The Ultimate Guide to

California Consumer Privacy Act (CCPA)

What Is California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a wide-ranging privacy law that went into effect on January 1st, 2020. It regulates how businesses collect, use, and disclose just about any kind of information that relates to an individual. It covers any business that earns $25 million in revenue per year overall, or sells 50,000 consumer records per year, or derives 50% of its annual revenue from selling personal information.

The CCPA requires businesses to implement new policies and procedures to ensure the protection of personal information for Californian residents. What’s more, the law expands what’s considered “personal information” and includes data elements not previously considered personal information under any U.S. law. It also gives California residents some new rights to make data requests to businesses that handle their data.

Businesses that fail to comply with the CCPA can incur fines and face private right of actions from individuals. Even if your business does not deal with California residents, other states are implementing similar privacy laws and you can expect more in the future. Complying with CCPA’s core principles of meaningful transparency and choice will set your organization on the right track for the future of U.S. privacy regulation.

CCPA: Frequently Asked Questions

The California Consumer Privacy Act (CCPA) establishes rules that businesses must follow to protect the privacy rights of California residents. The established rules are as follows:

  1. Disclosure requirements: Businesses must inform consumers about the personal data they collect and how it is used, shared, and stored. This information must be provided at or before the point of collection and in the business’s privacy policy.
  2. Consumer rights: Businesses must facilitate and honor consumer rights, including access to information, deletion of personal data, opting out of data sales, and the right to know whether their data is being sold or disclosed for business purposes.
  3. Data security: Businesses must implement reasonable security measures to protect personal data
  4. Non-discrimination: Businesses cannot discriminate against consumers who exercise their CCPA rights
  5. Third-party contracts: Businesses must ensure that third parties handling personal data adhere to CCPA regulations

CCPA applies to businesses that meet one or more of the following criteria:

  • The business has annual gross revenues exceeding $25 million
  • The business buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices annually
  • The business derives 50% or more of its annual revenues from selling California residents’ personal information

The CCPA grants California residents the following seven rights:

  1. Right to know: Consumers have the right to know what personal data is being collected about them
  2. Right to access: Consumers can request access to their personal data held by businesses
  3. Right to data portability: Consumers can request that their data be provided in a portable and readily usable format
  4. Right to deletion: Consumers can request the deletion of their personal data
  5. Right to opt-out: Consumers can opt out of the sale of their personal data
  6. Right to non-discrimination: Consumers have the right not to be discriminated against for exercising their CCPA rights
  7. Right to correct: Consumers can request corrections to inaccurate personal data

CCPA prohibits businesses from:

  • Selling personal information of minors under 16 without explicit opt-in consent. For minors under 13, the consent must be provided by a parent or guardian.
  • Retaliating against consumers who exercise their CCPA rights, including by denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services unless the difference is reasonably related to the value provided by the consumer’s data.
  • Engaging in deceptive practices concerning the collection, use, and sharing of personal data
  • Failing to comply with consumer requests related to their CCPA rights, including requests for access, deletion, or opting out of the sale of personal information, within the required timeframes

CCPA grants privacy rights to all California residents. This includes those domiciled in California for temporary or transitory purposes, as well as individuals who are domiciled outside of California for other purposes.

The 5 key requirements of the CCPA include:

  1. Privacy policy updates: Businesses must update their privacy policies to reflect CCPA rights and practices
  2. Consumer rights requests: Businesses must establish processes for handling consumer rights requests, such as access, deletion, and opt-out requests
  3. Data inventory: Businesses must maintain an inventory of the personal data they collect, use, and share
  4. Training and awareness: Businesses must train employees on CCPA requirements and consumer rights
  5. Third-party management: Businesses must ensure contracts with third parties comply with CCPA regulations and restrict the use of personal information to the specific purposes outlined in the contract

The CCPA went into effect on January 1, 2020. However, enforcement of the CCPA began on July 1, 2020.

Under CCPA, businesses are required to disclose:

  • Categories of personal information: Types of personal data collected in the preceding 12 months
  • Sources of information: How the personal data was collected
  • Business purpose: The purposes for collecting or selling personal data
  • Third parties: Categories of third parties with whom personal data is shared
  • Consumer rights: Information about consumer rights under the CCPA and how to exercise them

Non-compliance with the CCPA can result in significant fines. For civil penalties, companies can be charged up to $2,500 per violation or up to $7,500 per intentional violation. Consumers also have a private right of action in which they can sue for data breaches, with statutory damages ranging from $100 to $750 per consumer per incident or actual damages, whichever is greater.

To prepare for CCPA compliance, businesses can utilize various tools, including:

  • Data mapping tools to track and manage personal data across the organization
  • Privacy management software to handle consumer rights requests and ensure compliance
  • Security solutions to safeguard personal data against breaches
  • Training programs to educate employees on CCPA requirements and compliance procedures
  • Third-party risk management tools to assess and manage third-party compliance

While GDPR and CCPA share common goals of data protection and privacy, they differ in four main ways:

  1. Scope: GDPR applies to organizations operating within the EU or processing data of EU residents, while CCPA specifically targets businesses handling data of California residents
  2. Consumer rights: GDPR includes the right to rectification and restriction of processing, which are not explicitly stated in the CCPA
  3. Penalties: GDPR fines can be much higher, up to €20 million or 4% of global annual revenue, compared to CCPA’s maximum of $7,500 per intentional violation. Additionally, the CCPA created a private right of action related to data breaches that allows for statutory damages of up to $750 per consumer (or actual damages, whichever is greater).
  4. Opt-in vs. opt-out: GDPR requires explicit consent (opt-in) for data processing, whereas CCPA provides an opt-out mechanism for data sales

Under CCPA, personal information is broadly defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes:

  • Identifiers: Name, address, email, phone number, IP address, Social Security number
  • Commercial information: Records of personal property, products purchased, purchase histories
  • Biometric information: Fingerprints, face recognition data
  • Internet activity: Browsing history, search history, and interactions with websites
  • Geolocation data: Precise physical location
  • Employment information: Job history, professional information
  • Educational information: Academic records
  • Inferences: Profiles drawn from any personal information to reflect preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

The following are not considered personal information under CCPA:

  • Public information: Any information publicly available via local, state, or federal government records including professional licenses, public real estate records, public property records, etc.
  • De-identified information: Information that cannot reasonably identify, relate to, describe, or be linked, directly or indirectly, to a particular consumer or household is not considered personal information.
  • Information exempted by sector specific privacy laws: Certain information is excluded from the CCPA because it falls under specific privacy regulations, including health information protected under HIPAA, consumer credit information protected under FCRA, and financial information protected under the Gramm-Leach-Bliley Act.

CCPA maps to the following frameworks: 

Hyperproof for CCPA Compliance

Hyperproof Helps You Comply With the CCPA Step-by-Step

  • CCPA compliance framework with requirements and controls to help you get started
  • Quickly collect evidence to document your efforts toward CCPA compliance
  • Work with the productivity tools you already have
  • Re-use evidence across multiple frameworks and controls
  • Map a control to multiple regulatory standards and reduce time to compliance for all regulations that matter to your business
  • Pinpoint and prioritize your critical work stream
