California Consumer Privacy Act (CCPA)

Frequently asked questions

This document is an overview of the California Consumer Privacy Act (CCPA) and does not provide legal advice. We encourage you to consult your own legal counsel to familiarize yourself with the requirements that govern your situation.

What is the CCPA?

The CCPA is a new consumer data privacy law. The law went into effect on January 1, 2020, and enforcement by the California Attorney General began on July 1, 2020. Similar to the sweeping changes that came with the EU’s General Data Protection Regulation (GDPR), the CCPA represents the highest standard of data protection yet in the United States and has required companies to carefully assess their data practices. Essentially, the CCPA grants California residents several new rights over their personal information. These include the right to access or delete personal information collected by a business and the right to opt out of a business’s “sale” of the individual’s personal information. The opt-out right is particularly significant because the CCPA defines “sale” in very broad terms that encompass many commonplace data sharing arrangements, even where no money is exchanged. However, transfers to “service providers” are not considered “sales.”

The CCPA applies to any “business” anywhere in the world that collects, receives, or “sells” California consumers’ personal information while doing business in California. It regulates the collection, use, and disclosure of personal information belonging to a “consumer,” which the CCPA defines as “a natural person who is a California resident” (including residents who are temporarily out of the state). It also applies to “service providers” who process personal information on behalf of a business, and to other “third parties” who receive “sales” of personal information from a business.

A “business” is any for-profit entity that collects, and determines the purposes and means of processing, California consumers’ personal information while doing business in California and that: (1) has annual gross revenues in excess of $25 million; (2) processes the personal information of 50,000 or more consumers, households, or devices, for its own commercial purposes; or (3) earns more than half of its annual revenue from “selling” consumers' personal information.

“Selling” is defined very broadly to cover most transfers of personal information for monetary or other value. However, unlike other transfers, a transfer to an entity that qualifies as a “service provider” under the CCPA is not considered a “sale.” Transfers that are directed by the consumer or where a consumer uses a business to intentionally interact with a third party are also not considered “sales,” but other exceptions are limited.

A “service provider” under the CCPA is any for-profit entity that processes a consumer’s personal information on behalf of another business, which discloses the personal information for a business purpose. To be a service provider, the entity must also receive the personal information under a written contract that limits the service provider’s processing to purposes specified in the contract or otherwise permitted by the CCPA. ConnectWise is a service provider to its customers and offers a Data Processing Addendum containing CCPA-specific terms.

The answer largely depends on whether your organization would be a “business,” a “service provider,” or a “third party” under the CCPA.

For businesses, the main obligations include:

  • Notifying consumers of the types of personal information collected and how that information will be used. This notice must be provided at or before the point where personal information is collected.
  • Providing a more detailed privacy policy explaining personal information collection and sharing practices and describing consumers’ rights.
  • Providing consumers with ways to submit requests to access or delete their personal information or to know more about how it is processed and shared, and responding to those requests.
  • Providing a clear and conspicuous link on the business’s website entitled “Do Not Sell My Personal Information” so that consumers may exercise their right to opt-out of “sales” of their personal information, if the business sells personal information.
  • Not discriminating against consumers who exercise their rights under the CCPA.
  • Providing reasonable security to protect personal information from unauthorized access or acquisition.

For service providers, the main obligations include:

  • Processing personal information only for the purposes specified in the written contract with the business customer, and not for the service provider’s own commercial purposes.
  • Deleting personal information about a consumer when instructed to do so by the business customer.

For third parties that receive personal information in a “sale,” but that are not service providers, CCPA prohibits the third party from further “selling” that personal information unless the consumer received “explicit notice” and an opportunity to opt out of “sales.” “Explicit notice” is not defined by the CCPA, and third parties may wish to consult their own legal counsel to assess their obligations.

ConnectWise qualifies as a service provider under the CCPA, and ConnectWise is dedicated to helping our customers comply with the CCPA when using our services. We have a new Data Processing Addendum (DPA) available on our website here, that can be signed and returned to ConnectWise following the instructions on page 1.

It’s likely that most ConnectWise customers’ existing Data Processing Addenda (DPA) contain the necessary provisions to accommodate CCPA. However, customers should consult their own legal counsel to make this determination. Alternatively, if customers prefer a DPA with CCPA-specific terms, they can execute our most recent DPA, available here.

