CLS Blue Sky Blog

Sullivan & Cromwell Discusses California Consumer Privacy Act of 2018

On June 28, 2018, California enacted the California Consumer Privacy Act (the “CCPA” or the “Act”), which will take effect on January 1, 2020.[1]  The Act applies to any organization that conducts business in California and satisfies one of three conditions:  (1) has annual gross revenue in excess of $25,000,000;[2] (2) annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, alone or in combination; or (3) derives 50 percent or more of its annual revenue from selling consumers’ personal information (each, a “Covered Business”).[3]  The Act also applies to any entity that “controls or is controlled by” any Covered Business.[4]

As detailed below, the CCPA establishes a new privacy framework for Covered Businesses by:

The CCPA has significant implications for all Covered Businesses.  The Act also allows potentially substantial penalties to be imposed on companies even in the absence of demonstrated consumer harm, and provides the California Attorney General with broad implementing authority.[5]  For these reasons, and because compliance with the Act may require substantial lead-time and investment, businesses that are potentially subject to the Act should begin preparing and implementing a plan for compliance as soon as possible.  There may also be questions as to whether certain provisions of the CCPA are preempted by federal statutes such as the National Bank Act.


In September 2017, Alastair Mactaggart and Mary Ross proposed a statewide ballot initiative entitled the “California Consumer Privacy Act.”  Ballot initiatives are a process under California law in which private citizens can propose legislation directly to voters, and pursuant to which such legislation can be enacted through voter approval without any action by the state legislature or the governor.[6]  While the proposed privacy initiative was initially met with significant opposition, particularly from large technology companies, some of that opposition faded in the wake of the Cambridge Analytica scandal and Mark Zuckerberg’s April 2018 testimony before Congress.[7]  By May 2018, the initiative appeared to have garnered sufficient support to appear on the November 2018 ballot.[8]  On June 21, 2018, the sponsors of the ballot initiative and state legislators then struck a deal:  in exchange for withdrawing the initiative, the state legislature would pass an agreed version of the California Consumer Privacy Act.[9]  The initiative was withdrawn, and the state legislature passed (and the Governor signed) the CCPA on June 28, 2018.[10]

Key Provisions of the CCPA

Expanded Definition of Personal Information.

Under the Act, “personal information” (“PI”) is broadly defined to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  The Act specifies that PI includes, but is not limited to:  (i) identifiers, such as names, aliases, addresses, and IP addresses; (ii) characteristics of protected classifications under California or federal law; (iii) commercial information, including records of personal property, products or services purchased, or consuming histories or tendencies; (iv) biometric information; (v) Internet or other electronic network activity information, such as browsing history; (vi) geolocation data; (vii) audio, electronic, visual, thermal, olfactory, or similar information; (viii) professional or employment-related information; (ix) education information; and finally, (x) any inferences drawn from any of the information identified to create a profile about a consumer.[11]

The Act does, however, include a few limitations.  First, the Act excludes “aggregate consumer information,” which is defined as data that is “not linked or reasonably linkable to any consumer or household, including via a device.”[12]  Data kept in such a fashion does not fall within the definition of PI.  Second, information that is publicly available from federal, state, or local government records is similarly excluded.[13]

The Act applies to all PI collected by Covered Businesses from consumers, who the Act defines as natural persons who are California residents, whether or not collected electronically.[14]  Accordingly, the Act applies not only to Internet-based businesses, but also to businesses ranging from brick-and-mortar stores to large financial institutions.  Covered Businesses that collect consumer information should carefully evaluate what portions of the information they collect may constitute PI and therefore be subject to the provisions of the CCPA.

Five Categories of Rights

The Act enumerates five categories of data privacy rights granted to consumers with respect to their PI: the “right to know,” the “right to access,” the “right to deletion,” the “right to opt out,” and the “right to equal service.”  These rights create a variety of obligations for Covered Businesses.

