Thomas C. Carey
FAQs about the CCPA
As we build an intent-based advertising network that’s beneficial for consumers, brands, and publishers, we at Customers.ai are conscientious about privacy and compliant with the applicable laws and regulations.
Disclaimer: This webpage regarding the CAN-SPAM Act, the CCPA and GDPR is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship with Sunstein LLP. This is not intended to be an exhaustive summary of all requirements of the CAN-SPAM Act, CCPA, or GDPR. If you have questions about complying with the CAN-SPAM Act, CCPA, or GDPR, contact your legal counsel.
Last update: July 31, 2023
1. Who does the CCPA apply to?
- Have a gross annual revenue of over $25 million
- Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices
- Derive 50% or more of their annual revenue from selling California residents’ personal information
2. What if my business is not located in California?
3. What does the CCPA consider “personal information”?
According to the Office of the Attorney General of California, personal information is “information that identifies, relates to, or could reasonably be linked with an individual or their household.”
This includes but is not limited to:
- Social security number
- Email address
- Records of products purchased
- Internet browsing history
- Geolocation data
- Inferences from other information that could create a profile about an individual’s preferences and characteristics
The CCPA defines “Special personal information” as including but not limited to:
- Certain government identifiers
- Account login information
- Financial account numbers
- Contents of mail, email, or text messages
- Biometric data
- Information concerning health, sex life, or sexual orientation
- Information about racial or ethnic origin
- Information about religious or philosophical beliefs
4. What rights does the CCPA grant California residents?
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt out of the sale or sharing of their personal information;
- The right to non-discrimination for exercising their CCPA rights;
- The right to correct inaccurate personal information that a business has about them; and
- The right to limit the use and disclosure of sensitive personal information collected about them.
5. What are businesses subject to the CCPA required to do at or before the point of collection?
- The categories of personal information to be collected
- The purposes for which the categories of personal information are collected or used
- Whether the personal information is shared or sold
- The categories of sensitive personal information to be collected
- The purposes for which the categories of sensitive personal information are collected or used
- Whether the sensitive personal information is sold or shared
- The length of time the business intends to retain each category of personal information or sensitive personal information or, if that is not possible, the criteria used to determine that period, provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
A business subject to the CCPA may not do the following without written notice:
- Collect additional categories of personal information
- Use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected
- Collect additional categories of sensitive personal information
- Use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected
6. What resources are businesses required to provide for consumers exercising their rights?
7. How long do businesses have to disclose, deliver, delete, or correct the required information?
- A description of the consumers’ rights
- The methods available for consumers to submit requests
- A list of the categories of personal information it has collected about consumers in the preceding 12 months
- The categories of sources from which consumers’ personal information is collected
- The business or commercial purpose for collecting, selling, or sharing consumers’ personal information
- The categories of third parties to whom the business discloses consumers’ personal information
- A list of the categories of personal information it has disclosed for a business purpose in the preceding 12 months (if a business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact)
9. What processes are businesses required to implement when handling personal information?
A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.
Businesses are also required to ensure that all individuals responsible for handling consumer inquiries about the business’ privacy practices or the business’ compliance with this title are informed of all requirements and informed of how to direct consumers to exercise their rights.
This FAQ is for informational purposes only and does not constitute legal advice. For specific legal advice, please consult with an attorney. The CCPA is a complex law and this FAQ does not cover all of its requirements. If you have questions about complying with the CCPA, please contact your legal counsel.
This document is for informational purposes only and does not constitute legal advice. For specific legal advice, please consult with an attorney. The CAN-SPAM Act, CCPA and GDPR are complex laws and this document does not cover all of their requirements. If you have questions about complying with the CAN-SPAM Act, CCPA or GDPR, please contact your legal counsel.
Thomas Carey, Sunstein LLP