As the United States' first comprehensive data privacy law, the California Consumer Privacy Act (CCPA) is a landmark piece of legislation. It promotes transparency on the part of businesses and gives Californians more control over how their personal data is collected, used, and sold.
Here are the CCPA's key features at a glance.
Want to learn more? Read our Complete CCPA Guide.
As a California law, the CCPA grants privacy rights to California residents ("consumers"), defined as:
It's an inclusive definition that does not require a business-customer relationship. Employees and job applicants are considered consumers, just like anyone else.
The CCPA's definition of a business is a for-profit entity that collects personal information, does business in California, and meets at least one of these three thresholds:
The third threshold requirement can be a bit deceptive. Under the CCPA’s definition, “sharing” personal information covers a lot of everyday activity, including the use of interest-based advertising. For example, when a customer clicks on a retargeting ad and makes a purchase, that revenue is “derived” from selling consumers’ personal information and should be included in this threshold calculation.
In some limited circumstances, the CCPA can also apply to nonprofit organizations.
Calculate If Your Business Meets the 100,000 Record Requirement
Calculate if Your Business Meets the 50% of Revenue Requirement
The CCPA only applies to "personal information", which is defined in the statute as:
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The key component to this expansive definition is the connection between the information and a particular person or household. Here are just a few examples of data that the CCPA considers to be personal information.
There are a few categories of data that are specifically not personal information. These include publicly available information and information collected in accordance with federal laws such as HIPAA, GLBA, and FCRA.
What is "Personal Information"?
CCPA Exemptions: Publicly Available Information
Under the CCPA, consumers have four distinct data privacy rights:
Responding to CCPA Privacy Requests
How to Verify a Consumer Request
The California Attorney General currently has the exclusive authority to enforce the CCPA. Any business thought to be in non-compliance must be given 30 days to cure any violations. After that period, violators can face injunctions and fines of up to $2,500 per violation or up to $7,500 per intentional violation.
Starting in 2023, the newly created California Privacy Protection Agency (CPPA) is primarily responsible for enforcement of the data privacy law. This first-of-its-kind state agency is already fully funded and is expected to significantly increase CCPA enforcement actions.
CCPA Enforcement and Penalties
The CCPA does not create a private right of action for consumers to sue businesses over violations of their privacy rights. However, it does create a private for consumers in the event of a data breach. According to the CCPA, consumers can sue a business if their nonencrypted and nonredacted personal information is subject to unauthorized access due to the business's failure to implement and maintain reasonable security procedures. Plaintiffs can recover statutory damages of up to $750 per consumer per incident, or actual damages, whichever is greater. This provision is likely to give rise to a new type of class-action lawsuit.
The CCPA takes a lot of inspiration from the European Union's General Data Protection Regulation (GDPR), but they are not identical. They use different definitions, have slightly different consumer rights, and are enforced differently. In many ways, the GDPR is more stringent, so businesses that are already compliant with the European law should find it easy to become CCPA compliant.
Becoming CCPA compliant requires an examination of your business's current data practices from every angle, as well as a complete understanding of how the law's various components work together. The process can be divided into four steps:
Getting Started with CCPA Compliance
CCPA compliance is a major project, but TrueVault US makes it much more manageable. Designed by attorneys, this innovative automation tool guides your team through every step, helping you reach compliance in less time and with less expense. Contact us today to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.