1.     The Right to Know

The right to know requires Covered Businesses to make both affirmative disclosures to all consumers and respond to verifiable consumer requests with individualized disclosures about the business’s collection, sale, or disclosure of the PI of the particular consumer making the information request.  In their privacy policies or otherwise on their website if they do not have such policies, Covered Businesses must affirmatively disclose:

In response to verifiable consumer requests, Covered Businesses must also disclose:

As part of their disclosures regarding data collection, businesses must include information about the categories of sources from which the PI was collected, the business or commercial purpose for “collecting or selling” that PI,[22] and the categories of third parties[23] with whom the business has shared the PI.[24]  As part of their disclosures regarding data sales or disclosures, businesses must disclose, as applicable, the categories of PI sold and to whom it was sold, or the categories of PI disclosed for a business purpose and to whom it was disclosed.[25]  If the request only pertains to sale, and not collection, the business need not disclose the sources of the PI.[26]

Businesses must provide at least two methods by which consumers can make verifiable consumer requests for disclosure, including, at a minimum, a toll-free number and an online form.[27]  The deadline for providing requested disclosures is 45 days from receipt of the request.[28]

The Act also provides that the following circumstances do not constitute a sale of PI:[29]

2.     The Right to Access

The CCPA further guarantees consumers the right to access a copy of the “specific pieces of personal information that [a business] has collected about that consumer” to be delivered either by mail or electronically.[31]  Whereas the right to know only provides consumers with information about what categories of PI have been collected, sold, or disclosed, the right to access provides consumers with a copy of the PI collected about them.

This right may also imply some duty to preserve.  Unlike the right to know, this portion of the Act does not expressly specify whether businesses will have the obligation to preserve the PI collected about each consumer, only that the businesses need to provide the specific PI collected about the consumer.  Considering that the Act provides that businesses that have collected PI for “single, one-time transaction[s]” have no obligation to retain any PI,[32] that may imply some duty to preserve may exist for data collected under other circumstances.

3.     The Right to Deletion

The CCPA allows consumers to request the deletion of their PI from business servers and service providers.[33]  Covered Businesses will be obligated to honor the deletion request unless it is necessary to maintain the PI in order to:

The last two “internal use” exceptions require careful attention by Covered Businesses to ensure that, consistent with long-standing best practice for privacy policies, consumers are clearly advised at the time PI is collected of the potential internal uses of their data.

4.     The Right to Opt Out

Under the Act, consumers may opt out of the sale of their PI to third parties.[34]  If an individual consumer does not affirmatively opt out, and such consumer is not a minor (as discussed below), their data may be sold without further action (provided that sale is disclosed in the business’s privacy policy).  Covered Businesses, however, must post a “clear and conspicuous link” entitled “Do Not Sell My Personal Information” on their national website or California-specific webpage,[35] describe the right and include a link to the opt-out page in their privacy policy,[36] and ensure that “all individuals responsible for handling consumer inquiries” about privacy practices and CCPA compliance are informed of the opt-out requirements and “how to direct consumers to exercise their [opt-out] rights.”[37]

In order to implement this system, Covered Businesses will need to separate consumer PI that they wish to sell into at least two categories: (1) PI of consumers who have opted out, and (2) PI of consumers who have not opted out.[38]  Covered Businesses that do not nationally conform to California’s system may also need a third category of PI for non-California residents.  Further, minors have distinct rights, discussed below.  Consumers can opt in or out at any time, and businesses must “respect the consumer’s decision . . . for at least 12 months before requesting that the consumer authorize the sale of [their PI].”[39]

5.     The Right to Equal Service

The CCPA grants a right to equal service, prohibiting discrimination against consumers who exercise their rights under the Act.[40]  Covered Businesses are generally prohibited from denying goods or services to those consumers, charging them different prices or rates (including through use of discounts or other benefits), or providing them with a different level or quality of service.[41]  Businesses may be permitted, however, to charge these consumers different rates or to provide different levels of service provided there is some relationship to the “value provided to the consumer by the consumer’s data.”[42]  Businesses may also offer financial incentives, including payments to consumers as compensation, for the collection or deletion of PI.[43]  It is uncertain at this point how these permitted pricing differentials will work in practice, and it appears likely that Covered Businesses will ask for further guidance.

