This blog post was updated on June 24, 2024
It was originally published on December 1, 2019
The California Consumer Privacy Act (CCPA) takes a broad view of what constitutes private data in its pursuit of empowering consumers by giving them ownership of their data, which companies have stored. At the same time, it holds businesses responsible for the security of the personal information they possess. Typically, the key CCPA compliance challenge for businesses includes identifying, locating, and securing that data.
This blog post aims to help you gain a firm understanding of CCPA so that you can become CCPA-compliant while maintaining a balance between privacy and business efficiency.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a California state statute that aims to give consumers greater control over their data, which is stored or shared by companies. The bill also intends to make the companies more accountable for consumer data security and handling.
The CCPA seeks to strengthen the privacy rights of consumers residing in California, United States. The bill, officially called AB-375, was passed and signed into law on June 28, 2018.
Key CCPA Terms And Definitions You Need To Know
Here’s a list of key terms and definitions that will help you better understand the CCPA:
Business — A for-profit organization that meets the criteria to be covered by the CCPA (covered later in this blog post).
Consumer — A person who is a California resident.
California resident — A natural person whose permanent home is in California or who is in the state for anything other than a temporary or transitory purpose.
Collection — “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.”
Selling — “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating by any means” a consumer’s personal information to any party in exchange for any kind of compensation.
Data breach — An instance of an unauthorized party gaining access to unencrypted and unredacted sensitive personal information, which may harm consumers, as a result of a business’s failure to implement and maintain reasonable security procedures and practices.
What does CCPA do?
The CCPA gives consumers in California robust privacy rights, giving them more control over the personal information that businesses collect. Here are the key privacy rights enshrined in the CCPA for consumers:
It gives consumers ownership of their personal information that a business collects about them. They have the right to know about the personal information collected, how it is used, and shared.
They have the right to opt-out, i.e. they can direct a business not to sell or share their personal information.
They also have the right to have the personal information collected from them deleted, with some exceptions.
It protects consumers from being discriminated against if they exercise their right to opt out.
The CCPA was amended in November 2020 to include additional privacy protections that began on January 1, 2023. These new rights include:
The right to correct inaccurate information that a business has about them, and
The right to limit the use and disclosure of sensitive information collected about them.
When will the CCPA become applicable?
The CCPA took effect on January 1, 2020. However, businesses were expected to have their data tracking systems by the beginning of 2019. This is because consumers could ask to access all their personal information collected over the preceding 12 months.
What does CCPA mean by personal data?
According to CCPA personal information is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes identifiers such as a real name, alias, postal address, IP address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
Personal information also includes the inferences drawn from any of the above information to create consumer profiles that reflect their preferences, characteristics, behavior, etc. Personal information, however, does not include publicly available information, i.e. information available and maintained from government records.
does CCPA apply to my Company?
The CCPA applies to any business that does business in California that satisfies any one of the following criteria:
Has annual gross revenues of more than twenty-five million dollars ($25,000,000);
Collects or sells the personal information of 100,000 or more consumers, or households; or
Earns 50% or more of its annual revenue from selling the personal information of consumers.
The CCPA also applies to data brokers, i.e. those business that collect and sell to third parties the personal information consumers with whom they do not have a direct relationship. Such businesses typically source information from various sources, including websites, other businesses, and public records.
What happens if my business isn’t compliant with the CCPA?
If a consumer wishes to file a private right of action (“PRA”) against a business that has violated the CCPA, they need to provide the business 30 days’ written notice of the violation. Companies get a 30-day window to comply with the law after they are notified of a violation. Failing to comply within the time frame will result in a penalty. A business will have to pay a fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation.
Companies that suffer a data theft or other forms of data breaches can be ordered to pay damages between $100 to $750 per incident or actual damages, whichever is greater. This would be in addition to any other relief the court deems proper.
CCPA vs. GDPR?
The first point of difference is the scope of these respective laws. While the CCPA applies to businesses collecting data from California residents, the GDPR (General Data Protection Regulation applies to organizations collecting and using the personal data of EU residents.
As far as the law itself is concerned, the main difference between CCPA and GDPR lies in their definitions of personal information. While CCPA excludes personal data that was purchased by or acquired through third parties from its definition of personal information, GDPR doesn’t make that distinction.
Another difference between them is that the CCPA gives customers much greater access to their personal records saved by a business. A California consumer has the right to find out what information the company collects about them, whether it is sold, if yes, to whom, and if it was sold over the past 12 months, the company must give the names and addresses of the third parties they sold the data to. The company will have just 45 days to furnish this comprehensive report.
