What is CCPA & How to Comply with It?

By Anas Baig | Reviewed By Omer Imran Malik
Published أغسطس 14, 2023

  • The CCPA has garnered a lot of attention due to California's historical influence in prompting other states to adopt new and progressive legislation.
  • It is expected that many states will adopt CCPA-like legislation in the face of the global debate relating to data privacy regulation and protection.
  • Several drafts being considered by Congress for a Federal data privacy law are reportedly very similar to the CCPA.
    It was recently amended in November 2020 by the California Privacy Rights Act (CPRA), which provides additional obligations for covered entities and additional rights and protections to California consumers - the amendments will not come to force till January 1, 2023 though.

Here is an overview of this critical privacy regulation.

what is ccpa

What are the Rights Under the CCPA?

Consumers who are protected and provided rights under the CCPA are the estimated 40 million residents of California. These rights include:

What is California Consumer Privacy Act (CCPA)

Right to Notice

The right to notice requires an organization to provide consumers with notice of the company's practices regarding collecting, using, selling, and sharing personal information at or before the point of collection of their personal information.
What is California Consumer Privacy Act (CCPA)

Right to Erasure

The right to erasure gives consumers the right to request deleting all their data stored by the organization. Organizations are supposed to comply within 45 days and must deliver a report to the consumer confirming the deletion of their information.
What is California Consumer Privacy Act (CCPA)

Right to Opt-in for Minors

Personal information containing minors' personal information cannot be sold by a business unless the minor (age of 13 to 16 years) or the Parent/Guardian (if the minor is aged below 13 years) opt-ins to allow this sale. Businesses can be held liable for the sale of minors' personal information if they either knew or wilfully disregarded the consumer's status as a minor and the minor or Parent/Guardian had not willingly opted in.
What is California Consumer Privacy Act (CCPA)

Right to Continued Protection

Even when consumers choose to allow a business to collect and sell their personal information, businesses' must sign written contracts with service providers and/or any other entities who process the data on behalf of the company or are sold the business's data for a specific business purpose. Businesses must also transmit consumer’s opt-out requests to their service providers and associated third parties.
What is California Consumer Privacy Act (CCPA)

Right to Awareness

The privacy policies of businesses must necessarily specify consumers' erasure rights, collections and sales/disclosure of personal information, opt-in/opt-out rights for data sales, and privacy-based discrimination restrictions, consumer request metrics.
What is CCPA

Right to Sell

Businesses are allowed to offer financial incentives to consumers, including payment as compensation, for the sale/collection of their personal information as long as the consumers at all times are able to revoke this permission and request deletion of all previously collected or sold confidential information.
What is California Consumer Privacy Act (CCPA)

Right to Multiple Request Mechanisms

Businesses must provide consumers with a minimum of two designated methods/channels for submission of consumer requests for personal information disclosure, including a toll-free number. Companies that exclusively operate online and have a direct relationship with their consumers may provide only an email.
What is California Consumer Privacy Act (CCPA)

Right to No Discrimination

The CCPA strictly requires businesses not to discriminate against their consumers for exercising their rights under the CCPA. Companies are allowed to vary their services or change the price of goods and services if the difference in service or price is reasonably related to the value of the consumers' personal information to the business.
What is California Consumer Privacy Act (CCPA)

Right to Access

The right to access allows consumers to request organizations to disclose the following personal information:

  • Information collected about them within the last 12 months
  • Sources from where the data was collected
  • Business or commercial use of information
  • Categories of third parties with which the information is shared
  • Types of personal information that was sold or disclosed by the company
This all needs to be provided within 45 days of the request.
What is California Consumer Privacy Act (CCPA)

Right to Opt-out

The right to opt-out mandates businesses to set up a "Do Not Sell My Information" button on the company's website and implement procedures to comply with its corresponding requirements. A business cannot re-ask a consumer for consent if they have chosen to opt-out for a period of 12 months. Consumers also retain the right to opt-out of the sale of their personal information, even after permitting its sale to a business, if a third party that bought the personal information wishes to sell it to another party.

