The CCPA or the California Consumer Privacy Act is a comprehensive state-level privacy act passed by the California State Legislature and signed into law in 2018. The Act provides California residents rights over their personal data and regulates how businesses can process it. 

Effective from: 1 January 2020 Official text: SB-1121 California Consumer Privacy Act of 2018

What is CCPA?

The CCPA is the first-of-its-kind data privacy legislation in the US and gives Californian residents controls over how companies use their personal data. These include the right to access the data, the right to ask for its deletion, and the right to prevent its sale to third parties. The CCPA came into effect in January 2020 and in July 2020, the California Attorney General (AG) began enforcing the Act.

Who does CCPA apply to?

The CCPA applies to all for-profit organizations that conduct business in California, collects consumers’ personal information and meet any of the following requirements:

  1. Has gross annual revenue of $25 million or more 
  2. Buys, receives, or sells personal data from more than 50,000 California consumers, households, or devices
  3. Earns 50% or more of its annual revenue from the sale of personal data

The law also applies to any business that is controlled by a business covered by CCPA or shares common branding such as a shared name, service mark, or trademark with such a business.

Does CCPA apply to businesses outside California?

The CCPA can apply to any organization “doing business in California”. So, businesses outside California that engage in collecting, selling or disclosing the personal information of California residents can fall under the scope of the CCPA. This means, if you have customers from California, you can be subject to CCPA compliance.

What is personal information in CCPA?

The CCPA defines personal information as any information that: “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

CCPA takes a broad approach to define personal information (PI) and specifies different categories that constitute PI.

  • ​​Identifiers such as a real name, alias, postal address, email address, social security number, driver’s license number, passport number, or online identifiers, IP address and other similar identifiers
  • Electronic network activity information, including, browser history, search history, and any information regarding a consumer’s interaction with a website, app or advertisement
  • Geolocation data, audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Information that is protected classifications under California or federal law such as race, ancestry, national origin, religion, age, mental and physical disability, sex, sexual orientation, gender identity, medical condition, genetic information, marital status, or military status

While the definition of PI is broad, CCPA has several exemptions such as “publicly available” information that is lawfully made available from federal, state, or local government records and pseudonymized or de-identified information that cannot be reasonably linked to an individual. 

What are the key definitions of CCPA?

Service provider: Any organization that processes personal information on behalf of a business for a business purpose pursuant to a written contract is a service provider. They are prohibited from retaining, using, or disclosing personal information for any other purpose.

Sale: Sell, selling or sale is broadly defined in the CCPA and it means the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information by a business to another business or a third party for monetary or other valuable consideration.

Third-party: The CCPA defines third parties in the negative. Any entity that is neither the business that collected personal information from the consumer nor a service provider pursuant to the contract is a third party.

What are the consumer rights provided by the CCPA?

The CCPA grants California consumers the following rights regarding the use and sale of their personal data. 

The right to access information: Consumers have the right to request a business to disclose the categories of personal information that was collected or sold, the specific pieces of information collected, the business purposes for collecting, the sources from which it was collected,  the third parties with who the information is shared. 

The right to delete information: Consumers have the right to request a business to delete the personal information it has collected about them. Businesses who receive verifiable consumer requests are required to delete the consumer’s personal information from its records and direct any service providers to delete the same.

The right to opt-out: Consumers have the right to direct a business to not sell their personal information to third parties. Businesses also cannot sell the personal information of consumers under 16 years of age unless the consumer or their parent/guardian consents to it or opts in.

The right to non-discrimination: Consumers have the right to be not discriminated against for exercising their CCPA consumer rights. This may include practices like denying goods or services, charging different prices,  providing a different level or quality.

06 Steps to comply with CCPA

01 Map all the data you collect

Conduct a thorough data inventory and review your organization’s data collection practices. Analyze all collected data and create auditable records where the data is located and stored. Here are some specific questions that you need to take into account.

  • What is the personal information you’re collecting?
  • What is the purpose of the information you are collecting?
  • Is the information used only for the purpose it was intended for?
  • Where is the information stored?
  • Do you collect any sensitive information?
  • How does personal information flow through your network?
  • Is the information being shared with any third parties and why?

