What is CCPA?
The California Consumer Privacy Act of 2018 (CCPA) is a privacy law designed to give consumers residing in the state of California more control over their personal data: how it’s collected and how it’s used by businesses.
According to CCPA, personal information includes:
- Personal identifiers, including names, addresses, IP addresses, email addresses, social security numbers, driver’s license numbers, and passport numbers;
- Personal property records, product and/or service purchases, as well as consumer histories or behavioral tendencies;
- Network activity data, which includes browsing or search history and website, application, or advertisement engagement;
- Geolocation information;
- Biometric data;
- Audio, olfactory, electronic, thermal, visual, or similar data;
- Employment-related data; and
- Educational data.
Overview of CCPA
For businesses with customers who reside in California, CCPA provides guidelines on how to implement the regulation and clearly specifies consumer privacy rights that must be observed, including:
- The right to know what personal information a business collects about them and how the business uses or shares that data;
- The right to delete any of the personal data that has been collected from them (with a few exceptions);
- The right to opt out of the sharing or sale of their personal data; and
- The right to non-discrimination for exercising the rights given to them by CCPA.
In addition to adhering to these rights, businesses are also required to create and supply customers with certain notices detailing their privacy practices.
What are the requirements of CCPA?
To be compliant with CCPA, businesses must:
- Keep their privacy policies updated.
- Maintain a data inventory, as well as documentation of their data processing activities, and any other business processes, vendors, products, applications, or devices that handle or process consumer personal information.
- Implement and document the protocols in place to ensure consumers’ CCPA rights are upheld.
- Implement “reasonable” security protocols to protect consumer data. This includes assessing risk, identifying vulnerabilities, and mitigating high-risk gaps first.
- Update third-party contracts for any third-party companies who process your consumers’ data. This includes contractual clause language; requiring data inventories from vendors; using security questionnaires; documenting this process; requiring onsite audits; and mapping the specific data shared with each third party.
- Properly educate and train employees handling consumer data on CCPA requirements.
If “non-encrypted or non-redacted” consumer data is exposed due to a security failure, the consumer has the right to pursue legal action for damages ranging from $100 to $750 per infraction or actual damages, whichever is greater.
Additionally, the Attorney General may also pursue statutory fines in excess of $7,500 per infraction.
Who does CCPA apply to?
CCPA applies to for-profit companies that do business in California (or with California residents) and meet any of the following criteria:
- Earn a gross annual revenue over $25 million;
- Purchase, receive, or sell the personal data of 50,000 or more California residents, households, or their devices; or
- Derive 50% or more of their annual revenue from the sale of California consumers’ personal data.
CCPA vs GDPR
One of the main differences between CCPA and GDPR is the consumers it impacts. While CCPA applies to businesses that target companies or residents of the state of California, GDPR applies to businesses that operate in the EU or with EU citizens.
Furthermore, while GDPR impacts all businesses doing business within the EU or with EU residents, CCPA only impacts for-profit businesses that meet the specified criteria, as explained above.
Additionally, GDPR broadly covers all personal data regardless of why or how it’s processed, with two exceptions:
- Data that is gathered manually and is not going to be filed; and
- Data that is collected by individuals for their personal use.
CCPA, however, is more specific about what types of information are protected and under what circumstances. In general, we could say that GDPR is broader and more strict than CCPA.
CCPA vs CPRA
In essence, the California Privacy Rights Act (CPRA) is a supplement to CCPA that modifies some of the privacy rights under CCPA. It was passed in 2020 and makes the following modifications to its predecessor:
- The right to opt-out of third-party sales and sharing: CPRA extends this right to include the sharing of their personal data, instead of just the sale of it.
- The right to know: CPRA extends the timeline provided in CCPA beyond the prior 12-month period.
- The right to delete: CPRA extends this requirement and mandates that businesses route the request to third parties that have also received or purchased the consumer’s personal data.
- The right to data portability: Under CPRA, consumers can ask to have their data routed to another party “to the extent technically feasible, in a structured, commonly used, machine-readable format.”
- Opt-in rights for minors: CPRA now requires businesses to wait a year before asking a minor for consent to share or sell their personal data after they have declined.
CPRA also introduces new privacy rights, including:
- The right to correct information;
- The right to limit the use and disclosure of sensitive personal information;
- The right to access information about automated decision-making; and
- The right to opt out of automated decision-making technology.
- CCPA applies to businesses that meet certain criteria and do business in California or with California residents.
- CCPA provides certain rights to California consumers including the right to know, the right to delete, the right to opt-out, and the right to non-discrimination.
- CCPA requires businesses to meet certain requirements around their privacy policies, as well as to implement reasonable security controls to protect consumer data.
- Violations of a consumer’s CCPA rights can result in fines of up to $7,500 per violation.