What is Personal Information Under CCPA?

The CCPA has given an expanded definition for the term 'Personal Information, which protects under the statute. Any information that identifies a particular consumer or household is considered 'Personal Information’.

THIS INCLUDES A HUGE VARIETY OF DATA SUCH AS:

Identifiers

(real names, alias, residential address, IP, email address, account name, social security number, driver's license number, passport number, etc.);

Professional or employment-related information

Information about employees from personal details, job title, contracts (if any), benefits, and any related professional data.

Commercial information

(records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies, etc.);

Education information

Information that the person presents can not be found publicly. This does not apply to publicly accessible educational information on the individual.

Biometric information

Biometrics is the technical term for body measurements and calculations. It refers to the metrics related to human characteristics to verify the identity or gain access.

Inferences are drawn from any of the information mentioned above to create a consumer profile

reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Internet or other electronic network activity information

(browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement, etc.);

Other information

includes geolocation, audio, electronic, visual, thermal, olfactory, or similar information that may be in possession of the organization.
Exceptions

The only exceptions are publicly available information (made public by federal or state authorities) or de-identified consumer information.

Who needs to comply?

If a for-profit entity which does business in California fulfills any one of the following three conditions, they are required to abide by the CCPA regulations.

who needs to comply

Has $25 million in gross annual revenue;

personal information

Obtains or shares personal information of at least 50,000 California residents, households, and/or devices per year;

personal info

At least 50% of their annual revenue is generated from selling California residents’ personal information.

Businesses on which the CCPA applies also include any entity run or controlled by a business or shares common branding with a business. No distinction has been made between domestic and foreign entities, and a foreign parent company with a controlling interest in a U.S.-based subsidiary would itself also be subject to the CCPA.

exempted organizations

There are few industries exempted from CCPA, that are already sufficiently covered under other privacy laws, such as:

Health providers and insurers that are already covered under HIPAA


Financial companies covered by Gramm-Leach-Bliley


Credit reporting agencies under the Fair Credit Reporting Act

california consumer privacy act

The CCPA is based on an opt-out cookie consent regime. Under the CCPA, the following are the requirements for a cookie banner:

  • Information about the use of cookies and their purposes
  • Notice of the right to opt-out of the sale of personal information
  • A link to organization’s privacy policy
  • Opt-in consent for the sale of personal information belonging to minors

What are the Compliance Risks?

Given the rising frequency and severity of privacy scandals and data breaches, CCPA has laid some strict penalties for businesses failing to comply. The penalties are:

civil penalties

Maximum civil penalties of $7,500 for intentional violations of the CCPA brought by the State of California through the Attorney General's Office. Businesses will have only 30 days to cure the violation upon being notified by the Attorney General’s office. Businesses will face financial penalties if they fail to cure the violation within that time.


penalties

Maximum civil penalties of $2,500 for unintentional violations brought by the State of California through the Attorney General's Office. Businesses will have only 30 days to cure the violation upon being notified by the Attorney General’s office. Businesses will face financial penalties if they fail to cure the violation within that time.


private lawsuits

Consumers can file private lawsuits from between $100 to $750 or for actual damages for each incident of breach of their unredacted and unencrypted data stored in a businesses' server. Companies will have only 30 days to cure the violation upon being served a notice by the consumer or will face civil penalties.

The law has come into force from July 1st, 2020, and it is expected that CCPA and other data privacy litigations will only increase in the coming years. The CPRA has already amended the CCPA and increased obligations on businesses and protections to consumers starting from 2023.

Automating privacy operations across your organization

The multi-disciplinary practice to grow trust-equity of your brand and comply with privacy regulations.

Get the Book

“By leveraging the PrivacyOps constructs from this book across our organization we were able to not only save time and money but also mitigate the risks associated with manual methods of privacy management.”

