121) becomes effective January 1, 2020. It affects even those who do not share or sell consumer information. Your law firm, and many business clients of your firm, may need to implement procedures to comply with the CCPA, particularly the requirements to respond to requests to disclose or delete personal information, to create procedures to do so, and to train employees how to respond.

The CCPA was enacted quickly, under the threat of an even more restrictive ballot initiative (which was withdrawn upon enactment). That haste may be at least partly to blame for its many ambiguities and inconsistencies.

This is a big deal, and you are probably not ready. Get ready, and get ahead of the curve to get your clients ready.


The CCPA governs use of “personal information,” which it broadly defines as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA lists eleven nonexclusive categories of such information, including name, address (IP, email, or postal), driver’s license number, social security number, passport information, records of purchases, and “consuming history and tendencies.” The CCPA applies to information collected or stored electronically, but it is not limited to electronic information. It covers paper files too.

“Consumer” is defined broadly to include “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2)  every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.” A consumer for CCPA purposes does not have to be a consumer of the business’s products or services.

The CCPA’s use of “household,” apparently unique in privacy laws, means that “personal information” does not have to be about any specific person.


The CCPA applies to “businesses,” which it broadly defines as for-profit operations that meet any of the following:

  • An annual gross revenue of more than $25 million.
  • Buys, receives or shares for commercial purposes, or sells personal information of 50, 000 of more consumers, households, or devices.
  • Derives 50% or more of annual revenue from selling consumers’ personal information.
  • An entity, such as an affiliate or subsidiary, that controls or is controlled by a business satisfying any of 1-3 above and shares common “branding.”

It does not matter if the business is located outside California. What matters is whether the information of any California “consumer” is collected.


The main CCPA requirements can be grouped in five categories:

Disclosure; Deletion;

Non-discrimination; Protection; and

Provide for opt-in and opt-out.

1.      Disclosure

Consumers may request that a business disclose:

  • the categories, and specific pieces, of personal information that it collects about the consumers;
    • the categories of sources from which that information is collected;
    • the business purposes for collecting or selling the information; and
    • the categories of third parties with which the information is shared.

These disclosures must be made both by a publicly posted privacy notice, and upon request by a consumer.

2.      Deletion

“A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” Further, the business must also ensure that the information is deleted by third-party contractors, including service providers, with which the business shared that consumer’s personal information. There are some exceptions to this requirement, such as if the personal information is needed to complete a transaction. The following two exceptions to the deletion requirement are likely to lead to conflict: where retention is necessary to “[c]omply with a legal obligation,” and “use [of] the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”

Notably, the deletion requirement appears to be limited to information “which the business has collected from the consumer,” and so does not appear to include personal information gathered from any other source.

3.     Non-Discrimination

A business may not discriminate against anyone for exercising any rights under the CCPA, including, but not limited to, by:

  • Denying goods or services to the consumer.
  • Charging different prices or rates for goods or services.
  • Providing a different level or quality of goods or services.
  • Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

A business may, however, differentiate “if that difference is reasonably related to the value provided to the consumer   by the consumer’s data.” Similarly, a business may offer financial incentives, including payments, for the collection, sale, or deletion of personal information, and in that connection “may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.”

4.      Protection

The CCPA creates a “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the [personal] information,” and provides a private right of action for breach (see below). Yes, the CCPA threatens to make businesses the insurers of the security of personal information against every malicious hacker in the world.

5.     Provide for opt-out, and opt-in for minors.

There are many new requirements specific to businesses that sell consumer personal information. This article is directed to the more general situation of businesses that are not engaged in such commerce, so readers representing such businesses have extra need to review the specific statutory requirements. Here’s a sampling:

  • Businesses must provide consumers with an easy way to opt-out of having their personal information sold to a third party, including posting a “Do Not Sell My Personal Information” link on the business’s Web page.
  • For minors, there are f urther restrictions. A business may not sell the personal information of anyone under 16 without an affirmative opt-in, including parental consent for those under 13.


