Thomas C. Carey

Sunstein LLP

FAQs about the CCPA

Table of Contents

As we build an intent-based advertising network that’s beneficial for consumers, brands, and publishers, we at Customers.ai are conscientious of privacy and in compliance with laws and regulations regarding compliance.

Disclaimer: This webpage regarding the CAN-SPAM Act, the CCPA and GDPR is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship with Sunstein LLP. This is not intended to be an exhaustive summary of all requirements of the CAN-SPAM Act, CCPA, or GDPR. If you have questions about complying with the CAN-SPAM Act, CCPA, or GDPR, contact your legal counsel.

Last update: July 31, 2023

1. Who does the CCPA apply to?

According to the Office of the Attorney General of California, the CCPA applies to “for-profit businesses that do business in California” and meet any of the following:
  • Have a gross annual revenue of over $25 million
  • Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices
  • Derive 50% or more of their annual revenue from selling California residents’ personal information

2. What if my business is not located in California?

If you meet the above criteria you are required to comply with the CCPA regardless of where you are located.

3. What does the CCPA consider “personal information”?

According to the Office of the Attorney General of California, personal information is “information that identifies, relates to, or could reasonably be linked with an individual or their household.

This includes but is not limited to:

  • Name
  • Social security number
  • Email address
  • Records of products purchased
  • Internet browsing history
  • Geolocation data
  • Fingerprints
  • Inferences from other information that could create a profile about an individual’s preferences and characteristics

The CCPA defines “Special personal information” as including but not limited to:

  • Certain government identifiers
  • Account login information
  • Financial account numbers
  • Passwords
  • Contents of mail, email, or text messages
  • Biometric data
  • Information concerning health, sex life, or sexual orientation
  • Information about racial or ethnic origin
  • Information about religious or philosophical beliefs

4. What rights does the CCPA grant California residents?

The CCPA and the CPRA, which amended the CCPA, grant California consumers the following rights:
  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale or sharing of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.
  • The right to correct inaccurate personal information that a business has about them; and
  • The right to limit the use and disclosure of sensitive personal information collected about them.

5. What are businesses subject to the CCPA required to do at or before the point of collection?

At or before the point of collection, businesses subject to the CCPA are required to inform consumers of the following:
  • The categories of personal information to be collected
  • The purposes for which the categories of personal information are collected or used
  • Whether the personal information is shared or sold
  • The categories of sensitive personal information to be collected
  • The purposes for which the categories of sensitive personal information are collected or used
  • Whether the sensitive personal information is sold or shared
  • The length of time the businesses intends to retain each category of personal information or sensitive personal information, or if that is not possible, the criteria used to determine the period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.

A business subject to the CCPA may not do the following without written notice:

  • Collect additional categories of personal information
  • Use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected with
  • Collect additional categories of sensitive personal information
  • Use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected with

6. What resources are businesses required to provide for consumers exercising their rights?

Businesses have to make two or more methods for submitting requests for information or requests for deletion or correction available to consumers. This includes, at minimum, a toll-free number. If a business operates exclusively online and has a direct relationship with a consumer from whom it collects personal information, they are only required to provide an email address for submitting requests.

7. How long do businesses have to disclose, deliver, delete, or correct the required information?

Businesses have 45 days from the receipt of a verifiable consumer request to disclose, deliver, delete, or correct the corresponding information. Consumers have a right to request disclosure, delivery, deletion, or correction to any information collected after January 1, 2022. Businesses are not obligated to provide this information to the same consumer more than twice in a 12-month period.

8. Do businesses subject to the CCPA have to update their privacy policy?

Businesses subject to the CCPA are required to include the following in their privacy policies:
  • A description of the consumers’ rights
  • The methods available for consumers to submit requests
  • A list of the categories of personal information it has collected about consumers in the preceding 12 months
  • The categories of sources from which consumers’ personal information is collected
  • The businesses or commercial purpose for collecting, selling, or sharing consumers’ personal information
  • The categories of third parties to whom the businesses discloses consumers’ personal information
  • A list of the categories of personal information it has sold or shared about consumers in the preceding 12 months (if a business has not sold or shared consumers’ personal information in the preceding 12 months, they shall prominently disclose that fact in their privacy policy)
  • A list of the categories of personal information it has disclosed for a business purpose in the preceding 12 months (if a business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact)

9. What processes are businesses required to implement when handling personal information?

A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.

Businesses are also required to ensure that all individuals responsible for handling consumer inquiries about the business’ privacy practices or the business’ compliance with this title are informed of all requirements and informed of how to direct consumers to exercise their rights.

This FAQ is for informational purposes only and does not constitute legal advice. For specific legal advice, please consult with an attorney. The CCPA is a complex law and this FAQ does not cover all of its requirements. If you have questions about complying with the CCPA, please contact your legal counsel.

Additional resources

This document is for informational purposes only and does not constitute legal advice. For specific legal advice, please consult with an attorney. The CAN-SPAM Act, CCPA and GDPR are complex laws and this document does not cover all of its requirements. If you have questions about complying with the CAN-SPAM Act, CCPA or GDPR, please contact your legal counsel.

Thomas Carey, Sunstein LLP

LET'S CHAT ABOUT LEAD CAPTURE & SALES OUTREACH FOR YOUR BUSINESS

Generate more leads and meetings for your sales team with automated inbound lead capture, qualification, tracking and outreach across the most popular messaging channels.

I agree to receive text and email updates from Customers.ai

Convert more traffic into contacts

Send email follow-ups, enrich contacts with B2C and B2B profile data, and restore ad retargeting audiences.

See what Website Visitor ID X-Ray Pixel can reveal on your site

GROW YOUR RETAINERS, DIVERSIFY REVENUE SOURCES, AND MAKE CLIENTS HAPPIER WITH CUSTOMERS.AI FOR AGENCIES.

I agree to receive text and email updates from Customers.ai