- Marty Collins, Chief Privacy and Legal Officer, QuinStreet, Inc

CCPA Compliance automation

Automating Compliance

Given the expanded definition of the term 'personal information and the tight time frame provided to businesses to respond to privacy disclosure, access, and deletion requests along with other requirements, complying with the CCPA can be very labor-intensive and costly.

Securiti's award-winning solution revolves around the concept of PrivacyOps, which utilizes robotic automation, artificial intelligence, and machine learning to automate compliance tasks, freeing up crucial resources for other areas of business.

Securiti helps businesses discover data over a wide range of internal and external systems, build a People Data Graph to link personal data to each individual, automate data access requests, assessments, consent management, and more.


Key facts

1

Nearly 500,00 organizations worldwide have been affected by the CCPA.

2

According to IAPP research, 95% of businesses are not prepared for the California Consumer Privacy Act.

3
The CCPA fines are a maximum of $7,500 per violation with no upper cap.
4
CCPA exempts organization complying with the following:
  • HIPAA
  • Gramm-Leach-Bliley
  • Fair Credit Reporting Act
5

Securiti uses award-winning automation, machine learning, and AI to help reduce costs, liabilities, and human effort while helping your business comply effortlessly.


Key Takeaways:

  1. Introduction of CCPA and CPRA: The CCPA, effective from January 1, 2020, with enforcement starting July 1, 2020, represents significant data privacy legislation in the U.S., akin to the EU's GDPR. The CPRA, an amendment to the CCPA passed in November 2020, adds further obligations and consumer rights, effective from January 1, 2023.
  2. Consumer Rights under CCPA: The CCPA grants California residents rights regarding their personal information, including the rights to notice, erasure, opt-in for minors, protection post-consent, awareness, data sale, multiple request mechanisms, non-discrimination, access, and opt-out of data sales.
  3. Definition of Personal Information: Under the CCPA, 'Personal Information' encompasses a broad range of data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
  4. Compliance Criteria: For-profit entities doing business in California must comply with the CCPA if they meet any of the following: annual gross revenues exceed $25 million; buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices annually; or derive 50% or more of their annual revenues from selling California residents' personal information.
  5. Exemptions: Certain organizations, such as health providers under HIPAA, financial institutions under Gramm-Leach-Bliley Act, and credit reporting agencies under the Fair Credit Reporting Act, are exempt from the CCPA.
  6. Cookie Law Compliance: The CCPA requires an opt-out regime for cookies, necessitating notices about cookie use, the right to opt-out of personal information sales, a privacy policy link, and opt-in consent for minors' information sales.
  7. Penalties for Non-Compliance: The CCPA imposes penalties for non-compliance, including civil penalties up to $7,500 for intentional violations and $2,500 for unintentional violations. Consumers can also file private lawsuits for data breaches, with damages ranging from $100 to $750 per incident.
  8. Automating Compliance with Securiti: Given the broad definition of personal information and the operational challenges in managing privacy requests and compliance, Securiti offers solutions based on PrivacyOps. This approach uses robotic automation, AI, and machine learning to automate compliance tasks, streamline privacy operations, and reduce the manual labor and costs associated with CCPA compliance.

Frequently Asked Questions (FAQs)

CCPA stands for the "California Consumer Privacy Act." It's a comprehensive data privacy law enacted in California, USA, designed to give California residents greater control over their personal information held by businesses.

GDPR and CCPA are two distinct privacy regulations. GDPR is the General Data Protection Regulation, a European Union regulation governing data protection and privacy for individuals within the EU. CCPA, on the other hand, is a state level law that provides privacy rights to residents of California, USA.

There isn't a specific "CCPA Protection Act." Instead, the privacy rights of Californians are primarily governed by CCPA and the California Privacy Rights Act (CPRA). The CPRA has further developed and expanded the CCPA by introducing additional requirements, enhancing consumer privacy rights, and establishing the California Privacy Protection Agency (CPPA) as the primary regulatory authority responsible for implementing and enforcing both the CPRA and the CCPA.

Share

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

What's
New