- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Does the CCPA apply to paper records?
There is little consistency in the United States as to whether a particular data privacy or data security law applies to digital records, or applies to digital and hard copy records. Some statutes, like the Health Information Portability and Accountability Act (“HIPAA”), are functionally media agnostic. Other statutes, like the Children’s Online Privacy Protection Act (“COPPA”), were specifically designed to apply only to the online collection of information.
In California, historically most privacy and security specific legislation dealt only with electronic information. For example, most companies were required to post privacy notices only if they collected consumer information online.1 Similarly, California only required companies to report data breaches where unauthorized access of digital information occurred.2 Unlike its predecessors, the CCPA applies to both electronic and paper information:
The provisions of this title are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers.3
It is interesting to note that the scope of the CCPA may be broader than other privacy regimes that cover both electronic and paper records. For example, while the drafters of the European GDPR also intended for it to be “technologically neutral,”4 they limited its application to only situations in which (1) processing of personal data is conducted by “automated means,” or (2) the data “form[s] part of a filing system or [is] intended to form part of a filing system.”5 As a result, a plaintiff’s attorney may attempt to argue that documents – such as loose papers on a printer, loose papers on a desk – that would not be governed by the GDPR are nonetheless governed by the CCPA.
1. Cal. Bus. & Prof. Code §§22575-22579.
2. Cal. Civ. Code § 1798.82(a) (referring to the obligation to report as it relates to “computerized data”).
3. CCPA, § 1798.175.
4. GDPR, Recital 15.
5. GDPR, Article 2(1).