Fact versus Fiction

The content presented here discusses in general terms the California Consumer Privacy Act (CCPA) and does not provide legal advice. We encourage you to consult your own legal counsel to familiarize yourself with the requirements that govern your situation.

Fiction: The CCPA requires CA personal information to remain in California or the United States.

Fact: The CCPA does not require businesses to keep data in California or the United States, so businesses subject to the law can process the personal information of California residents from anywhere in the world. And, unlike the GDPR, the CCPA does not impose special requirements on businesses for the transfer of personal information outside of California or the United States.

Fact: The CCPA could still apply to your company, even if you do not have a California office. The CCPA would apply directly to you as a “business” if you:

  • Are a for-profit entity;
  • Do business in California;
  • Collect personal information about California residents; and
  • Meet certain revenue or other thresholds. Cal. Civ. Code § 1798.140(c)(1). Based on a long history of interpretation by California and U.S. courts and in California tax regulations, a company may be considered to “do business” in California, regardless of physical presence or place of incorporation, if it regularly offers goods or services to people or companies in California or otherwise benefits from its activities in California. Even if you’re not a “business” under the CCPA, you could be subject to certain obligations, for example if you receive a “sale” of California consumers’ personal information from a business subject to the CCPA. In that case, you may need to provide consumers with explicit notice and an opportunity to opt-out before you further share that personal information outside of your organization. Cal. Civ. Code § 1798.115(d). If every aspect of your processing of California consumers’ personal information takes place wholly outside of California—for example, if you collected that information while the consumer was outside of California—then the CCPA may not apply to your company.

Fact: While the GDPR and CCPA overlap in many ways, the CCPA is not a carbon copy of the GDPR. Even a robust GDPR compliance program will not automatically be in compliance with the CCPA, which imposes additional obligations. For example, under the CCPA:

  • “Personal information” includes information relating to “households,” as well as individuals. Cal. Civ. Code § 1798.140(o)(1).
  • Consumers have a broad right to opt out of “sales” of their personal information, a right potentially broader than data subject rights to opt out of direct marketing or object to certain processing under the GDPR. Cal. Civ. Code § 1798.120.
  • Businesses that “sell” personal information must place a “clear and conspicuous” link on their homepage that says “Do Not Sell My Personal Information” to allow consumers to exercise their right to opt out of sales. Cal. Civ. Code § 1798.135(a)(1).

Fact: The CCPA does not require businesses to obtain consent—opt in or opt out—to use personal information. The CCPA instead grants consumers the right to opt-out of the “sale” of their personal information. (We explain why “sale” is in quotations below). Even if a consumer opted out of sales, a business can still collect and use information from that consumer as long as the business doesn’t give that information to a third party in return for something of value. It is true that the CCPA has some limited opt-in obligations: the CCPA prohibits businesses from selling personal information of consumers younger than 16 unless the consumer has opted-in to the sale or, for those younger than 13, unless the consumer’s parent or guardian has opted-in. Cal. Civ. Code § 1798.120(c). You might be wondering why we put “sale” in quotation marks. The CCPA defines “sale” to include many activities, including renting, disclosing, transferring, or otherwise making available a consumer’s personal information to a third party for money or other valuable consideration. Cal. Civ. Code § 1798.140(t)(1). Certain transfers are excluded from the definition of “sale” under the CCPA, such as transfers to service providers. Cal. Civ. Code § 1798.140(t)(2). In other words, a “sale” under the CCPA may be almost any exchange of data for something of value, unless an exception applies—such as transfers to service providers like ConnectWise or disclosures directed by the consumer.

FactThe CCPA applies to all processing of personal information—online and offline—and it impacts business operations far beyond online advertising. For example, the law grants California residents new rights over their personal information that businesses must receive and honor, including:

  • The right to transparency
  • The right to access
  • The right to deletion
  • The right to opt-out of sales of personal information.

While the CCPA may impact the online advertising industry, the CCPA is not “only” about online advertising.

Fact: The CCPA does not require data to be encrypted. However, it does refer to businesses’ “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Cal. Civ. Code § 1798.150. Encryption may be appropriate depending on the circumstances but is not mandated by CCPA.