The California Consumer Privacy Act (CCPA) came into effect in January 2020, and the California Privacy Rights Act (CPRA) later amended and expanded it, with most of those amendments taking effect in January 2023. Since then, CCPA compliance has been a must for any for-profit business that does business in California and meets one of the following criteria:
The main aim of the CCPA is to protect Californian consumers’ right to privacy and their personal data.
A California resident is someone who lives in the state and is not just visiting or on vacation. If they are a resident, they are covered even if they are temporarily away.
The CCPA doesn’t cover non-profit organizations and government bodies. However, that changes if they are affiliated with a for-profit organization or conduct enough commercial activities to tip them over into the for-profit category.
The CCPA defines personal information as “information that identifies, relates to, or could reasonably be linked with you or your household.” This could include information such as:
Personal information doesn’t include publicly available information, such as information lawfully made available from federal, state, or local government records, like professional licenses or records of property ownership.
Sensitive personal information is a subsection of personal information. It includes any user data that poses a higher risk of harm if exposed. Data like financial information, genetic data, medical history, citizenship and immigration status, precise geolocation data, ethnicity, or sexual orientation fall under this category. As such, it requires more protection than personal information.
Under the CCPA, personal information you obtain from a consumer remains subject to that consumer’s control. The law does not declare consumers the legal “owners” of their data, but it grants them the following rights over it:
The data subject has the right to know “the categories and/or specific pieces of personal information” you collect from them, as well as the “categories of sources for that personal information.” They can also ask what you do with the information and what you sell or disclose to third parties. In addition, data subjects have the right to be informed that you’re storing their information—and what you intend to do with it—either before or at the time of collection. Legally, they can ask for this information up to twice a year without being charged a fee.
The consumer can request that you and your third-party vendors delete any collected personal information. You’ll need to comply with these requests except under certain circumstances where you need it for legal reasons. For example, you might need their transaction data to comply with tax regulations.
Additionally, businesses can reject a request that is “manifestly unfounded or excessive” (e.g., a data subject submitting the same request over and over again), or charge a reasonable fee for it. However, the burden is on the business to demonstrate that the request is unfounded or excessive.
While users allow your business to collect their personal information, they can request that you don’t sell or share it with third parties. They should be able to make this request through a universal opt-out mechanism like the Global Privacy Control and a link on your homepage labeled “Do Not Sell or Share My Personal Information.”
Once they opt out, you cannot transfer or disclose their personal information to third parties unless they decide to opt in again.
The data subjects have the right to ask your business to update—or correct any gaps or inaccuracies in—their personal data.
A consumer can ask your business to limit the use of certain sensitive personal information. They can ask you not to use it for anything other than the service you provide and not for targeted advertising or sharing with third-party services. Businesses should provide a link on their homepage reading “Limit the Use of My Sensitive Personal Information” to facilitate these requests.
You cannot ask consumers to waive their rights under the CCPA or discriminate against them should they choose to exercise them.
In addition to these rights, the CCPA requires businesses to implement reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information they collect.
If your business falls under the CCPA, you need to let your users know what data you're collecting and why. You also need to tell them who you’re sharing their data with. This informed consent should include the option of opting out of the sale or sharing of their personal information and limiting the use of their sensitive personal information.
If users submit a verifiable request for access to the personal data you’ve stored, you’re expected to provide the information within 45 days of receiving the request. That period can be extended once by a further 45 days when reasonably necessary, provided you notify the consumer within the first 45 days. Consumers should also be able to correct their information and choose how they want it to be used.
You also need reasonable security measures to protect the information you’ve collected from your users.
When working with third parties, you’re not directly liable for their violations the way you can be for a processor under the GDPR, provided you disclosed the data under a compliant contract and had no actual knowledge, or reason to believe, that the recipient intended to violate the CCPA. The CCPA does expect you to conduct due diligence when selecting compliant vendors, and it requires specific contractual terms (a data privacy addendum, for example) that clearly state how user data can and cannot be used.
While the CCPA mainly requires an opt-out mechanism, selling or sharing data requires an opt-in process if the users are minors. You need explicit opt-in consent from consumers who are at least 13 but under 16 years of age before you can sell or share their data. If they’re under 13, you need consent from their parents or guardians.
In short, to be CCPA compliant, you should:
As you can see, meeting CCPA data compliance requirements means examining your business and its policies and procedures for handling consumer data.
Let’s take a look at how this affects your business and its operations.
One of the biggest impacts of the CCPA on your business is the need for transparency. You need to inform your consumers about your data collection practices—what personal information you’re collecting and why you need it.
Most importantly, this should be communicated to them before or at the time of collection.
You know the rights consumers have under the CCPA, so you’re aware that transparency about information collection is just one part of how you’d build CCPA compliance into your business.
You’ll need to give consumers a way to access their personal information and request that it be deleted, along with a process to handle those requests. Implementing a data subject access request (DSAR) form is one way to facilitate these requests. You should also offer “do not sell or share my information” and “limit the use of my sensitive personal information” links so they can exercise their rights easily.
If you’re sharing consumer data with third-party vendors, you need to properly vet them. So long as you’ve implemented the required contractual provisions with your vendors, they’ll be liable for CCPA violations that they commit. But their bad behavior can raise your risk of a breach, expose non-compliance at your organization you weren’t aware of, or otherwise disrupt your operations. To protect your business, you’ll want to carefully vet vendors for their data privacy practices.
Make sure that the consumer data you collect is well-organized and stored logically. Otherwise, it’ll be hard to retrieve it if a data subject requests access. You also want to make sure your data is mapped and organized to help keep it secure.
If your business works with consumers under the age of 16, you’ll need an additional process to get their or their parents’ or guardians’ explicit opt-in consent.
Most businesses invest in data security because of the high number of cyber threats they face. If your business doesn’t have such a solution, it’s time to get one: CCPA compliance means you have to implement “reasonable security procedures and practices” for the consumer data you collect, and a breach caused by the lack of them opens you to private lawsuits.
A business relies on consumer data for its marketing activities. If you have too many users opting out of data sharing, you won’t be able to rely as much on targeted ads. There are ways to overcome this, of course, but you would have to change up your strategy to compensate. Collecting first-party and zero-party data, for example, can be a way to get information on your prospects with less of an impact on their privacy rights.
On the face of it, CCPA compliance can seem tedious and expensive. However, it does provide an opportunity for you to demonstrate to your users your commitment to protecting their privacy and rights. Consider making your dedication to data privacy an aspect of your brand, promote your organization’s trust center and/or privacy documents in customer communications, or see where and whether privacy impacts the customer journey.
Failure to comply with the CCPA means you could face penalties from the California Attorney General’s office and the California Privacy Protection Agency (CPPA). Also, if consumer data was compromised due to your lack of adequate security, you could be held liable in court.
This would not only be a financial hit in terms of fines and penalties, but it would also damage your reputation.
States with data privacy laws empower their Attorney General to enforce them. California is unique in that its CCPA is also enforceable by the California Privacy Protection Agency (CPPA). This agency, created under the CPRA, specifically focuses on enforcing privacy regulations.
The caveat is that while the agency can enforce CCPA regulations, its actions are limited by the Attorney General’s authority. If the Attorney General decides to take over an investigation or enforcement action, the agency has to step back.
Also, businesses cannot be penalized by both enforcers for the same CCPA violation. As it stands, the penalty for violating the CCPA can be quite substantial.
A business can be fined up to $2,500 for every unintentional violation and up to $7,500 for every intentional violation or for any violation involving the personal information of consumers under 16. These base amounts are adjusted periodically for inflation, and they can add up quickly because each affected consumer counts as a separate violation.
The law also lets consumers sue businesses over a data breach of their nonencrypted and nonredacted personal information caused by a failure to implement reasonable security, and recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. For a statutory-damages claim, however, the consumer must first give the business 30 days’ written notice, and the claim is barred if the business actually cures the violation within that period and says so in writing.
Both CCPA and the EU’s General Data Protection Regulation (GDPR) are data privacy regulations, but they aren’t quite the same—and not just because they apply to different parts of the world.
The CCPA protects the data and privacy of California residents and households only. People who are in the state for a temporary or transitory purpose, such as tourists or visitors passing through, are not covered.
The GDPR, on the other hand, protects anyone within the European Union or European Economic Area (EEA) when their data is collected or processed, even if they were passing through. In other words, the law doesn’t just apply to permanent EU residents.
Under the CCPA, the default is opt-out: a business may collect personal information once it has given notice, and consumers must actively opt out if they don’t want it sold or shared. The exception is minors, for whom the business must obtain opt-in consent (from the minor if they are 13 to 15, or from a parent or guardian if they are under 13) before selling or sharing their data.
The GDPR, on the other hand, follows the opt-in model. Under this regulation, businesses must get the user’s consent before collecting their personal information.
As we saw earlier, the CCPA doesn’t apply to your business if you don’t meet the qualifying criteria. So, if you didn’t earn more than $25 million in annual gross revenue, for example, you may not have to comply.
The GDPR doesn’t have any such qualifying criteria. If you collect and process consumer data, you must comply with the data privacy and protection provisions.
Under the GDPR, there must be a valid legal basis for collecting personal data from consumers. It must fall under one of these categories:
There are no such legal bases required for data collection under the CCPA. As long as you uphold the consumers’ data privacy rights, you can collect their personal information.
If a business violates the GDPR, it can face some of the highest data protection penalties in the world. Fines for less serious infringements can reach 2% of the company’s worldwide annual turnover or 10 million euros, whichever is higher. For more serious violations, the fine can reach 4% or 20 million euros, whichever is higher.
Penalties for violating the CCPA are relatively smaller, but they can add up, as each consumer affected counts as a separate violation.
Data subjects under the GDPR can request access to all their personal data, including broader categories like inferred and internal profiling data, without a time limit. The CCPA’s right to know also covers both the categories and the specific pieces of personal information collected, but it is narrower in practice: the response generally covers the 12 months preceding the request, and a consumer can ask for older information only for data collected on or after January 1, 2022, and only where providing it does not require disproportionate effort.
To comply with GDPR, businesses must inform users about the specific purposes of data processing, who it will be shared with, its retention period, and the bases for collection.
CCPA compliance requires disclosing upon request:
If a business handles a lot of sensitive data or operates on a large scale, it must have a data protection officer (DPO) under the GDPR. While you’re required to designate individuals or departments to handle consumer requests and compliance efforts, the CCPA doesn’t require a designated DPO.
Businesses regulated by the GDPR are obligated to notify the supervisory authority within 72 hours of becoming aware of a personal data breach. They must also inform the affected individuals without undue delay when the breach is likely to result in a high risk to their rights, so they can change their passwords or monitor their accounts for unusual activity.
In short, they should give the affected parties a heads-up as soon as possible so that they can take action to minimize damage.
While the CCPA doesn’t have a similar requirement, it does allow affected users to take legal action against the business if it didn’t secure their data adequately. Note that California law does have a separate data breach notification law.
The GDPR applies to any business that processes data of individuals within the EU/EEA, regardless of whether it operates there. The CCPA is primarily for businesses that operate within California, with some exceptions.
Anonymized data cannot be linked back to the individual because it has been deidentified, that is, stripped of any identifiers that might link it to its subject. Pseudonymized data is only partially deidentified: the direct identifiers have been replaced, but the data can still be linked to the individual if the separately held key or other contextual information is available.
Another term that might be relevant here is aggregated, which means the information of many users is combined in a way that no one person can be identified in the data set.
Data that has been properly anonymized is not subject to GDPR. Pseudonymized data, on the other hand, is regulated.
The CCPA defines “pseudonymize” but still treats pseudonymized data as personal information; what it excludes from the definition of personal information is deidentified data and aggregate consumer information, and only so long as the business takes reasonable measures to ensure the data cannot be re-identified and publicly commits not to attempt re-identification.
Despite the many differences between the two laws, the GDPR and CCPA are quite similar in many ways.
Both the GDPR and CCPA:
We’ve already prepared a detailed CCPA compliance checklist, but let’s quickly recap the important steps involved.
Identify and map out the personal data you collect from your consumers; find out where and how you use it and who you share it with. This is where you will also segment consumer information into personal and sensitive personal data.
While the CCPA only requires “reasonable” security, investing in a comprehensive solution will definitely be beneficial for your business overall. Look for a solution that uses automation for vulnerability management, threat detection, and remediation. Such a solution can help you proactively protect your data.
Create a comprehensive privacy policy that outlines exactly how your business collects, processes, and discloses data. Remember to update this as your compliance operations evolve.
Under the CCPA, consumers have the right to request access to their personal information, ask your business to correct or delete it, and make other requests. California is unusual among states with comprehensive privacy laws in extending these rights to employees and job applicants, too.
You need a process that lets them do this easily, whether it’s through DSAR forms, an email address dedicated to this purpose, or a toll-free number. This, of course, means you might have to set up a department or assign an employee to handle these requests.
You also need a system to verify the identity of the consumer exercising their right, as you don’t want to hand over personal information to just anyone! Match the rigor of the check to the sensitivity of what is requested (disclosing specific pieces of data or deleting data warrants a stronger check than listing categories), and note that you cannot require a consumer to create an account to make a request, nor demand identity verification for an opt-out of sale or sharing.
Finally, there should be a process to document these requests for audits and regulatory inquiries.
If you’re sharing consumer information with vendors and service providers, you’ll need to negotiate appropriate data protection requirements in your contract.
As we said earlier, you might not be directly held accountable for their actions, but if their lack of compliance leads to a data breach and it’s found that they didn’t have proper safeguards in place, you may still be investigated.
Implement the two important opt-out links:
Since you also need to accept universal opt-out signals, like the Global Privacy Control, you’ll have to configure your systems to immediately stop data sales or sharing once the signal is detected.
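Added example (not the article’s own code, and not from any particular compliance vendor) of how a web server can treat the Global Privacy Control signal as a valid “do not sell or share” request and gate sale or sharing on it. The only parts taken from the GPC specification are the `Sec-GPC: 1` request header and the `/.well-known/gpc.json` resource; the Node.js functions, the in-memory consent store, and the user identifiers are assumptions for illustration.

```javascript
// Added example: honoring Global Privacy Control (GPC) as a CCPA opt-out.
// Assumes Node.js. The consent store and function names are hypothetical;
// only the Sec-GPC header and /.well-known/gpc.json come from the GPC spec.

// Node lower-cases incoming header names, so look up the lower-case form.
const GPC_HEADER = 'sec-gpc';

// Hypothetical consent store keyed by a stable user or device identifier.
// Each record: { optedOut: boolean, source: string, updatedAt: string }
const consentStore = new Map();

// The spec defines exactly one opt-out value: the ASCII string "1".
// "0", "true", or an absent header is NOT a signal and must be ignored.
function hasGpcSignal(headers) {
  return headers[GPC_HEADER] === '1';
}

// Persist an opt-out so it keeps applying to later requests from the same
// user even if those requests arrive without the header (e.g. a mobile app).
function recordOptOut(userId, source, now = new Date()) {
  const record = { optedOut: true, source, updatedAt: now.toISOString() };
  consentStore.set(userId, record);
  return record;
}

// An explicit, affirmative opt-in made through the site's own UI (after the
// required notice) clears a stored opt-out. A later GPC signal still wins.
function recordOptIn(userId, now = new Date()) {
  const record = { optedOut: false, source: 'explicit-opt-in', updatedAt: now.toISOString() };
  consentStore.set(userId, record);
  return record;
}

// Gate every sale/share action (ad pixels, data-broker exports, etc.) on this.
// A GPC signal on the current request always wins and is persisted; otherwise
// the stored preference applies. Unknown adult users default to "may sell",
// which is the CCPA's opt-out model; minors would need an opt-in record first.
function maySellOrShare(headers, userId) {
  if (hasGpcSignal(headers)) {
    recordOptOut(userId, 'gpc');
    return { allowed: false, reason: 'gpc-signal' };
  }
  const record = consentStore.get(userId);
  if (record && record.optedOut) {
    return { allowed: false, reason: `stored-opt-out:${record.source}` };
  }
  return { allowed: true, reason: record ? 'stored-opt-in' : 'no-preference' };
}

// Body for GET /.well-known/gpc.json, which tells GPC-aware clients that the
// site honors the signal. lastUpdate is the date the policy was last reviewed.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Walk through constructed requests; returns the "allowed" decision for each.
function demo() {
  const results = [];
  // Request with the signal: blocked, and the opt-out is stored for user-a.
  results.push(maySellOrShare({ 'sec-gpc': '1', host: 'example.test' }, 'user-a').allowed);
  // Later request from user-a without the header: still blocked.
  results.push(maySellOrShare({ host: 'example.test' }, 'user-a').allowed);
  // "0" is not a valid signal, so user-b is treated as having no preference.
  results.push(maySellOrShare({ 'sec-gpc': '0' }, 'user-b').allowed);
  // user-a explicitly opts back in through the site UI: allowed again.
  recordOptIn('user-a');
  results.push(maySellOrShare({}, 'user-a').allowed);
  return results; // [false, false, true, true]
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo(), gpcWellKnown('2024-01-01'));
}
```

The decision function is the single place where the business’s sale/share actions consult consent, which makes the “stop immediately once the signal is detected” requirement a matter of calling it before each such action rather than of auditing every tag. Persisting the opt-out matters because a signal received on one request must keep applying to the same consumer even when a later request (from an app, or a browser with GPC turned off) does not carry the header.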
As your business grows and evolves, so will your data collection and processing. It’s important not to let your data privacy policies stagnate because that way lies the risk of non-compliance. We all know what happens if you’re not CCPA compliant.
Why not simplify the process by using CCPA compliance software like Osano? Automate your privacy compliance processes, including consent management, data mapping, DSAR workflow, privacy impact assessments, and more.
The best part is that Osano supports compliance in over 50 countries, whether you’re under the GDPR or CCPA. Plus, we offer a “No Fines, No Penalties” pledge for added peace of mind.
Keep your business CCPA-compliant with Osano.