After mapping all the data, conduct a risk assessment to determine where data practices fit within the legal framework for CCPA. Depending on the types of data your organization has acquired, you may have to take steps like organizing, deleting, or anonymizing personal information. If your business works with third parties or vendors, ensure that there are contracts in place to establish their liability for any failures to comply with CCPA.

02 Display a ‘Do Not Sell My Personal Information’ link

The CCPA’s right to opt-out applies where a business sells personal information relating to Californian consumers. 

  • The Act requires businesses to provide a conspicuous “Do Not Sell My Personal Information” (DNSMPI) link on your website’s homepage or mobile application, or on any webpage where you collect personal information. 
  • Place the DNSMPI link on your website’s footer and link it to a dedicated page where they can opt out of the sale of their personal information.
  • Your business is required to stop selling personal information when the consumer opts out unless the consumer provides explicit consent to do so at a later stage.
  • You have to restrict from asking the consumer’s permission to sell their personal information again till 12 months after the consumer opts out.
  • Provide two or more methods for consumers to opt out. These can include a toll-free telephone number or a designated email address.
NBC Universal's CCPA Do not sell page.
The dedicated ‘Do Not Sell My Personal Information’ page.

03 Display an opt-out cookie notice

While CCPA does not involve opt-in consent, if you sell personal information with third parties for tracking, analytics or cross-site behavioural advertising, you have to enable users to opt-out.

Note that CCPA defines “sale” very broadly, and it is likely to include transfers of information related to cookies such as third-party cookies and advertising cookies. So, if your website uses cookies and trackers, you can display a cookie notice with a ‘Do not sell’ button, so users can opt out of these cookies.

CCPA opt out notice by CookieYes
An example of CCPA opt-out cookie notice from CookieYes.

CookieYes is a cookie consent solution used by over 1 million websites to comply with laws like the CCPA and GDPR. You can display a custom cookie banner or a ‘Do not sell’ opt-out notice on your website as per your website’s design. You can choose to block only the relevant cookie categories (that would constitute a ‘sale’). You can also include a link to a detailed cookie policy on the notice, generated using the in-built cookie policy generator.

04 Revamp your privacy policy

For CCPA compliance, you need to update your current privacy policy with CCPA-specific disclosures such as categories and types of personal information collected, the purpose for which it is used, the sources of that information and the third parties it is shared with. Note that the privacy policy should provide a broad picture of the company’s online as well as offline practices.

A CCPA-compliant privacy policy must be clear and easy to understand and use straightforward language. Your privacy policy should include:

  • Categories of personal information the company collected in the last 12 months
  • The commercial purposes for which such personal information will be used
  • The sources from where the information is collected
  • The categories of personal information that you have shared with third parties
  • An explanation of a consumer’s rights under the CCPA

Ensure that the CCPA related privacy information is marked clearly, so California users have easy access to it. You can also create a CCPA-specific privacy policy and link it to your ‘Do not sell’ page and your cookie notice. 

You can use a free privacy policy generator to create a custom privacy policy for your site’s CCPA compliance.

05 Provide consumer request forms

CCPA gives individuals the right to request information about the way companies handle their personal information. Consumers can make this request via email, an online form, toll-free number or any method designated by the business. The easiest way is to add a form to your website.

A CCPA ‘Do not sell’ page with a request form for consumers.
Op4G uses the ‘Do not sell’ page to provide a request form for consumers.

Request forms should enable consumers to exercise their right to access their personal information. The business then needs to verify the requestor’s identity and existence within their database and respond “without undue delay” and within 45 days to follow the compliance guidelines of CCPA.

Businesses must also inform the consumer in case of no action regarding consumer requests. They should also provide the information free of charge unless the request is excessive. Similar to the right to opt-out, provide consumers with alternative methods to request access to information.

06 Review your security measures

CCPA does not specify what security measures need to be implemented to protect personal information, but the Act specifies that penalties can be applied for a “violation of the duty to implement and maintain reasonable security procedures and practices.” 

In 2016, the California Office of the Attorney General published a Data Breach Report which listed safeguards that constitute “reasonable security” practices, emphasizing a set of 20 data security controls published by the Center for Internet Security as the universal baseline for any information security program. These can therefore serve as a guide to the CCPA data security requirements. 

