
What is California Consumer Privacy Act (CCPA)

After the promulgation of the General Data Protection Regulations (GDPR) in the European Union (EU), the California Consumer Privacy Act (CCPA) was the next data privacy regulation that had a significant impact for organizations all across the world.

The CCPA is a data privacy law that mandates companies to become better custodians of their consumers' personal information and is often seen as the U.S. counterpart of the GDPR. The law came into effect on January 1, 2020 and has been enforced from the 1st of July 2020.


  • The CCPA has garnered a lot of attention due to California's historical influence in prompting other states to adopt new and progressive legislation.
  • It is expected that many states will adopt CCPA-like legislation in the face of the global debate relating to data privacy regulation and protection.
  • Several drafts being considered by Congress for a federal data privacy law are reportedly very similar to the CCPA.

The CCPA was recently amended in November 2020 by the California Privacy Rights Act (CPRA), which provides additional obligations for covered entities and additional rights and protections for California consumers; the amendments do not come into force until January 1, 2023, though.

Here is an overview of this critical privacy regulation.


What are the Rights Under the CCPA?

Consumers who are protected and provided rights under the CCPA are the estimated 40 million residents of California. These rights include:

Right to Notice

The right to notice requires an organization to provide consumers with notice of the company's practices regarding collecting, using, selling, and sharing personal information at or before the point of collection of their personal information.

Right to Erasure

The right to erasure gives consumers the right to request deletion of all their data stored by the organization. Organizations are expected to comply within 45 days and must deliver a report to the consumer confirming the deletion of their information.

Right to Opt-in for Minors

Personal information belonging to minors cannot be sold by a business unless the minor (aged 13 to 16 years) or the parent/guardian (if the minor is aged below 13 years) opts in to allow the sale. Businesses can be held liable for the sale of minors' personal information if they either knew or wilfully disregarded the consumer's status as a minor and the minor or parent/guardian had not willingly opted in.

Right to Continued Protection

Even when consumers choose to allow a business to collect and sell their personal information, businesses must sign written contracts with service providers and/or any other entities that process the data on behalf of the company or that are sold the business's data for a specific business purpose. Businesses must also transmit consumers' opt-out requests to their service providers and associated third parties.

Right to Awareness

The privacy policies of businesses must specify consumers' erasure rights, the collection and sale/disclosure of personal information, opt-in/opt-out rights for data sales, restrictions on privacy-based discrimination, and consumer request metrics.

Right to Sell

Businesses are allowed to offer financial incentives to consumers, including payment as compensation, for the sale/collection of their personal information, as long as consumers are able at all times to revoke this permission and request deletion of all previously collected or sold confidential information.

Right to Multiple Request Mechanisms

Businesses must provide consumers with a minimum of two designated methods/channels for submission of consumer requests for personal information disclosure, including a toll-free number. Companies that exclusively operate online and have a direct relationship with their consumers may provide only an email.

Right to No Discrimination

The CCPA strictly requires businesses not to discriminate against their consumers for exercising their rights under the CCPA. Companies are allowed to vary their services or change the price of goods and services if the difference in service or price is reasonably related to the value of the consumers' personal information to the business.

Right to Access

The right to access allows consumers to request organizations to disclose the following personal information:

  • Information collected about them within the last 12 months
  • Sources from where the data was collected
  • Business or commercial use of information
  • Categories of third parties with which the information is shared
  • Types of personal information that was sold or disclosed by the company
All of this must be provided within 45 days of the request.

Right to Opt-out

The right to opt-out mandates that businesses set up a "Do Not Sell My Information" button on the company's website and implement procedures to comply with its corresponding requirements. A business cannot re-ask a consumer for consent for a period of 12 months after they have opted out. Consumers also retain the right to opt out of the sale of their personal information, even after permitting its sale to a business, if a third party that bought the personal information wishes to sell it to another party.

What is Personal Information Under CCPA?

The CCPA gives an expanded definition of the term 'Personal Information', which is protected under the statute. Any information that identifies a particular consumer or household is considered 'Personal Information'.

This includes a huge variety of data such as:

Identifiers

(real names, alias, residential address, IP, email address, account name, social security number, driver's license number, passport number, etc.);

Professional or employment-related information

Information about employees, from personal details and job title to contracts (if any), benefits, and any related professional data.

