The CCPA or the California Consumer Privacy Act is a comprehensive state-level privacy act passed by the California State Legislature and signed into law in 2018. The Act provides California residents rights over their personal data and regulates how businesses can process it.
Effective from: 1 January 2020
Official text: SB-1121 California Consumer Privacy Act of 2018
What is CCPA?
The CCPA is the first-of-its-kind data privacy legislation in the US and gives Californian residents controls over how companies use their personal data. These include the right to access the data, the right to ask for its deletion, and the right to prevent its sale to third parties. The CCPA came into effect in January 2020 and in July 2020, the California Attorney General (AG) began enforcing the Act.
Who does CCPA apply to?
The CCPA applies to all for-profit organizations that conduct business in California, collect consumers’ personal information and meet any of the following requirements:
- Have gross annual revenue of $25 million or more
- Buy, receive, or sell personal data from more than 50,000 California consumers, households, or devices
- Earn 50% or more of their annual revenue from the sale of personal data
The law also applies to any business that is controlled by a business covered by CCPA or shares common branding such as a shared name, service mark, or trademark with such a business.
Does CCPA apply to businesses outside California?
The CCPA can apply to any organization “doing business in California”. So, businesses outside California that collect, sell or disclose the personal information of California residents can fall within the scope of the CCPA. This means that if you have customers from California, you can be subject to CCPA compliance.
What is personal information in CCPA?
The CCPA defines personal information as any information that: “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
CCPA takes a broad approach to defining personal information (PI) and specifies the categories that constitute PI.
- Identifiers such as a real name, alias, postal address, email address, social security number, driver’s license number, passport number, online identifiers such as an IP address, and other similar identifiers
- Electronic network activity information, including browser history, search history, and any information regarding a consumer’s interaction with a website, app or advertisement
- Geolocation data, audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Characteristics of protected classifications under California or federal law such as race, ancestry, national origin, religion, age, mental and physical disability, sex, sexual orientation, gender identity, medical condition, genetic information, marital status, or military status
While the definition of PI is broad, CCPA has several exemptions such as “publicly available” information that is lawfully made available from federal, state, or local government records and pseudonymized or de-identified information that cannot be reasonably linked to an individual.
What are the key definitions of CCPA?
Service provider: Any organization that processes personal information on behalf of a business for a business purpose pursuant to a written contract is a service provider. They are prohibited from retaining, using, or disclosing personal information for any other purpose.
Sale: Sell, selling or sale is broadly defined in the CCPA and it means the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information by a business to another business or a third party for monetary or other valuable consideration.
Third party: The CCPA defines third parties in the negative. Any entity that is neither the business that collected personal information from the consumer nor a service provider acting under a written contract is a third party.
What are the consumer rights provided by the CCPA?
The CCPA grants California consumers the following rights regarding the use and sale of their personal data.
The right to access information: Consumers have the right to request that a business disclose the categories of personal information that it collected or sold, the specific pieces of information collected, the business purposes for collecting it, the sources from which it was collected, and the third parties with whom the information is shared.
The right to delete information: Consumers have the right to request that a business delete the personal information it has collected about them. Businesses that receive verifiable consumer requests are required to delete the consumer’s personal information from their records and direct any service providers to delete the same.
The right to opt-out: Consumers have the right to direct a business to not sell their personal information to third parties. Businesses also cannot sell the personal information of consumers under 16 years of age unless the consumer or their parent/guardian consents to it or opts in.
The right to non-discrimination: Consumers have the right not to be discriminated against for exercising their CCPA consumer rights. Discrimination includes practices like denying goods or services, charging different prices, or providing a different level or quality of goods or services.
06 Steps to comply with CCPA
01 Map all the data you collect
Conduct a thorough data inventory and review your organization’s data collection practices. Analyze all collected data and create auditable records of where the data is located and stored. Questions to consider:
- What is the personal information you’re collecting?
- What is the purpose of the information you are collecting?
- Is the information used only for the purpose it was intended for?
- Where is the information stored?
- Do you collect any sensitive information?
- How does personal information flow through your network?
- Is the information being shared with any third parties and why?
After mapping all the data, conduct a risk assessment to determine where data practices fit within the legal framework for CCPA. Depending on the types of data your organization has acquired, you may have to take steps like organizing, deleting, or anonymizing personal information. If your business works with third parties or vendors, ensure that there are contracts in place to establish their liability for any failures to comply with CCPA.
02 Display a ‘Do Not Sell My Personal Information’ link
The CCPA’s right to opt-out applies where a business sells personal information relating to Californian consumers.
- The Act requires businesses to provide a conspicuous “Do Not Sell My Personal Information” (DNSMPI) link on the website’s homepage or mobile application, and on any webpage where personal information is collected.
- Place the DNSMPI link in your website’s footer and link it to a dedicated page where consumers can opt out of the sale of their personal information.
- Your business is required to stop selling a consumer’s personal information once they opt out, unless the consumer subsequently provides explicit consent to the sale.
- You must not ask the consumer for permission to sell their personal information again until 12 months after they opt out.
- Provide two or more methods for consumers to opt out. These can include a toll-free telephone number or a designated email address.
03 Display an opt-out cookie notice
While CCPA does not require opt-in consent, if you sell personal information to third parties for tracking, analytics or cross-site behavioural advertising, you have to enable users to opt out.