So, even if your business is GDPR compliant, you still have some way to go to become CCPA compliant, as you need to meet additional requirements regarding data handling, access, and security.
How can my company Become CCPA compliant?
Here are the steps you need to take to get your business on the path to CCPA compliance:
1. Identify and inventory the personal information your business collects.
Make sure that the personal information you inventory is as defined by CCPA. It has a very broad definition of personal data that includes such data as the browsing history, search history, and interactions with your website, app, or advertisement.
2. Clearly define how you are sending personal information to other entities
CCPA requires a business to give consumers an option to opt-out of the sale of their personal information. Consumers can request companies to disclose what information it collects about them, whether it is sold, if yes, to whom, and if it was sold over the past 12 months, the company must give the names and addresses of the third parties they sold the data to. The sale doesn’t need to include the exchange of money. Any transfer of personal information in exchange for something of value constitutes a sale and would necessitate providing an opt-out option for consumers.
How CCPA defines a business can also present challenges for some companies. For instance, if your affiliates do not share common branding with your business, they can be considered a separate business. In such a case, data sharing with such an affiliate would constitute a sale, hence requiring an opt-out option for consumers.
3. Prepare processes for executing access and deletion requests.
CCPA grants consumers the ownership of their personal information that companies store. So, businesses need to be able to access and delete all such personal information upon the request of the consumer. The law requires businesses to make available at least two methods for consumers to request access to their personal information.
The ability of your business to respond quickly to such requests is critical as such requests come with a time frame. Failing to comply with the time frame can result in penalties. Not only will your business need to locate the personal information of the requester stored across multiple platforms, but you also need to verify the identity of the requester.
4. Review whether you collect personal data from children
Special consent is required if your business sells the personal information of consumers under the age of 16. If applicable, you will need to ensure that your compliance with the CCPA is aligned with the federal Children's Online Privacy Protection Act.
5. Review your company’s data security policy
The CCPA increases the responsibility of your company to safeguard the personal information of consumers stored in their databases. You will need to control the privacy of the personal information that flows between platforms, machines, or virtual environments.
This is a major challenge for all businesses, especially if the data is stored with cloud providers. Tightening your data security will minimize the frequency and severity of data-security-related litigations you may face.
6. Review your company’s IT security policy
Data security is relatively narrow in its focus. It deals with the protection of data from accidental or unauthorized modification, destruction or disclosure of data. It uses physical, administrative, logical controls, and other measures to limit access. But, vulnerabilities can arise out of elements that are outside the realm of data security.
Therefore, you also need to focus on IT security, which is concerned with protecting the data as well as the systems involved in moving, storing, and authenticating that data. This is a good time to conduct an IT security audit of your company. Your broader IT security policy should include data security, network security, and cybersecurity.
7. Stay up-to-date with changes to CCPA
The core tenets of the law are unlikely to change but it is still a work in progress. As CCPA starts getting implemented challenges may arise that require amendments. Updates may also arise from new federal laws and how CCPA interacts with them. Unsurprisingly many large tech companies such as Google and Facebook have been opposed to this law and some new dimensions may be brought up in the public hearing. So it is advisable to stay up-to-date with the law so that you can adapt to any changes efficiently.
How can Jones IT Help You With CCPA Compliance?
At Jones IT, we have a history of helping businesses comply with various regulatory and security standards. We also practice what we preach and maintain compliance with SOC 2 and ISO 27001. To help our current and future clients, we also publish compliance-related resources on our blog posts that you can freely access here: Compliance blog posts
We help your business implement and maintain robust security measures, processes, and practices to protect your data. In addition to data security measures and best practices, we also help improve the overall security posture of your organization, making it easier to become CCPA-compliant as well as mitigating the risks of data breaches and associated financial loss.
Conclusion
With the CCPA, California may be taking a bit of a visionary leap in the direction of consumer rights and privacy. In doing so, it has brought many challenges for companies, especially those that deal with consumer data. It is also curious that CCPA takes within its ambit a much broader view of what private data includes. This includes biometric information, browsing history, search history, interactions with the website, apps, or ads, audio, electronic, or visual information, professional, employment-related, or education information.
Although it appears to focus on large enterprises, its definition of a business includes any entity that “possesses the personal information of 50,000 or more consumers, households, or devices”. That figure isn’t that big if you consider that, in the United States, there will be 13.6 networked devices per capita by 2022.
So how can we tackle these challenges?
The most important action that you can take right now is to set your data security and IT security in order. CCPA requires you to "implement and maintain reasonable security procedures and practices" for protecting consumer data. Having a comprehensive IT security system in place will not only make you compliant but will also mitigate the risk of data breaches and resulting penalties.
If you liked the blog, please share it with your friends