The Ultimate Guide to

California Consumer Privacy Act (CCPA)

What Is California Consumer Privacy Act (CCPA)

The Consumer Consumer Privacy Act (CCPA) is a wide-ranging privacy law that went into effect on January 1st, 2020. It regulates how businesses collect, use, and disclose just about any kind of information that relates to an individual. It covers any business that earns $25 million in revenue per year overall, or sells 50,000 consumer records per year, or derives 50% of its annual revenue from selling personal information.

The CCPA requires businesses to implement new policies and procedures to ensure the protection of personal information for Californian residents. What’s more, the law expands what’s considered “personal information” and includes data elements not previously considered personal information under any U.S. law. It also gives California residents some new rights to make data requests to businesses that handle their data.

Businesses that fail to comply with the CCPA can incur fines and face private right of actions from individuals. Even if your business does not deal with California residents, other states are implementing similar privacy laws and you can expect more in the future. Complying with CCPA’s core principles of meaningful transparency and choice will set your organization on the right track for the future of U.S. privacy regulation.

Navigating the Path to Compliance

For organizations just beginning their journey, establishing a robust CCPA data compliance program is the first step toward long-term consumer trust. This requires more than just updating a privacy policy; it involves building a repeatable CCPA compliance framework that can scale as your data volumes grow. By adopting a structured CCPA framework, you can ensure that every consumer request is handled within the state-mandated 45-day window while minimizing the risk of costly civil penalties.

CCPA: Frequently Asked Questions

The California Consumer Privacy Act (CCPA) establishes rules that businesses must follow to protect the privacy rights of California residents. The established rules are as follows:

Disclosure requirements: Businesses must inform consumers about the personal data they collect and how it is used, shared, and stored. This information must be provided at or before the point of collection and in the business’s privacy policy.
Consumer rights: Businesses must facilitate and honor consumer rights, including access to information, deletion of personal data, opting out of data sales, and the right to know whether their data is being sold or disclosed for business purposes.
Data security: Businesses must implement reasonable security measures to protect personal data
Non-discrimination: Businesses cannot discriminate against consumers who exercise their CCPA rights
Third-party contracts: Businesses must ensure that third parties handling personal data adhere to CCPA regulations

CCPA applies to businesses that meet one or more of the following criteria:

The business has annual gross revenues exceeding $25 million
The business buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices annually
The business derives 50% or more of its annual revenues from selling California residents’ personal information

The CCPA grants California residents the following seven rights:

Right to know: Consumers have the right to know what personal data is being collected about them
Right to access: Consumers can request access to their personal data held by businesses
Right to data portability: Consumers can request that their data be provided in a portable and readily usable format
Right to deletion: Consumers can request the deletion of their personal data
Right to opt-out: Consumers can opt out of the sale of their personal data
Right to non-discrimination: Consumers have the right not to be discriminated against for exercising their CCPA rights
Right to correct: Consumers can request corrections to inaccurate personal data

CCPA prohibits businesses from:

Selling personal information of minors under 16 without explicit opt-in consent. For minors under 13, the consent must be provided by a parent or guardian.
Retaliating against consumers who exercise their CCPA rights, including by denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services unless the difference is reasonably related to the value provided by the consumer’s data.
Engaging in deceptive practices concerning the collection, use, and sharing of personal data
Failing to comply with consumer requests related to their CCPA rights, including requests for access, deletion, or opting out of the sale of personal information, within the required timeframes

CCPA grants privacy rights to all California residents. This includes those domiciled in California for temporary or transitory purposes, as well as individuals who are domiciled outside of California for other purposes

The 5 key requirements of the CCPA include:

Privacy policy updates: Businesses must update their privacy policies to reflect CCPA rights and practices
Consumer rights requests: Businesses must establish processes for handling consumer rights requests, such as access, deletion, and opt-out requests
Data inventory: Businesses must maintain an inventory of the personal data they collect, use, and share
Training and awareness: Businesses must train employees on CCPA requirements and consumer rights
Third-party management: Businesses must ensure contracts with third parties comply with CCPA regulations and restrict the use of personal information to the specific purposes outlined in the contract

The CCPA went into effect on January 1, 2020. However, enforcement of the CCPA began on July 1, 2020.

Under CCPA, businesses are required to disclose:

Categories of personal information: Types of personal data collected in the preceding 12 months
Sources of information: How the personal data was collected
Business purpose: The purposes for collecting or selling personal data
Third parties: Categories of third parties with whom personal data is shared
Consumer rights: Information about consumer rights under the CCPA and how to exercise them

Non-compliance with the CCPA can result in significant fines. For civil penalties, companies can be charged up to $2,500 per violation or up to $7,500 per intentional violation. Consumers also have a private right of action in which they can sue for data breaches, with statutory damages ranging from $100 to $750 per consumer per incident or actual damages, whichever is greater.

To prepare for CCPA compliance, businesses can utilize various tools, including:

Data mapping tools to track and manage personal data across the organization
Privacy management software to handle consumer rights requests and ensure compliance
Security solutions to safeguard personal data against breaches
Training programs to educate employees on CCPA requirements and compliance procedures
Third-party risk management tools to assess and manage third-party compliance

While GDPR and CCPA share common goals of data protection and privacy, they differ in four main ways:

Scope: GDPR applies to organizations operating within the EU or processing data of EU residents, while CCPA specifically targets businesses handling data of California residents
Consumer rights: GDPR includes the right to rectification and restriction of processing, which are not explicitly stated in the CCPA
Penalties: GDPR fines can be much higher, up to €20 million or 4% of global annual revenue, compared to CCPA’s maximum of $7,500 per intentional violation. Additionally, the CCPA created a private right of action related to data breaches that allows for statutory damages of up to $750 per consumer (or actual damages, whichever is greater).
Opt-in vs. opt-out: GDPR requires explicit consent (opt-in) for data processing, whereas CCPA provides an opt-out mechanism for data sales

Under CCPA, personal information is broadly defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes:

Identifiers: Name, address, email, phone number, IP address, Social Security number
Commercial information: Records of personal property, products purchased, purchase histories
Biometric information: Fingerprints, face recognition data
Internet activity: Browsing history, search history, and interactions with websites
Geolocation data: Precise physical location
Employment information: Job history, professional information
Educational information: Academic records
Inferences: Profiles drawn from any personal information to reflect preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

The following are not considered personal information under CCPA:

Public information: Any information publicly available via local, state, or federal government records including professional licenses, public real estate records, public property records, etc.
De-identified information: Information that cannot reasonably identify, relate to, describe, or be linked, directly or indirectly, to a particular consumer or household is not considered personal information.
Information exempted by sector specific privacy laws: Certain information is excluded from the CCPA because it falls under specific privacy regulations, including health information protected under HIPAA, consumer credit information protected under FCRA, and financial information protected under the Gramm-Leach-Bliley Act.