What Is the California Consumer Privacy Act (CCPA)?


As the United States' first comprehensive data privacy law, the California Consumer Privacy Act (CCPA) is a landmark piece of legislation. It promotes transparency on the part of businesses and gives Californians more control over how their personal data is collected, used, and sold.

For consumers, this means a business's privacy policy must spell out what personal information is being collected, why it is collected, and whether that information is disclosed to other parties. Consumers also have the right to make certain privacy requests: requests to know what personal information has been collected, requests to delete that information, and requests to opt out of the sale of their personal information.

For businesses, being CCPA compliant means honoring these consumer privacy rights. They must carefully examine their data collection and usage practices, make all the necessary disclosures in their privacy policy, and respond to privacy requests in a way that meets all legal requirements. They must also implement and maintain reasonable security procedures to prevent data breaches; as explained in the private right of action section below, a breach of unencrypted personal information caused by the absence of such procedures exposes a business to direct lawsuits by consumers.

Here are the CCPA's key features at a glance.

Want to learn more? Read our Complete CCPA Guide.

Who Has Rights Under the CCPA?

As a California law, the CCPA grants privacy rights to California residents ("consumers"), defined as:

  • Every individual who is in the state for other than a temporary or transitory purpose
  • Every individual domiciled in the state who is outside the state for a temporary or transitory purpose

It's an inclusive definition that does not require a business-customer relationship. Employees and job applicants are considered consumers, just like anyone else.

Which Businesses Must Follow the CCPA?

The CCPA's definition of a business is a for-profit entity that collects personal information, does business in California, and meets at least one of these three thresholds:

  1. Gross annual revenue in excess of $25 million
  2. Annually buys, sells, or shares the personal information of 100,000 or more consumers or households
  3. Derives more than 50% of its annual revenues from selling or sharing consumers' personal information

The third threshold can be deceptive. Under the CCPA's definition, "sharing" personal information covers a lot of everyday activity, including the use of interest-based (cross-context behavioral) advertising. For example, when a customer clicks on a retargeting ad and makes a purchase, that revenue is "derived" from selling or sharing consumers' personal information and should be included in the threshold calculation.

In some limited circumstances, the CCPA can also apply to nonprofit organizations.


Read more:

Calculate If Your Business Meets the 100,000 Record Requirement

Calculate if Your Business Meets the 50% of Revenue Requirement

What is Considered Personal Information?

The CCPA only applies to "personal information", which is defined in the statute as:

Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The key component to this expansive definition is the connection between the information and a particular person or household. Here are just a few examples of data that the CCPA considers to be personal information.

  • Names, email addresses, Social Security numbers, IP addresses, and other similar identifiers
  • Geolocation data
  • Biometric information
  • Browsing history, search history, interactions with a website, and other internet activity
  • Protected classifications such as race, gender, and sexual orientation
  • Employment-related information

A few categories of data are specifically excluded from the definition. These include publicly available information and information already governed by federal laws such as HIPAA, GLBA, and FCRA.

Read more:

What is "Personal Information"?

CCPA Exemptions: Publicly Available Information

CCPA Exemptions: HIPAA, GLBA, and FCRA

What Rights Do Consumers Have?

Under the CCPA, consumers have six distinct data privacy rights:

  1. Right to Know - This covers both the disclosures that businesses must make in their privacy policy and the consumer's right to request a report on what personal information a business has collected about them.
  2. Right to Delete - Upon request, businesses must delete any personal information that doesn't fall under an exception, such as information that is deidentified or aggregated.
  3. Right to Opt Out - If a business sells or shares consumers' personal information, then consumers have the right to opt out of that sale or sharing. These businesses must also include a "Do Not Sell or Share My Personal Information" link on their homepage.
  4. Right to Non-Discrimination - Businesses can't treat consumers differently for exercising their CCPA rights, such as by providing a different level or quality of goods or services or charging a different price.
  5. Right to Correct Inaccurate Personal Information - Businesses are required to use "commercially reasonable efforts" to correct information as directed by the consumer.
  6. Right to Limit Use and Disclosure of Sensitive Personal Information - Consumers have the right to limit the use of their sensitive personal information to what is necessary to perform the services or provide the goods they requested.

Read more:

CCPA Consumer Rights

Responding to CCPA Privacy Requests

How to Verify a Consumer Request

What is a "Sale" of Personal Information?

How Is the CCPA Enforced?

Until 2023, the California Attorney General had the exclusive authority to enforce the CCPA, and any business thought to be in non-compliance had to be given 30 days to cure violations before an action could be brought. Violators can face injunctions and civil penalties of up to $2,500 per violation or up to $7,500 per intentional violation.

Since 2023, the newly created California Privacy Protection Agency (CPPA) has had administrative enforcement authority alongside the Attorney General and is primarily responsible for enforcing the law. The mandatory 30-day cure period no longer applies; whether a business has cured a violation is now only a factor regulators may consider. This first-of-its-kind state agency is fully funded and is expected to significantly increase CCPA enforcement actions.

Read more:

CCPA Enforcement and Penalties

The California Privacy Protection Agency

Does the CCPA Have a Private Right of Action?

The CCPA does not create a private right of action for consumers to sue businesses over violations of their privacy rights. However, it does create a private right of action for consumers in the event of a data breach. Under the CCPA, consumers can sue a business if their nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices. Plaintiffs can recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. Because the statutory damages apply regardless of provable harm, this provision has given rise to a new type of class-action lawsuit, and the "nonencrypted and nonredacted" qualifier makes encryption of stored personal information a direct litigation defense, not just a best practice.

Read more:

CCPA Private Rights of Action

Is CCPA the Same as GDPR?

The CCPA takes a lot of inspiration from the European Union's General Data Protection Regulation (GDPR), but they are not identical. They use different definitions, grant slightly different consumer rights, and are enforced differently. In many ways the GDPR is more stringent, so businesses that are already compliant with the European law should find CCPA compliance comparatively straightforward, though not automatic.

Read more:

Getting CCPA Compliant

Learn GDPR


How to Prepare Your Business for CCPA Compliance

Becoming CCPA compliant requires an examination of your business's current data practices from every angle, as well as a complete understanding of how the law's various components work together. The process can be divided into four steps:

  1. Data Mapping - This is an in-depth analysis of where your business collects consumer data, how the information is stored, and when it is disclosed to outside parties. Your compliance team must also decide what data qualifies as personal information and what falls under the law's exceptions (publicly available information, HIPAA medical information, etc.).
  2. Classifying Vendors - Businesses must review their contracts with every vendor that receives consumers' personal information and determine whether the vendor qualifies as a CCPA service provider or contractor. Otherwise, the transfer may be considered a sale or sharing of personal information.
  3. Updating Privacy Policies - The CCPA requires businesses to tell consumers what information is being collected and how it is used, and to include all of it in their privacy policy. Though this step seems relatively straightforward, it can't be fully implemented until the previous two steps are completed.
  4. Responding to Consumer Requests - Depending on your business, consumer requests may be more or less frequent, but they all carry a number of rules and exceptions that businesses should be aware of, including verifying the requester's identity before disclosing or deleting data. Planning out responses in advance will help ensure they meet all of the legal requirements.

Read more:

Getting CCPA Compliant

Staying CCPA Compliant

Getting Started with CCPA Compliance

CCPA compliance is a major project, but TrueVault US makes it much more manageable. Designed by attorneys, this innovative automation tool guides your team through every step, helping you reach compliance in less time and with less expense. Contact us today to learn more.