Special Rules for Minors

The CCPA generally prohibits the sale of PI if the business has actual knowledge that the consumer is less than 16 years of age or willfully disregards the consumer’s age.[44]  If the business wishes to sell such information, it must obtain affirmative consent from the consumer if they are between the ages of 13 and 16, or their parents’ consent if they are under 13—creating a special opt-in system for minors.[45]

Public Enforcement Framework

Except in the data breach context, there is no private cause of action available under the Act.  Rather, the only enforcement mechanism for violations of the Act is by the California Attorney General.  For violations of the Act, a Covered Business is subject to statutory damages as follows:

The Act creates a 30-day window for businesses to cure violations.[49]  Proceeds of any settlement or award will be allocated to a new fund called the “Consumer Privacy Fund,” intended to offset any costs incurred by the state courts or California Attorney General in connection with the Act.[50]  The Act provides that any business or third party may seek the opinion of the Attorney General for ex ante guidance on “how to comply with the provisions” of the Act.[51]

Private Action:  Liability for Data Breach

Under the Act, Covered Businesses are liable for the unauthorized access and exfiltration, theft, or disclosure of certain categories of “nonencrypted or nonredacted”[52] PI due to the business’s failure to implement reasonable security procedures and practices appropriate for the particular type of PI.[53]  Significantly, liability does not appear to require a showing of consumer harm, and statutory damages may be significant.  The Act provides for statutory damages, in action brought by a consumer, of between $100–$700 per violation per consumer or actual damages, whichever is higher.[54]  In addition to this limited private cause of action,[55] the Act authorizes the California Attorney General to bring a public enforcement action, as described above.[56]

Notably, for the purpose of data-breach liability only, PI is defined pursuant to California Civil Code § 1798.81.5(d)(1)(A).[57]  This definition is much narrower than the general definition of PI included in the Act.  For purposes of data-breach liability, PI means an individual’s first name or first initial and last name in combination with one of the following:

As a result, the Act expands potential data-breach liability because it not only permits suit in the absence of a showing of both particularized and concrete harm but also creates a private right of action with an associated statutory damages framework.

To bring a private claim or class action, consumers must provide businesses with 30-days’ written notice.[58]  In the event that cure is possible within 30 days, the business may be able to avoid statutory damages, but not actual pecuniary damages (if they exist).[59]  After 30 days, if the breach has not been cured, consumers may bring an action but must also notify the Attorney General, who has 30 days from notification to either bring an enforcement action, notify the consumer of the intent to bring an enforcement action, refrain from acting, or notify the consumer bringing the action “that the consumer shall not proceed with the action.”[60]  If the Attorney General refrains from acting or notifies the consumer of the intent to bring an action but fails to do so within six months, the consumer may bring an action against the company for statutory damages due to data breach.[61]


The Act also creates several exceptions.  By its terms, it will not restrict a business’s ability to:

The Act creates several exemptions as well.  The Act shall not apply where:

Finally, the Act creates several limits on secondary liability:

Brief Comparison with the European Union’s (“EU”) General Data Protection Regulation (“GDPR”)[70]

At a high level, the CCPA bears certain similarities to GDPR, the comprehensive regulation governing the “processing of personal data” of EU residents.[71]  But the CCPA and GDPR provide for differing rights, obligations, and exceptions, and compliance with one will not necessarily ensure compliance with the other.  For example, unlike GDPR, the CCPA does not generally (other than with respect to minors) require businesses to implement an “opt-in” system to obtain consumers’ consent prior to processing their information.[72]  Instead, the CCPA requires businesses to allow consumers to “opt-out” of having their information sold.[73]  Thus, businesses will need to develop a CCPA compliance strategy in light of these and other differences with GDPR.  Businesses may choose to adopt differentiated policies for consumers in different jurisdictions, or may seek to create a unified global policy that adopts the most consumer-favorable protections from the CCPA and GDPR (and, of course, other applicable regulations).


The CCPA will require businesses to take several steps to come into compliance on or before the effective date of January 1, 2020.

Among the implications for many other industries, financial institutions may need to take special care with respect to certain provisions of the Act:


[1]           California Consumer Privacy Act of 2018 (“CCPA”), Cal. Civ. Code § 1798.198(a) (2018).

[2]           Pursuant to § 1798.185(a)(5), this number will be adjusted every odd-numbered year to reflect any increase in the Consumer Price Index.

[3]           Id. § 1798.140(c)(1).

[4]           Id. § 1798.140(c)(2).

[5]           Id. § 1798.155.

