What Is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a first-of-its-kind state law that became effective in 2020. It outlines requirements for businesses that collect personal data about California residents, how and when they can do so, and what they can do with that information.
Meanwhile, the forthcoming California Privacy Rights Act (CPRA) amends and expands what the CCPA requires and goes into effect on January 1, 2023. However, until the CPRA effective date comes, it’s just as important as ever for certain organizations doing business in California to remain CCPA-compliant to avoid the risks of costly fines, litigation, and the exposure of sensitive customer information and data privacy.
The article below will break down everything you need to know for CCPA compliance.
What Does the CCPA Accomplish?
The California Consumer Privacy Act of 2018 (CCPA) was enacted to give California residents more control and consumer rights over how businesses and organizations collect and handle their sensitive personal information.
That personal information could include:
- Geolocation data
- Email addresses
- Social security numbers
- Driver’s license numbers
- Biometric information
- Employment information
- Audio information
- Inferences drawn from collected information to create a profile about the consumer
In a nutshell, if the data collected can be traced back to an individual person, directly or indirectly, it probably applies under the CCPA—but it doesn’t stop there. One aspect that makes the CCPA unique is that the protections cover information from Californian consumers that could be connected to a particular household.
This is extremely important because household-specific information may be much more difficult for businesses to monitor within their environment than data tied to a specific individual.
What Rights Does the CCPA Establish for Consumers?
The CCPA bestows California residents with a broad range of California privacy laws regarding what businesses can do with their personal information—and whether they can use this data discovery in the first place. Those rights can be broken into four main components:
- The right to know
- The right to delete
- The right to opt-out
- The right to non-discrimination
These consumer rights come with certain exceptions, but the following is an overview of each.
The Right To Know
CCPA regulations give California consumers the right to know what personal information a business collects about them and how the business will use and share it. Consumers can request certain businesses to report what information of theirs, if any, has been collected.
The Right to Delete
Californian consumers have the right to request the deletion of personal information a business has collected about them.
The Right to Opt–Out
While many businesses rely on collecting and selling users’ personal information, the CCPA allows California residents to opt –out of the practice.
If a business sells users’ personal information, the CCPA requires that they provide a “Do Not Sell My Personal Information” link on its website for consumers to submit an opt-out request. And these links cannot be strategically hidden—the law requires their placement to be clear and noticeable.
The Right to Non-Discrimination
The CCPA also protects Californians from the right to non-discrimination for exercising the rights the act grants them.
What Businesses Does the CCPA Apply to?
CCPA compliance and regulation applies to for-profit businesses that conduct business in California or with California residents and meet the following criteria:
- The business has a gross annual revenue of more than $25 million
- The business buys, stores, collects, sells, or otherwise handles the personal information of 50,000 or more California residents—as well as their households or devices
- More than half of the business’s annual earnings come from selling Californians’ personal information
Two types of organizations that CCPA requirements don’t apply to include nonprofit organizations and government agencies.
Is CCPA Compliance Still Required?
It’s important to remember that the California Privacy Rights Act (CPRA) will go into effect on January 1, 2023, which, as stated above, will amend and expand every CCPA requirement that is currently in place.
Additionally, when the CPRA takes effect, California consumers can make personal information requests for personal data usage that occurred during 2022, so the sooner you comply with CPRA requirements, the better.
By taking steps to become CCPA compliant, you’ll be better prepared to meet many of the additional requirements that will come with the CPRA.
How to Reach CCPA Compliance Requirements
What is CCPA compliance, and what does it look like? The steps to satisfying CCPA compliance requirements may vary depending on what personal information your business collects, what it does with it, and what processes are part of your business procedures.
The following are a sampling of items you may need to add to your own CCPA compliance checklist:
- Assign and train an individual or team to manage data security.
- Inventory data and data types your organization will collect—if your business has already made accommodations to comply with other requirements like HIPAA or GDPR requirements, you’ll be off to a good start, but note the CCPA has its own unique requirements.
- Perform a risk assessment of the data collected and how it’s handled.
- Identify potential impacts if said information were to be compromised.
- Identify missing or inadequate contractual arrangements with vendors and other parties.
- Adjust existing systems and procedures or introduce new ones as necessary to enhance security and satisfy other privacy law requirements.
- Respond to consumer data requests in a manner compliant with CCPA requirements.
- Keep a record of data collecting and sharing, particularly if data is being “sold” – specific obligations apply.
What Are the Penalties for Violating the CCPA?
A business generally has to correct a CCPA violation within 30 days of receiving notice of alleged noncompliance from the California attorney general’s office. Moving forward, the California Privacy Protection Agency has assumed oversight responsibilities.
If the problem is not corrected, violations can come with a fine of up to $2,500 per violation. However, if that violation is determined to be intentional or, per CPRA, if consumers under 16 are involved, that maximum increases to $7,500 per violation.
Businesses that fail to comply could also be subject to litigation from consumers or the state of California.
Stay Compliant Now and Later With DataGrail
Understanding the requirements of the CCPA and how they compare with those to come from the CPRA can be confusing, but it doesn’t have to be. You can achieve CCPA compliance now and prepare to meet CPRA requirements before they take effect in 2023 with help from DataGrail.
DataGrail was purpose-built specifically to help businesses simplify and comply with data privacy laws such as CCPA/CPRA and GDPR.
DataGrail’s 300+ pre-built connectors enable you to quickly discover business systems with personal data, map and inventory that data in real time, and automate the processes required to comply with consumer requests, all while keeping detailed compliance logs of activities.
Our platform was designed with the flexibility to scale and adapt as new regulations emerge over time to give you peace of mind that your business is continuously compliant.
Ready to explore how DataGrail’s services can help your business? Request a demo today.
California Legislative Information. California Consumer Privacy Act of 2018. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
Office of the Attorney General (California). California Consumer Privacy Act Regulations. https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf
State of California Department of Justice. California Consumer Privacy Act. (CCPA) https://oag.ca.gov/privacy/ccpa