The California Consumer Privacy Act (CCPA) is a data privacy law for California. The CCPA regulates how businesses handle the personal information of every California resident.
The CCPA law came into effect on January 1st, 2020. The California Attorney General began enforcement action on July 1st, 2020. It was the first data protection law in the United States.
What does CCPA Compliance Mean?
The CCPA law empowers Californians to take control of their consumer data. Residents have the right to ask businesses to delete or disclose data. Residents also have the right to opt out of third-party data sales.
What is CCPA and GDPR?
The CCPA legislation intends to improve the data privacy of Californian residents. Residents can know how and when their consumer data is collected and sold. It also gives them the right to “opt-out” of providing personal data.
The General Data Protection Regulation (GDPR) is an EU law. It focuses on a “privacy by default” legal framework. It is binding for all EU member states. It controls how organizations and websites handle the data of every EU citizen.
Who is covered by CCPA?
The CCPA covers any for-profit enterprise that conducts business in California. For businesses that collect, share, or sell consumer data of a California resident. The company must also match one of three compliance thresholds:
- Annual gross revenue of more than $25 million.
- Possesses the personal information of 50,000 or more consumers, devices, or households.
- More than half of its revenue is from selling personal information.
What obligations do businesses have under the CCPA?
For companies to ensure they are CCPA compliant. There are seven primary areas they should take into account. These are:
- Checking contract obligations with their service providers
- Honoring all the privacy rights of consumers
- Maintaining a decent level of security for any personal information
- Managing notifications for any data breach
- Providing disclosures and notices to consumers as required
- Retaining relevant records
- Workforce training
What is required for CCPA Compliance?
It can be challenging to know if your business is compliant with CCPA and other regulations. Companies need to check and make necessary changes to avoid a hefty fine. Here are three areas to follow for CCPA compliance.
Update Your Privacy Policy
You must update your privacy policy. The policy needs to include information about CCPA law and your business practices. It needs to detail the consumers’ rights (as described below). Also, it should inform consumers about their right to opt-out.
Conduct a Personal Information Audit
CCPA Compliance requires your organization to understand how you are using personal information. By conducting an audit, you can determine:
- All the different types of personal data your organization collects and stores
- The sources of your personal information
- What personal information you are sharing and selling for business purposes
Set Up a Process for CCPA Consumer Rights
You can do this by detailing extra information in your privacy policy. You can include the right to know, the right to delete, the right to non-discrimination, and opt-out. Create an area where they can request this, e.g., a web page or phone number.
Create a “Do Not Sell My Information” Page
If you sell personal information as a business, you have to give your consumers the option to opt out of the sale. You must provide a web page that allows consumers to opt out of having their data sold.
How do you comply with Pipeda?
Pipeda or the Personal Information Protection Electronic Documents Act is a privacy law in Canada. The rule applies to private sector organizations. It concerns the management of personal information (PI).
An organization can follow Pipeda by obtaining consent from every individual. This consent should happen before they access any content. Individuals can also challenge the accuracy of the information that organizations get.
What are the rights provided by the CCPA?
The CCPA gives five primary rights to Californian residents. Also, the business cannot discriminate against you for exercising any of these rights. The rights are:
- The right to opt-out of third-party data sales.
- To know about any form of data collection.
- Being informed that you do have rights.
- To delete any data collected by the organization.
- The right to have any collected data disclosed.
What is the purpose of the CCPA?
A provision in the CCPA imposed a “purpose limitation” on any businesses subject to the law. This provision means for companies collect personal information. They can only use the information for one purpose.
Businesses must be clear on how they are using their data. The CCPA law gives California residents complete transparency on their consumer data. Residents have different rights they can use to manage their personal information.
What does CCPA mean for businesses?
CCPA focuses on the privacy and data protection of all Californian residents. The CCPA regulates how businesses can use this data. It also ensures that information is safe and secure and minimizes data breaches.
Businesses need to follow all the regulations of the CCPA. Non-compliance with CCPA can result in a fine from regulators of up to $7,500 per violation. A compliance team or dedicated person can track this to help the business stay compliant.
What data is covered under CCPA?
The CCPA covers any information that identifies consumers. CCPA defines the following areas as personal information:
- Direct Identifiers – real name, any alias, postal address, social security number, passport information, signature, and driver’s license.
- Indirect Identifiers – account names, beacons, cookies, IP address, pixel tags, telephone numbers
- Internet Activity – applications and advertisements, browsing history, data interaction on a webpage, search history
- Geolocation Data – information from devices about your location history
- Biometric Data – DNA, face, fingerprints, health data, retina, voice recordings
- Sensitive Information – behavior, employment and education, financial and medical information, personal characteristics, religious or political convictions, sexual preferences
Does CCPA apply to all businesses?
No, CCPA does not apply to all businesses. It applies to for-profit companies that match one of three compliance thresholds. It does not apply to nonprofit organizations or government agencies.
Do I need to comply with CCPA?
Yes, you must follow CCPA when you conduct business in California. You can check the three compliance thresholds (see above) and see if applicable. If you are unsure, comply anyway to avoid any issues with regulators.
Is CCPA the same as GDPR?
No, CCPA and GDPR are not the same data privacy laws. The CCPA relates to for-profit businesses that manage consumer data in California. GDPR applies to all companies and websites in the EU member states.
CCPA protection is for individual “data subjects” that live in California. The law affects for-profit businesses. In contrast, GDPR protects all data subjects. This protection is regardless of citizenship or where they live.
How much does CCPA compliance cost?
If you do not have CCPA compliance, the penalties are severe. Non-compliance can result in a fine of up to $7,500 per violation. If you receive a notification of non-compliance, you have up to 30 days to activate the changes.
You might receive a 45-day request. This request is to provide further information about your compliance status. You will have to reveal what kind of information you store and if you sell it. Also, if you sold it, who have, you sold it to in the last year.
What is the difference between CCPA and CPRA?
The California Privacy Rights Act (CPRA) was an amendment to the CCPA. The CPRA took effect on December 6th, 2020. It is also known as CCPA 2.0. Enforcement of the CPRA will not begin until July 1st, 2023.
The main changes are:
- It expanded the definition of “businesses” covered by the privacy act.
- A new classification of personal information called sensitive personal information (SPI)
- Companies holding high-risk data have to do annual cybersecurity audits. The results go to the California Privacy Protection Agency (CPPA).
- It expands on opting out process. It states that companies must allow consumers to opt-out of third-party sharing.
- It strengthens consumers’ rights in changing or deleting their personal information.
- Consumers’ right-to-know provisions are now more detailed in the CCPA.
- It made changes to data governance and transparency. This change also included contract requirements, data minimization, and storage limitations.
- It increased the penalties for violations of CPRA for consumers under the age of 16. Also, the CPRA can investigate violations itself.
What businesses are subject to CCPA?
The CCPA law affects for-profit businesses that carry out business in California. It refers to companies that collect, sell or share consumers’ data. The company also needs to match one of three compliance thresholds (as detailed above).
Double-Check That Your Business Is CCPA Compliant
When you conduct business in California, you must follow the CCPA. Check that your business is compliant before doing any business in this state. It will save you a potential fine and deep scrutiny from the regulators.