17 Apr, 2023

CCPA: California Consumer Privacy Act

Introduction to CCPA

The California Consumer Privacy Act (CCPA) is a landmark privacy law that was enacted in California, United States, in 2018. It grants California residents certain rights and imposes obligations on businesses that collect, use, or share their personal information. The CCPA aims to enhance consumer privacy and data protection by giving individuals more control over their personal information and requiring businesses to be transparent about their data practices. 

CCPA has been a significant development in the realm of privacy regulations, setting a new standard for data privacy in the United States and beyond. It has implications for businesses that operate in California or process personal information of California residents, regardless of their physical location. Understanding the scope, requirements, and compliance implications of CCPA is crucial for businesses to protect consumer privacy, avoid penalties for non-compliance, and maintain trust with their customers. 

In this blog, we will delve into the intricacies of CCPA, covering its key provisions, consumer rights, compliance requirements, enforcement, best practices, and emerging privacy trends. By gaining a comprehensive understanding of CCPA, businesses can navigate the evolving privacy landscape, adapt their data practices, and ensure compliance with this significant privacy regulation. 

Who does CCPA apply to? 

The California Consumer Privacy Act (CCPA) applies to certain businesses that meet specific criteria, as well as to consumers who are residents of California. The following entities are subject to CCPA: 

• Businesses: CCPA applies to businesses that operate in California or that collect, use, or share personal information of California residents, and meet one or more of the following thresholds: 

  • Annual gross revenues of $25 million or more. 

  • Buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices. 

  • Derive 50% or more of their annual revenue from selling consumers’ personal information. 

• Service Providers: CCPA also applies to service providers that process personal information on behalf of a business and that receive personal information from a business subject to CCPA. 

• Third Parties: CCPA applies to third parties to whom a business discloses personal information for a business purpose, and who are not considered service providers. 

• Consumers: CCPA grants privacy rights to consumers who are residents of California. Consumers have the right to know, right to delete, right to opt-out, and right to non-discrimination with respect to their personal information. 

It’s important to note that CCPA has a broad extraterritorial scope, which means that businesses located outside of California that collect or process personal information of California residents may also be subject to CCPA compliance requirements. 

Understanding who CCPA applies to is crucial for businesses to determine their compliance obligations, implement necessary measures to protect consumer rights, and avoid potential penalties for non-compliance. Businesses subject to CCPA should assess their data practices, update their privacy policies and disclosures, and establish mechanisms to handle consumer requests in accordance with CCPA requirements. 

Consumer rights granted under CCPA 

The California Consumer Privacy Act (CCPA) grants several privacy rights to consumers who are residents of California. These rights are designed to give consumers more control over their personal information and include the following: 

Right to Know: Consumers have the right to know what personal information is being collected, used, disclosed, or sold by a business. This includes the right to request and receive detailed information about the categories of personal information collected, the sources of personal information, the purposes for which personal information is collected and used, and the categories of third parties with whom personal information is shared. 

Right to Delete: Consumers have the right to request the deletion of their personal information held by a business. This right allows consumers to request the deletion of personal information that is no longer necessary for the purposes for which it was collected, or that has been collected or used without a legitimate business purpose. 

Right to Opt-Out: Consumers have the right to opt-out of the sale of their personal information. This means that consumers can request that a business not sell their personal information to third parties. Businesses are required to provide a clear and conspicuous opt-out mechanism on their websites or through other means and are prohibited from selling personal information of consumers who have opted out, unless an exception applies. 

Right to Non-Discrimination: Consumers have the right to not be discriminated against for exercising their CCPA rights. This means that businesses are prohibited from denying goods or services, charging different prices, providing a different level or quality of goods or services, or suggesting that consumers will receive a different price or level or quality of goods or services based on their exercise of CCPA rights, unless the differential treatment is reasonably related to the value provided by the consumer’s data. 

Right to Access: Consumers have the right to request access to their personal information held by a business. This includes the right to request and receive a copy of the specific pieces of personal information collected by the business, in a readily usable format, and to have the information transmitted to another entity upon request. 

Right to Opt-In for Minors: CCPA also includes a special provision for minors under the age of 16. Businesses are required to obtain opt-in consent from a minor, or the parent or guardian of a minor under the age of 13, before selling their personal information. 

It’s important to note that consumers can exercise their CCPA rights by submitting verifiable requests to businesses, and businesses are required to provide mechanisms for consumers to submit such requests and verify their identities. Businesses are also required to respond to consumer requests within specific timelines and provide the requested information or take appropriate actions, such as deleting personal information or stopping the sale of personal information, as required by CCPA. 

Understanding the CCPA rights for consumers is crucial for businesses to ensure compliance with this privacy law, protect consumer privacy, and avoid potential penalties for non-compliance. Businesses subject to CCPA should establish processes and mechanisms to handle consumer requests, update their privacy policies and disclosures, and ensure that their data practices align with CCPA requirements. 

