Inspired by Europe’s GDPR, the CCPA is the most substantial statewide privacy law change in a generation. Thanks to the CCPA, Californians can now ask to see all kinds of personal information that a business operating in the state holds on them.
Large companies like Microsoft have created self-service privacy dashboards where users can access all the relevant CCPA information. Many other companies, however, are lagging behind. With hefty fines and lawsuits as the consequences of non-compliance, it’s vital your company adopts the necessary changes before it’s too late.
What is the CCPA?
The CCPA (aka AB 375) is the California Consumer Privacy Act. It’s a new privacy law (on top of GDPR compliance) that lets Californians demand to see all the personal information a company has saved on them, as well as a full list of third parties with whom their data has been shared.
The CCPA became effective on January 1, 2020, but consumers have the right to request all the data a company has collected on them over the previous 12 months. This means companies need to have had the necessary data privacy tracking systems in place since the start of 2019.
Who Does the CCPA Protect?
The law protects all California residents by giving them a higher level of ownership over their consumer data. A California resident is defined by the CCPA as anyone in California for more than “a temporary or transitory purpose” and anyone “domiciled in the state” but outside of the state for a “temporary or transitory purpose.” So, for example, a consumer who is from California but out of state for college, would still be covered by the CCPA.
Who Does the CCPA Apply To?
Unlike the GDPR, the CCPA doesn’t apply to everyone. Businesses are only subject to the CCPA if one or more of the following three statements are true.
- The business has a gross annual revenue of $25 million or more.
- The business annually buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices, including biometric data.
- The business derives 50% or more of its annual revenue from selling consumers’ personal information.
The CCPA applies to all businesses serving California residents, whether the business is based in California or not. And, if a business handles the personal information of more than 4 million consumers, then it will be subject to some additional obligations, regardless of its annual gross revenue.
Notable exceptions to the CCPA include insurance institutions, agents, and support organizations, as they’re already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).
Definition of Personal Information
With ‘personal information’ at the core of the CCPA, we must break down exactly which specific pieces of personal information fall within this category. It’s a wide-ranging list and includes:
- Identifiers such as name, alias, postal address, username, password, email address, social security number, driving license number or passport number
- Characteristics of protected classifications under California or federal law such as race, religion, sex/gender, and sexual orientation
- Commercial information such as records of personal property and products purchased, obtained, or considered
- Biometric information
- Internet browsing history, search history, and information regarding a consumer’s interaction with websites, apps, or ads
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Employment data
- Education data (that’s not publicly available)
- Any inference that could be used to create a consumer profile such as preferences, characteristics, predispositions, behavior, intelligence, or aptitudes
CCPA Consumer Rights
The CCPA grants four new privacy rights to Californians. They are:
- The Right to Know
Consumers have the right to know what personal information a business has collected, used, shared, or sold. The business needs to be able to provide every specific piece of personal information it has gathered, not just the categories.
Businesses have 45 days to respond to consumer requests regarding the sale of personal information. And, the consumer’s personal information provided has to cover the previous 12 months.
- The Right to Delete
Consumers have the right to demand that businesses delete all the personal information that they, or any of their associated companies, hold for business purposes. Businesses need to have mechanisms in place to remove a user’s information from the data sold to third parties. If that’s not possible, they shouldn’t sell the data at all.
- The Right to Opt Out
Consumers have the right to opt out of the sale of their personal information for commercial purposes. The situation is a bit more complicated when it comes to children: under-16s must provide opt-in consent, while under-13s must have the consent of a parent or guardian.
- The Right to Non-Discrimination
Consumers have the right to non-discrimination: businesses can’t charge different prices or offer different levels of service to those who exercise their rights under the CCPA.
CCPA Penalties
Unintentional violators face a $2,500 fine, while intentional violators will have to cough up $7,500. Businesses have 30 days to comply with the rules once notified by authorities or the heftier of the two fines is levied.
Individuals have the right to sue businesses that don’t comply with the law. If violations aren’t rectified within 30 days of a written complaint, and the California Attorney General declines to prosecute, then a business could be hit with a class-action suit.
Differences between CCPA and GDPR
CCPA vs. GDPR: If you're compliant with one regulation are you compliant with the other? TLDR: Somewhat. This article goes into depth on the similarities and differences between CCPA and GDPR, but we'll summarize it for you here.
The CCPA is California’s answer to the EU’s GDPR (General Data Protection Regulation). Both aim to guarantee strong protection for individuals regarding their data. And, both apply to businesses that collect, use, or share personal information. Like the GDPR, the CCPA’s impact will be felt worldwide, given California’s status as the fifth largest global economy. Here are five of the most significant differences:
- The CCPA protects “consumers”, who are people who reside in California. The GDPR focuses on “data subjects”, and that includes anybody whose personal data is being collected, held, or processed, regardless of whether they are an EU citizen or not.
- The GDPR guards against breach of “personal information”, which includes any information, documents, or electronic data relating to an identified person. The CCPA guards against a breach of “personal data”, which includes any information linked to a specific consumer or household. The household data doesn’t have to be connected to an individual.
- Under the CCPA, businesses must give consumers the right to opt out of the sale of their personal information. Under the GDPR, there are no such restrictions on the sale of personal data, provided businesses are complying with the principles of the GDPR.
- The GDPR applies to every person or business that has the means of processing personal data. The CCPA only affects companies of a certain size.
- The GDPR mandates penalties for non-compliance and data breach of up to 4% of a company’s global turnover or 20 million euros (whichever is higher). The CCPA fines are applied per violation (up to $7,500).
How You Should Prepare for the CCPA: CCPA Compliance Checklist
- Update Privacy Notices and Policies
Your privacy policy must be updated every 12 months to comply with the California Consumer Privacy Act and should include:
- A description of the new rights afforded California residents
- The methods for submitting a personal information or erasure request
- A link to an opt-out page on the website
- The types of personal information collected in the past 12 months
- The types of personal information sold in the past 12 months
- The types of personal information disclosed for a business purpose in the past 12 months
- The categories of sources for each piece of personal data
- The purpose of use for each category of collected information
- Update Data Strategies, Inventories, and Business Processes
Data inventories are directories for managing sensitive data throughout a business. These inventories have to be well managed and maintained to be CCPA-compliant. If your business is already GDPR compliant, then its data inventory will mostly be sufficient for the CCPA’s privacy regulations. Still, there are a few columns that will have to be added to the offline data inventory or data inventory web page. These include:
- Identifying data uses that involve the “sale” of information
- Identifying categories of information that are transferred to third parties
- Identifying categories of personal information that are covered by HIPAA, the FCRA, or another law that would exempt the data from the CCPA’s scope
- Identifying if the data was collected more than 12 months ago and, thus, is potentially exempt
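To show what those extra inventory columns buy you in practice, here is an added example (not code from this article or any vendor) of a minimal inventory record carrying the sale flag, third-party recipients, exempting law, and collection date, plus a function that assembles a Right to Know response from it: specific pieces rather than categories, limited to the previous 12 months, with statute-exempt records left out. The field names and the sample rows are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical inventory row with the CCPA-specific columns the checklist above calls for.
@dataclass
class InventoryEntry:
    consumer_id: str
    category: str                       # e.g. "identifiers", "geolocation"
    value: str                          # the specific piece of personal information
    collected_on: date
    sold: bool = False                  # does a data use involve a "sale"?
    shared_with: List[str] = field(default_factory=list)   # third-party recipients
    exempting_law: Optional[str] = None # e.g. "HIPAA", "FCRA": outside the CCPA's scope

def in_lookback(entry: InventoryEntry, as_of: date, days: int = 365) -> bool:
    """A request covers the 12 months before it was made; older records are potentially exempt."""
    return entry.collected_on >= as_of - timedelta(days=days)

def right_to_know(inventory: List[InventoryEntry], consumer_id: str, as_of: date) -> dict:
    """Build the response: every specific piece in scope, the categories that were sold,
    and the full list of third parties the consumer's data was shared with."""
    pieces, sold, third_parties = [], set(), set()
    for e in inventory:
        if e.consumer_id != consumer_id:
            continue
        if e.exempting_law or not in_lookback(e, as_of):
            continue                    # carved out by another statute, or older than 12 months
        pieces.append((e.category, e.value))
        if e.sold:
            sold.add(e.category)
        third_parties.update(e.shared_with)
    return {"pieces": pieces, "categories_sold": sorted(sold), "third_parties": sorted(third_parties)}

# Constructed sample inventory (not real consumer data).
SAMPLE = [
    InventoryEntry("c1", "identifiers", "jane@example.com", date(2020, 3, 1), sold=True, shared_with=["AdNetworkA"]),
    InventoryEntry("c1", "geolocation", "37.77,-122.41", date(2019, 12, 15), shared_with=["AnalyticsB"]),
    InventoryEntry("c1", "identifiers", "old-handle", date(2018, 10, 1)),                  # older than 12 months
    InventoryEntry("c1", "employment", "credit report", date(2020, 2, 1), exempting_law="FCRA"),
    InventoryEntry("c2", "identifiers", "bob@example.com", date(2020, 1, 5)),               # another consumer
]

if __name__ == "__main__":
    print(right_to_know(SAMPLE, "c1", date(2020, 6, 1)))
```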
- Use Protocols to Ensure Consumer Rights
The CCPA crystallizes certain consumer rights (discussed above; see “CCPA Consumer Rights”), and a business must have protocols in place to ensure that these rights are granted.
At a minimum, businesses have to provide a toll-free telephone number and an “interactive webform” that handles access requests and opt-out requests. A clearly labeled “Do Not Sell My Personal Information” link must also be posted on the business’s homepage.
- Make Security Updates
Businesses covered by the CCPA must protect personal data with “reasonable” security. This means assessing threats to data within the organization, ranking the detected vulnerabilities in order of risk, and addressing the highest risks first. How far down the list your business goes depends on your budget and attitude to risk.
- Update Third-Party Contracts and Processor Agreements
When building a website, you'll likely use multiple vendors for CRM, analytics, CMS, and more. First, create a list of all the vendors, service providers, and other third parties that receive data from your organization. Then, update third-party contracts and processor agreements to include things like the provision of processing records, requirements for the syncing of consumer response processes, and more.
Third parties that have paid your business for information must go a step further. They should have processes in place to accommodate consumer requests to opt out of sales and make it easy to delete the relevant data.
Ensure that all vendors are CCPA compliant and have a disclosure confirming that they are compliant. If they process or hold any PII, be aware of their processes and how they house, distribute, or sell consumer data. Better yet: select a CMS that allows you to fully own your customers’ data, which will help ensure your compliance.
- Educate Employees
Ensure that employees have the necessary training to make sense of the CCPA requirements. Not only will this protect a business against fines, it’s required by law. Employees handling consumer inquiries must have good knowledge of the statute and know how to direct consumers to exercise their rights.
This may seem like a lot to add to your to-do list, but we've made it easier to manage. Download the checklist for a printable PDF to keep track of your CCPA readiness!