04 Update your privacy policy
Your privacy policy must disclose the following:
- Categories of personal information the company collected in the last 12 months
- The commercial purposes for which such personal information will be used
- The sources from where the information is collected
- The categories of personal information that you have shared with third parties
- An explanation of a consumer’s rights under the CCPA
05 Provide consumer request forms
CCPA gives individuals the right to request information about the way companies handle their personal information. Consumers can make this request via email, an online form, toll-free number or any method designated by the business. The easiest way is to add a form to your website.
Request forms should enable consumers to exercise their right to access their personal information. The business then needs to verify the requester’s identity, confirm that it holds personal information about them, and respond “without undue delay” and within 45 days to follow the compliance guidelines of CCPA.
Businesses must also inform the consumer if they will not act on a request. They should provide the information free of charge unless the request is excessive. As with the right to opt-out, provide consumers with alternative methods to request access to their information.
06 Review your security measures
CCPA does not specify what security measures need to be implemented to protect personal information, but the Act specifies that penalties can be applied for a “violation of the duty to implement and maintain reasonable security procedures and practices.”
In 2016, the California Office of the Attorney General published a Data Breach Report which listed safeguards that constitute “reasonable security” practices, identifying the set of 20 data security controls published by the Center for Internet Security (the CIS Controls) as the minimum baseline for any information security program. These can therefore serve as a guide to the CCPA data security requirements.
CCPA compliance checklist
Here’s a quick recap of all the things you need to do to fulfil CCPA requirements.
- Conduct data assessment of your collection practices
- Review security measures and improve technical safeguards
- Display a ‘Do Not Sell My Personal Information’ link and a dedicated opt-out page on your website
- Give users multiple methods to opt-out of sale
- Provide consumer request forms to exercise their CCPA rights
What is the penalty for CCPA violation?
Under the CCPA, businesses will be notified of any alleged violations and will have 30 days to cure the non-compliance. If a business fails to do so, it may be subject to a civil penalty of up to $2,500 for each unintentional violation or $7,500 for each intentional violation.
The CCPA also provides a private right of action for damages resulting from a data breach involving certain defined types of personal information. Consumers can recover statutory damages of between $100 and $750 per consumer per incident or their actual damages, whichever is greater.
Consumers who are seeking only statutory damages must provide a defendant business 30-day written notice of the alleged CCPA violation. If the business “cures” the alleged violation within 30 days, then the consumer may not sue. However, if consumers are seeking to recover actual damages (monetary loss as a result of a breach) they can proceed to file without any written notice.
What is the California Privacy Rights Act (CPRA)?
In November 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA). It amends and strengthens the CCPA and moves California’s privacy laws toward GDPR standards, including the creation of a data protection authority, the California Privacy Protection Agency (CPPA).
CPRA also strengthens the focus on businesses involved in internet advertising, automated decision-making technologies, and the collection and use of sensitive personal information or children’s data.
The CPRA is set to become operative on January 1, 2023. However, CPRA has a 12-month “look-back” provision, i.e. it will apply to personal information collected on or after January 1, 2022. This means businesses should be substantially in compliance with CPRA by January 1, 2022.
You can read this guide to the California Privacy Rights Act.
FAQ on CCPA
Who enforces the CCPA?
California’s Office of Attorney General, California Department of Justice will enforce the CCPA and will have the power to issue non-compliance fines.
What data is exempt from CCPA?
CCPA’s exemptions include personal information that is collected and used “wholly outside” of California; employee information (collected from employees, job applicants, owners, directors, officers, medical staff, members or contractors of a business); personal information collected about B2B contacts; information related to certain warranties and recalls; and information subject to other state and federal laws. The CPRA extends the current CCPA exemption for employment and business-to-business data until January 1, 2023.
What does CCPA say about cookies?
CCPA considers “unique personal identifiers” such as cookies that can be used to “recognize a . . . device that is linked to a consumer or family, over time and across different services” as personal information. Since this definition is very broad, cookies can be considered personal information.
Depending on how the cookie categories are used by your business, certain first-party cookies and third-party cookies used for advertising or marketing purposes can be interpreted as ‘sale’ of personal information as per the CCPA.
Does CPRA replace CCPA?
The CPRA will significantly expand the requirements of the CCPA and add new provisions such as the creation of a new Privacy Protection Agency in California to enforce California’s privacy laws. However, it is unclear whether the law will continue to be known as the CCPA or will instead be known as CPRA, effective January 1, 2023.
Is GDPR compliance enough for CCPA compliance?
No, but GDPR compliance gives you a considerable head start on CCPA compliance, as at their core both regulations are set up to protect individuals’ personal data and provide them with rights over their data.
Focusing on their key differences can help you take steps to ensure compliance with both. See this GDPR vs CCPA blog for a comparison.
Steps like implementing a cookie notice that can be geo-targeted as per the user’s browser location can help you easily comply with both GDPR and CCPA at the same time. Tools like CookieYes will help you achieve compliance with multiple privacy laws at the same time.
Does CCPA apply to children?
CCPA has “opt-in” requirements for children. Businesses can only sell the personal information of minors between the ages of 13 and 16 with the child’s consent and can only sell the personal information of children below 13 with the consent of their parent or guardian. If you collect any children’s personal information, ensure that you only sell such personal information after obtaining the required consent.