[6]           How to Qualify an Initiative, Cal. Secretary of State, (last accessed June 29, 2018).

[7]           See Committee to Protect California Jobs, Cal. Secretary of State, (last accessed July 1, 2018); see also Sasha Ingber, Facebook Will Stop Funding Opposition To A User Privacy Initiative in California, NPR (Apr. 12, 2018),; Christopher Crosby, Verizon Exits Fight Against Proposed Calif. Privacy Law, Law360 (May 9, 2018, 3:37 PM),

[8]           To appear on the November 2018 ballot, an initiative needed to submit 365,800 verified signatures by June 28; Mactaggart and Ross submitted 629,000.  California Consumer Privacy Act Clears Major Hurdle: Submits 629,000 Signatures Statewide, Californians for Consumer Privacy (May 3, 2018),  The proposed initiative was withdrawn before verification could be completed.

[9]           John Myers & Jazmine Ulloa, California lawmakers agree to new consumer privacy rules that would avert showdown on the November ballot, L.A. Times (June 21, 2018, 8:40 PM), html.

[10]          See Cal. Civ. Code § 1798.198(b) (making the Act contingent upon withdrawal of ballot initiative 17-0039); see also Initiatives and Referenda Withdrawn or Failed to Qualify, Cal. Secretary of State, (last accessed June 29, 2018) (listing the status of ballot initiative 17-0039 as having been withdrawn on June 28, 2018).

[11]          Id. § 1798.140(o)(1).  It is important to note that the provisions of the CCPA are “not limited to information collected electronically or over the Internet,” but apply to brick-and-mortar businesses as well.  Id. § 1798.175.

[12]          Id. § 1798.140(a).

[13]          Id. § 1798.140(o)(2).

[14]          Id. § 1798.175.

[15]          Id. § 1798.100(b).

[16]          Id. § 1798.110(c).

[17]          The Act specifically prohibits third parties from further sale of PI unless the consumer has received explicit notice and is provided with an opportunity to opt out.  Id. § 1798.115(d).

[18]          “Business purpose” is defined as “the use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of [PI] shall be reasonably necessary and proportionate to achieving the operation purpose for which the [PI] was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.”  Id. § 1798.140(d).  Among the several enumerated purposes, the Act provides that “Business purposes are . . . Performing services on behalf of the business or service provider, including . . . providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.”  This could somewhat undercut the restrictions on “sale.”  Additionally, it is possible that disclosure may occur for non-business purposes.  It is unclear whether such disclosures will require notice to consumers.

[19]          Id. §§ 1798.110(c); 1798.115(c).

[20]          Id. § 1798.110(a).

[21]          Id. § 1798.115(b).

[22]          The Act require businesses that collect PI to make disclosures that go beyond merely what PI was collected.  As part of the disclosure, the Act requires information about “[t]he business or commercial purpose for collecting or selling personal information.”  Id. § 1798.110(a)(3).

[23]          The Act defines “third party” to exclude persons to whom data is disclosed pursuant to a written contract prohibiting the party from (i) selling the information, (ii) retaining, using, or disclosing the information for any purpose other than performing the services enumerated in the contract, and (iii) retaining, using, or disclosing the information  outside of direct business relationships between the person and the business.  Id. § 1798.140(w).  If a person, under such a contract, violates any of the restrictions set forth in the Act, the disclosing business will not be liable, only the person will.  Id. § 1798.140(w)(2)(B).

[24]          Id. § 1798.110(a).

[25]          Id. § 1798.130(a)(4).

[26]          Compare id. § 1798.110(a), with § 1798.115(b), and § 1798.130(a)(4).

[27]          Id. § 1798.130(a)(1).

[28]          Id. § 1798.130(2).  Extensions are sometimes available, but the Act is not clear as to whether the extension is an additional 45 days, see id. § 1798.130(2), or an additional 90 days, see id. § 1798.145(g)(1).

[29]          Id. § 1798.140(t)(2).

[30]          Id. § 1798.140(t)(2)(D).

[31]          Id. § 1798.110(a)(5).  If disclosure is made electronically, in a portable—and to the extent technically feasible—readily useable format, consumers will have the capability of transmitting this information to other entities without hindrance.