Commercial information

(records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies, etc.);

Education information

Education information about the person that cannot be found publicly. This does not apply to publicly accessible educational information on the individual.

Biometric information

Biometrics is the technical term for body measurements and calculations. It refers to the metrics related to human characteristics to verify the identity or gain access.

Inferences drawn from any of the information above

Inferences drawn from any of the information mentioned above to create a consumer profile reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Internet or other electronic network activity information

(browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement, etc.);

Other information

Includes geolocation, audio, electronic, visual, thermal, olfactory, or similar information that may be in the possession of the organization.

Exceptions

The only exceptions are publicly available information (made public by federal or state authorities) or de-identified consumer information.

Who needs to comply?

A for-profit entity that does business in California and fulfills any one of the following three conditions is required to abide by the CCPA regulations:

  • Has $25 million in gross annual revenue;
  • Obtains or shares personal information of at least 50,000 California residents, households, and/or devices per year;
  • Generates at least 50% of its annual revenue from selling California residents' personal information.

Businesses to which the CCPA applies also include any entity run or controlled by such a business, or that shares common branding with it. No distinction is made between domestic and foreign entities, and a foreign parent company with a controlling interest in a U.S.-based subsidiary would itself also be subject to the CCPA.

Exempted Organizations

A few industries are exempted from the CCPA because they are already sufficiently covered under other privacy laws, such as:

  • Health providers and insurers that are already covered under HIPAA
  • Financial companies covered by Gramm-Leach-Bliley
  • Credit reporting agencies under the Fair Credit Reporting Act


Cookie Law Under CCPA

The CCPA is based on an opt-out cookie consent regime. Under the CCPA, the following are the requirements for a cookie banner:

  • Information about the use of cookies and their purposes
  • Notice of the right to opt-out of the sale of personal information
  • A link to the organization's privacy policy
  • Opt-in consent for the sale of personal information belonging to minors

What are the Compliance Risks?

Given the rising frequency and severity of privacy scandals and data breaches, the CCPA lays down strict penalties for businesses that fail to comply. The penalties are:

Maximum civil penalties of $7,500 for intentional violations of the CCPA brought by the State of California through the Attorney General's Office. Businesses will have only 30 days to cure the violation upon being notified by the Attorney General’s office. Businesses will face financial penalties if they fail to cure the violation within that time.

Maximum civil penalties of $2,500 for unintentional violations brought by the State of California through the Attorney General's Office. Businesses will have only 30 days to cure the violation upon being notified by the Attorney General’s office. Businesses will face financial penalties if they fail to cure the violation within that time.

Consumers can file private lawsuits for between $100 and $750, or for actual damages, for each incident of breach of their unredacted and unencrypted data stored on a business's server. Companies will have only 30 days to cure the violation upon being served a notice by the consumer or will face civil penalties.

The law has been in force since July 1st, 2020, and it is expected that CCPA and other data privacy litigation will only increase in the coming years. The CPRA has already amended the CCPA and increased obligations on businesses and protections for consumers starting from 2023.


Automating Compliance

Given the expanded definition of the term 'personal information' and the tight time frame provided to businesses to respond to privacy disclosure, access, and deletion requests, along with other requirements, complying with the CCPA can be very labor-intensive and costly.

Securiti's award-winning solution revolves around the concept of PrivacyOps, which utilizes robotic automation, artificial intelligence, and machine learning to automate compliance tasks, freeing up crucial resources for other areas of business.

Securiti helps businesses discover data over a wide range of internal and external systems, build a People Data Graph to link personal data to each individual, automate data access requests, assessments, consent management, and more.


Key facts

1. The CCPA stands for California Consumer Privacy Act.
2. Nearly 500,00 organizations worldwide have been affected by the CCPA.
3. According to IAPP research, 95% of businesses are not prepared for the CCPA.
4. The CCPA fines are a maximum of $7,500 per violation with no upper cap.
5. The CCPA exempts organizations complying with the following:
  • HIPAA
  • Gramm-Leach-Bliley
  • Fair Credit Reporting Act
6. Securiti uses award-winning automation, machine learning, and AI to help reduce costs, liabilities, and human effort while helping your business comply effortlessly.