The required steps include all the following:

  1. “Make available to consumers two or more designated methods for submitting requests for information required to be disclosed … including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Website, a Website address.”
  2. “Disclose and deliver the required information to a consumer free of charge within 45 days of receiving  a verifiable request.” The 45 days may be extended for another 45 days “when reasonably necessary,” if the consumer is given notice within the initial 45-day period. “The disclosure shall cover the 12-month period preceding the business’s receipt of the verifiable request.” A business is not required to provide disclosures “to the same consumer more than twice in a 12-month period.”
  • Disclose in its online privacy policy or policies, or if the business has none, then on the business’s Internet Website, and in any California-specific description of consumers’ privacy rights:
    • “A description of a consumer’s rights … and one or more desig nated method s for submitting requests.”
    • A “list of the categories of personal information it has collected about consumers in the preceding 12 months” or categories in subdivision (c) that most closely describe the personal information collected.
    • A business that sells personal information must disclose two separate lists:
      • “A list of the categories of personal information it has sold about consumers in the preceding 12 months.”
      • “A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months.”

The statute also requires the lists to be updated once every 12 months

  • “Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements” related to disclosures under the CCPA “and how to direct consumers to exercise their rights under those sections.”


A consumer may file a civil action, including a class action, if the consumer’s personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result” of the failure of the business’s security efforts. In such a case, consumers may recover from the business the greater of: (1) $100-$750 per incident or (2) actual damages.

The civil action does not proceed in quite the same way as other civil actions.

  • The consumer must provide 30 days’ notice and opportunity to cure prior to initiating an action for statutory damages. This requirement does not apply to an action solely for actual pecuniary damages.
  • The consumer must “notify the Attorney General within 30 days that the action has been filed.”
  • The Attorney General has 30 days after such notice to do one of the following:
    • Notify the consumer of the Attorney General’s intent to prosecute an action against the alleged violator. “If the Attorney General does not prosecute within six months, the consumer may proceed with the action.”
    • “Refrain from acting within the 30 days, allowing the consumer bringing the action to proceed.”
    • “Notify the consumer bringing the action that the consumer shall not proceed with the action.”

The statute is silent as to the grounds on which the Attorney General may direct that “the consumer shall not proceed with the action.”

The “good news” about private actions is that “[n]othing in this act shall be interpreted to serve as the basis for a private right of action under any other law.” This is apparently designed to prevent “piggyback” claims such as unfair business practices under Business and Professions Code section 17200.


CCPA provisions may also be enforced by a civil action filed by the Attorney General. Fines can be as large as $7,500 per intentional violation and $2,500 per unintentional violation, each multiplied by the number of consumers affected.


There are several exceptions and limitations on the CCPA. They are outside the scope of this article. The purpose of this article is to scare you into reading the CCPA and determining whether or the extent to which it applies to your firm or client – not to give any false or misleading hope that it does not apply.


The CCPA takes effect January 1, 2020. There are two caveats. First, the CCPA requires that the California Attorney General publish implementing regulations between then and July 2, 2020. Second, the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, and July 1, 2020. Warning: the private right of action effective date remains January 1, 2020.


There are multiple legislative efforts afoot to modify the CCPA. Some rough edges may be smoothed before it takes effect,or shortly thereafter. Or more draconian requirements may be imposed. Counsel would be wise to not just familiarize themselves with the CCPA, but also to
keep an eye out for legislative changes in the near future.


The CCPA comprises 19 new statutes in the Civil Code, summarily listed below.


Disclosure (focus on point-of-transaction)






Disclosure by businesses that sell personal information


Opt-out from sales of personal information; requires opt-in for minors under 16




Procedure for responding to consumer requests re disclosure or deletion


Procedure re opt-outs (for businesses that sell personal information)




Obligations shall not restrict business abilities in defined areas; other exceptions


Private civil actions to enforce


May seek advice from Attorney General re compliance; penalties for noncompliance


Establishes earmarked “Consumer Privacy Fund” from proceeds of Attorney General actions

information collected by a business from consumers. Wherever possible, law relating to consumers’ personal information should be construed to harmonize with the provisions of this title, but in the event of a conflict between other laws and the provisions of this title, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.”


“The provisions of this title are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal


Preempts local rules or laws


Attorney General to solicit input, then issue implementing regulations on a variety of topics, plus any in the future “as necessary to further the purposes of this title”


Contractual waivers or limits of CCPA rights “void and unenforceable”


“This title shall be liberally construed to effectuate its purposes.”


“This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the California Constitution.”

Don Willenburg

Rees Scully Mansukhani

Don Willenburg is chair of the ADCNCN’s amicus briefs committee. He also chairs the national appellate practice group at Gordon from the firm’s Oakland office. Don is a graduate of Loyola University of Chicago and Stanford Law School.

Alexander Golovets

Alexander Golovets is a member of the ADCNCN’s Business Litigation Sublaw Committee. He is a graduate of both Far Eastern State University, College of Law, Vladivostok, Russia and John F. Kennedy University