CCPA and Data Protection: all there is to know


Published on Nov 9, 2023 and edited on Nov 23, 2023 by Iron Brands

The CCPA is a well-known and influential law in the data protection landscape. It is easy to see why: many data-driven tech companies are based in Silicon Valley, including giants like Apple, Google, and Meta. So, the CCPA is by far the most impactful State law for the digital economy. Let’s learn more about the CCPA and how it influences data protection within and outside California!

  1. What is the CCPA?
  2. What is personal information under the CCPA?
  3. How does the CCPA apply to cookies?
  4. How does the CCPA impact direct marketing?
  5. How does the CCPA impact the use of sensitive information?
  6. The CCPA in action: the Sephora case
  7. Beyond the CCPA: California privacy law
  8. The future of data protection under the CCPA

What is the CCPA?

The CCPA is the California Consumer Privacy Act of 2018. The Act gives California residents certain rights, such as erasing their personal information and opting out of the sale of their data.

The CCPA was amended several times and underwent extensive modifications in 2020 with the CPRA (California Privacy Rights Act). The CCPA is enforced by the Attorney General of California and the California Privacy Protection Agency (CPPA).

The CCPA only gives rights to California residents but applies to organizations outside of California as well, and even outside the US. The Act only applies to large businesses and businesses that control large amounts of personal information of California residents. It does not apply to government agencies and nonprofits, with narrow exceptions for nonprofits tied to businesses.

What is personal information under the CCPA?

The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.

This is a broad definition and covers more than direct identifiers such as names, addresses, and social security numbers. For instance, **unique identifiers** such as those found in cookies are personal information under the CCPA, because they can reasonably be linked to a device, and therefore to its user.

Bottom line: don’t be too rash in assuming your business does not control personal information!

How does the CCPA apply to cookies?

The CCPA has no rule specific to cookies, but its rules on third-party data sharing impact web analytics.

Under the Act, California residents have a right to opt out of the sale of their personal information. The definition of “sale” in the CCPA was always broad and became even broader with the CPRA. As a result, sharing personal information with Google Analytics or other web analytics providers can constitute a sale under the Act. In practice, this means that California residents have a right to be informed and must be provided an option to opt out.

So, businesses covered by the CCPA must provide information pop-ups regarding analytics and marketing cookies on their websites and provide a conspicuous opt-out option in the form of a button or link.

Additionally, the CCPA requires opt-in consent for selling the personal data of minors. Businesses are required to collect consent from minors under 16 before they knowingly sell their personal information.

The CCPA also requires companies to honor Global Privacy Control (GPC). GPC is a technical standard through which browsers signal to websites that the user does not want their data sold or shared. In other words, GPC is how browsers send automated opt-out requests so that users do not need to manually opt out of data sales for every single website they visit.
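As an added illustration (not code from the original post), here is how a CCPA-covered site can honor the GPC signal. GPC reaches a site in two forms: the `Sec-GPC: 1` request header seen by the server and the `navigator.globalPrivacyControl` property seen by page scripts; the function names and the split between first-party measurement and third-party tags are this example's own assumptions.

```javascript
// Added example (not from the original post): honoring Global Privacy Control.
// GPC is delivered two ways: the request header "Sec-GPC: 1" (seen by the
// server) and navigator.globalPrivacyControl (seen by page scripts). The
// function names below are this example's own.

// Server side: true when the request carries a GPC opt-out. Header names are
// case-insensitive, and "1" is the only value the GPC spec defines.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: the same check on a navigator-like object, so the decision
// can be made before any analytics or retargeting tag is injected.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Loading policy for a CCPA-covered site. Tags that share data with third
// parties (which can be a "sale") load only when no opt-out signal is present,
// whether GPC or the site's own opt-out link. First-party, non-shared
// measurement is not a sale and is unaffected. (This split is an assumption.)
function tagPolicy({ gpc, manualOptOut }) {
  const optedOut = Boolean(gpc) || Boolean(manualOptOut);
  return {
    firstPartyMeasurement: true,
    thirdPartyAnalytics: !optedOut,
    retargeting: !optedOut,
  };
}

// Server-side decision for one request: combine the header signal with a
// stored opt-out preference (e.g. a cookie set by the opt-out link).
function decideForRequest(headers, manualOptOut) {
  return tagPolicy({ gpc: gpcFromHeaders(headers), manualOptOut });
}

// Constructed sample requests, not real traffic.
const sampleRequests = [
  { headers: { "Sec-GPC": "1" }, manualOptOut: false }, // browser sent GPC
  { headers: { "sec-gpc": "0" }, manualOptOut: false }, // not a valid opt-out
  { headers: {}, manualOptOut: true },                  // used the opt-out link
  { headers: {}, manualOptOut: false },                 // no signal at all
];
for (const r of sampleRequests) {
  console.log(JSON.stringify(decideForRequest(r.headers, r.manualOptOut)));
}
```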

How does the CCPA impact direct marketing?

The CCPA does not deal with direct marketing specifically, but some of its rules matter for direct marketing.

The rules on the selling and sharing of personal data do not apply to direct marketing in and of itself, but they may restrict the availability of third-party data for direct marketing. The Delete Act will likely further restrict data availability, which is bad news for many marketing companies relying on third-party data, and for any company enriching their databases with third-party data.

Additionally, consumers who receive direct marketing have a right to know what personal information is processed. Businesses engaged in direct marketing should establish efficient procedures for handling these requests. Ideally, they would keep a record of their operations in order to be able to tell consumers what data they have, where it came from, and whether it was received from or shared with any third parties.

It is unclear whether the right to delete under the CCPA applies to third-party data as well. Future enforcement will likely clarify this point. In the meantime, marketing companies should err on the side of caution and honor requests to delete third-party data.

How does the CCPA impact the use of sensitive information?

Sensitive information is personal information such as sex life and sexual orientation, genetic data, ethnicity data, and so on. Social security numbers, credit/debit card information, emails, and precise geolocation data are also sensitive information under the CCPA (for a more accurate and comprehensive list, please refer to the website of the Office of the Attorney General of California).

Under the CCPA, consumers have a right to limit the use and sharing of their sensitive information to what is strictly needed (for instance, to provide a service).

To some extent, this right overlaps with the right to opt out of the sale of personal information. But it is also broader because it covers first-party use of data and instances of data sharing that do not fall under the definitions of “sell” or “share”.

The CCPA in action: the Sephora case

CCPA enforcement is catching up with businesses, and the Sephora case is a very good example of what not to do.

French company Sephora is a multinational retailer of beauty products. It got in trouble with the Attorney General for a laundry list of CCPA violations related to its web analytics. The company failed to disclose it was selling personal information, failed to honor user requests to opt out of a sale, and did not cure its violations within the 30-day period allowed by the law.

The case ended with a $1.2M settlement between the company and the Attorney General. In practice, it is common for CCPA violations to end with a settlement. An actual fine would likely have been much more costly.

Interestingly, Sephora was not selling personal information to data brokers and the like. Like countless other businesses, Sephora was doing web marketing and analytics through a popular web analytics provider (the provider’s name was not disclosed).

So, even web marketing and re-targeting can be a sale under the CCPA. This is a really important point to stress: many companies believe they do not sell consumer data, but they do, and they can be held accountable if they do not comply with the obligations that a sale entails.

It is also worth noting that the Attorney General enforced the rule on Global Privacy Control against Sephora. Only time will tell how big a role GPC will play in practice, but the enforcement of the GPC rules in this case sets a promising precedent.

Beyond the CCPA: California privacy law

There are other promising developments in California law aside from the CCPA.

We already mentioned the Delete Act. The Act allows residents to require all data brokers to delete their personal information by filing a single request. In other words, it is a one-stop-shop system of sorts.

If strictly enforced, the Delete Act could effectively enforce privacy rights against data brokers and limit the amount of personal information available for surveillance-based advertising and third-party data enrichment. It is also worth noting that **data broker registration is mandatory** under California law, which could make the Delete Act easier to enforce.

It is also worth noting that California privacy law limits reverse-keyword searches and geofencing.

Geofencing is the use of location data to create a virtual boundary around a location and record all the individuals within it. Reverse-keyword searches are a type of court order often used by law enforcement.

Both geofencing and reverse-keyword searches are frequently used to monitor and prosecute women seeking reproductive health care after the Dobbs v. Jackson ruling of the US Supreme Court (it’s a long story, we wrote about it here).

Washington was the first State to limit geofencing and reverse-keyword searches with the suggestively named My Health My Data Act. California has long been a sanctuary State for reproductive health care, and shortly followed suit.

The future of data protection under the CCPA

The CCPA already had a tangible impact on digital privacy within and outside California. Its future impact will depend on enforcement and on the CPPA’s upcoming regulations. But the most important variable for the future of California privacy law is, of course, the future of US privacy law at large.

The US has no federal privacy law. The first federal data protection legislation (ADPPA) is currently in the works but negotiations have stalled in Congress. Specific sectors such as healthcare and finance have their own privacy rules, but there is no comprehensive and general federal law for online privacy.

State laws such as the CCPA are an attempt to fill this void. But while State laws afford important protections to the residents of some States, they also create a fragmented legal landscape throughout the US. Right now, companies need to understand and comply with each State's legislation to do business nationwide.

This legal fragmentation is also an obstacle to the legislative process behind the ADPPA. States with privacy laws do not want the ADPPA to undermine the privacy rights their citizens already enjoy, and some of them have pushed back against ADPPA drafts that would preempt their own legislation.

Long story short, it is hard to say if the ADPPA draft will ever become law and what role State laws such as the CCPA would play in that scenario.

_We care about privacy. This is why we do our best to provide our audience with quality, jargon-free information on privacy news._

_Our passion for privacy is at the heart of Simple Analytics. Our product gives organizations all the insight they need, without collecting a single bit of personal data. If you are looking for a compliant, ethical, and powerful web analytics tool, feel free to give Simple Analytics a try!_