CCPA security safeguards for compliance
Source: California Data Breach Report, February 2016

CCPA compliance checklist

Here’s a quick recap of all the things you need to do to fulfil CCPA requirements.

  • Conduct data assessment of your collection practices
  • Review security measures and improve technical safeguards
  • Display ‘Do not sell’ link and a dedicated page on your website
  • Give users multiple methods to opt-out of sale
  • Add cookie notice to your website and link your cookie policy
  • Revamp your privacy policy for CCPA-specific updates
  • Provide consumer request forms to exercise their CCPA rights

What is the penalty for CCPA violation?

Under the CCPA, businesses will be notified of any alleged violations and will have 30 days to cure the non-compliance. If a business fails to do so, it may be subject to a civil penalty of up to $2,500 for each unintentional violation or $7,500 for each intentional violation. 

The CCPA also provides for a private right of action for damages resulting from a data breach involving certain defined types of personal information. To recover damages, consumers can get penalties of $100 and $750 per incident. Alternatively, consumers can claim for actual damages, whichever is greater. 

Consumers who are seeking only statutory damages must provide a defendant business 30-day written notice of the alleged CCPA violation. If the business “cures” the alleged violation within 30 days, then the consumer may not sue. However, if consumers are seeking to recover actual damages (monetary loss as a result of a breach) they can proceed to file without any written notice.

What is Consumer Privacy Rights Act (CPRA)?

In November 2020, California voters passed Proposition 24—the California Privacy Rights Act (CPRA). It amends and strengthens the CCPA and moves California’s privacy laws toward GDPR standards, including the creation of a  data protection authority, the California Privacy Protection Agency (CPPA).

CPRA also strengthens its focus on businesses that involves internet advertising, automated decision-making technologies, collection and use of sensitive personal information or children’s data.

The CPRA’s is set to go into effect on January 1, 2023. However, CPRA has a 12-month “look-back” provision i.e. it will impact personal information collected on or after January 1, 2022. This means businesses should be substantially in compliance with CPRA by January 1, 2022. 

You can read this guide to Consumer Privacy Rights Act.

FAQ on CCPA

Who enforces the CCPA?

California’s Office of Attorney General, California Department of Justice will enforce the CCPA and will have the power to issue non-compliance fines. 

What data is exempt from CCPA?

CCPA’s exemptions include personal information that is collected and used “wholly outside” of California, employee information (collected from employees, job applicants, owners, directors, officers, medical staff, members or contractors of a business), personal information collected about B2B contacts; related to certain warranties and recalls; or subject to other state and federal laws. The CPRA extends the current CCPA exemption for employment and business-to-business data until January 1, 2023. 

What does CCPA say about cookies?

CCPA considers “unique personal identifiers” such as cookies that can be used to “recognize a . . . device that is linked to a consumer or family, over time and across different services” as personal information. Since this definition is very broad, cookies can be considered personal information.

Depending on how the cookie categories are used by your business, certain first-party cookies and third-party cookies used for advertising or marketing purposes can be interpreted as ‘sale’ of personal information as per the CCPA.

Does CPRA replace CCPA?

The CPRA will significantly expand the requirements of the CCPA and add new provisions such as the creation of a new Privacy Protection Agency in California to enforce California’s privacy laws. However, it is unclear whether the law will continue to be known as the CCPA or will instead be known as CPRA, effective January 1, 2023.

Is GDPR compliance enough for CCPA compliance?

No, but GDPR compliance gives you a considerable advantage over CCPA compliance, as at its core both the regulations are set up to protect individuals’ personal data and provide them with rights over their data.

Focussing on their key differences can help you to take steps to ensure compliance with both. Check out this GDPR vs CCPA blog for the same.

Steps like implementing a cookie notice that can be geo-targeted as per the user’s browser location can help you easily comply with both GDPR and CCPA at the same time. Tools like CookieYes will help you achieve compliance with multiple privacy laws at the same time.

Does CCPA apply to children?

CCPA has “opt-in” requirements for children. Businesses can only sell the personal information of minors between the ages of 13 and 16 with the child’s consent and can only sell the personal information of children below 13 with the consent of their parent or guardian. If you collect any children’s personal information ensure that you turn only sell such personal information if you obtain consent.