[32]          Id. § 1798.100(e).

[33]          See id. § 1798.105.

[34]          Id. § 1798.120(a).

[35]          Id. § 1798.135(a)(1).

[36]          Id. § 1798.135(2).

[37]          Id. § 1798.135(a)(3).

[38]          The Act does not describe the process in which consumers opt in.  See id. § 1798.120(d).  Presumably, this will be clarified by regulations passed under § 1798.185(b) (giving the Attorney General broad authority to pass necessary regulations outlining different processes) or through legislative amendment.

[39]          Id. § 1798.135(a)(5).

[40]          Id. § 1798.125(a)(1).

[41]          Id. § 1798.125(a)(1).

[42]          Id. § 1798.125(a)(2).

[43]          Id. § 1798.125(b).

[44]          Id. § 1798.120(d).

[45]          Id.

[46]          Id.

[47]          The Act is not clear as to whether “per violation” in this context means per incident per consumer or merely per incident—a distinction that could mean the difference between $2,500 in damages and $250,000,000 for an incident affecting 100,000 consumers.  In the June 28, 2018 Senate Floor Analysis (one of the last pieces of legislative history prior to passage), the report discusses statutory damages in the data breach context as “per consumer per incident.”  See California Legislative Information: Senate Floor Analysis (June 28, 2018), available at This is suggestive that “per violation” really means “per incident per consumer.”

[48]          Id. § 1798.155(b).

[49]          Id. § 1798.155(a).

[50]          Id. §§ 1798.155(c); 1798.160.

[51]          Id. § 1798.155(a).

[52]          The Act does not specify the level of encryption required or define “nonredacted” PI.  See id. § 1798.150(a)(1).  These terms can be subject to numerous interpretations.

[53]          Id. § 1798.150.

[54]          Id. § 1798.150(a)(1)(A).

[55]          The provision that provides for the private cause of action uses ambiguous language to outline its limitations.  The private cause of action is limited to actions pursuant to the data breach section, but uses language requiring purported plaintiffs to provide 30-days’ written notice “identifying the specific provisions of this title the consumer alleges to have been or are being violated.”  Id. § 1798.150(b)(1).  Despite this ambiguity, a report issued by the Assembly Committee on Privacy and Consumer Protection stated that the statute only created a “limited private right of action” for data breaches.  Informational Hearing Report, Assembly Comm. on Privacy and Consumer Prot., (June 27, 2018) Client.xhtml?bill_id=201720180AB375.

[56]          Cal. Civ. Code § 1798.155(a)–(b); see also Cal. Bus. & Prof. Code § 17206.

[57]          Id. § 1798.150(a)(1).

[58]          Id. § 1798.150(b)(1).

[59]          Id.

[60]          Id. § 1798.150(b)(3).

[61]          Id.  It seems intended by the Act that if the Attorney General brings an action during the 30-day period or notifies the consumer during that period that the Attorney General intends to bring an action within six months, the consumer cannot proceed with their private right of action.  See id.

[62]          Id. § 1798.140(h).

[63]          Id. § 1798.140(h)(1)–(3).

[64]          Id. § 1798.145(a)(6).  Businesses are also prohibited from storing PI about a consumer while the consumer is in California and then collecting that PI when the consumer and stored personal information is outside of California.  Id.

[65]          Id. § 1798.140(w)(2).

[66]          Id. § 1798.140(w)(2).

[67]          Id. § 1798.140(w)(2)(B).

[68]          Id. § 1798.145(h).

[69]          Id.

[70]          Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[71]          Id.

[72]          Cal. Civ. Code § 1798.120; General Data Protection Regulation Art. 7.

[73]          Cal. Civ. Code § 1798.120.  The CCPA only requires businesses to allow consumers to “opt-out” of having their information sold to third parties.  Unlike GDPR, the CCPA does not require businesses to allow consumers to “opt-out” of having their data processed in other ways.

[74]          Id. § 1798.140(t)(2)(D).

[75]          Id. § 1798.140(w)(2)(A).

This post comes to us from Sullivan & Cromwell. It is based on the firm’s memorandum, “California Consumer Privacy Act of 2018,” dated July 2, 2018, and available here. Joshua Wright provided significant assistance in creating the memorandum

Exit mobile version