Obligations for businesses under CCPA 

The California Consumer Privacy Act (CCPA) is a comprehensive data privacy law that imposes various obligations on businesses that collect, use, or disclose personal information of California residents. Some of the main obligations for businesses under CCPA include: 

1. Notice Requirement: Businesses are required to provide notice to consumers at or before the point of collection of personal information. This notice must inform consumers about the categories of personal information being collected, the purposes for which the information is collected, and the categories of third parties with whom the information is shared. 

2. Right to Know: Businesses must allow consumers to request and obtain information about the specific pieces of personal information that the business has collected about them, the categories of personal information collected, the categories of sources from which the personal information is collected, the purposes for which the personal information is used, and the categories of third parties with whom the personal information is shared. 

3. Right to Delete: Businesses must allow consumers to request the deletion of their personal information that the business has collected, subject to certain exceptions. 

4. Opt-Out of Sale: Businesses must provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website or mobile app, allowing consumers to opt out of the sale of their personal information. 

5. Non-Discrimination: Businesses are prohibited from discriminating against consumers who exercise their rights under CCPA, which means that businesses cannot deny goods or services, charge different prices, or provide a different level or quality of goods or services based on a consumer’s exercise of their CCPA rights. 

6. Minors’ Privacy: If a business sells personal information of consumers who are under the age of 16, the business must obtain opt-in consent from a parent or guardian before selling the personal information. For consumers who are between the ages of 13 and 16, the consumer themselves must opt in. 

7. Data Security: Businesses must implement reasonable security measures to protect the personal information they collect from unauthorized access, destruction, use, modification, or disclosure. 

8. Vendor Management: Businesses that disclose personal information to third-party vendors or service providers must have written contracts in place that require those vendors or service providers to comply with CCPA and handle personal information in a manner consistent with the law. 

9. Employee Training: Businesses must provide training to employees who handle personal information about the requirements of CCPA and the business’s privacy practices. 

10. Record-Keeping: Businesses must maintain records of consumer requests and their responses related to CCPA for a period of 24 months. 

It’s important to note that CCPA applies to businesses that meet certain thresholds, such as having annual gross revenues of $25 million or more, buying, receiving, or selling personal information of 50,000 or more California residents, households, or devices, or deriving 50% or more of their annual revenues from selling personal information of California residents. It’s recommended that businesses subject to CCPA seek legal advice to ensure compliance with the law. 

What is the CPRA, and what is the difference between it and the CCPA?

The CPRA stands for the California Privacy Rights Act, which is a privacy law that was passed in November 2020 as a ballot initiative in California, United States. It amends the existing California Consumer Privacy Act (CCPA) and expands privacy rights for California residents. 

The main differences between the CPRA and CCPA are as follows: 

• Creation of a new enforcement agency: The CPRA establishes the California Privacy Protection Agency (CPPA), which is a regulatory body responsible for enforcing privacy laws in California. The CCPA, on the other hand, does not have a dedicated enforcement agency. 

• Expansion of consumer rights: The CPRA provides additional rights to consumers, including the right to correct inaccurate personal information, the right to limit the use of sensitive personal information, and the right to opt-out of the sharing of personal information for cross-context behavioral advertising. The CCPA does not explicitly provide for these rights. 

• Introduction of the concept of “sensitive personal information”: The CPRA introduces a new category of personal information called “sensitive personal information,” which includes data such as social security numbers, financial account information, and precise geolocation information. The CPRA imposes additional requirements on businesses when processing sensitive personal information, including obtaining explicit consent from consumers for its collection and use. 

• Changes to business obligations: The CPRA imposes additional obligations on businesses, such as conducting regular cybersecurity audits, and requires businesses to enter into contracts with service providers that include certain privacy protections. The CCPA does not have these requirements. 

• Extension of the “business” threshold: The CPRA raises the threshold for a business to be subject to the law from the CCPA’s criteria of 50,000 consumers or households to 100,000 consumers or households. Additionally, the CPRA introduces a new concept of “sharing” personal information, which may subject businesses to additional compliance requirements. 

• Increased fines for non-compliance: The CPRA increases the fines for violations related to the privacy rights of minors and triples the fines for intentional violations of the privacy rights of consumers compared to the CCPA. 

The CPRA expands and strengthens privacy rights and requirements for businesses compared to the CCPA and introduces some new concepts and provisions. Businesses operating in California or handling personal information of California residents should carefully review and comply with both the CCPA and the CPRA to ensure compliance with California’s privacy laws. 

Can complying with GDPR assure CCPA? 

Complying with the General Data Protection Regulation (GDPR), which is a data protection law in the European Union, does not automatically assure compliance with the California Consumer Privacy Act (CCPA), which is a separate privacy law in California, United States. While there may be some similarities between the GDPR and CCPA in terms of their principles and requirements for protecting personal data, they are distinct laws with specific provisions and scope that apply to different geographical regions. 

There are some areas of overlap between the GDPR and CCPA, such as requirements for transparency, data subject rights, and security measures. For example, both laws generally require businesses to be transparent about their data practices, obtain consent for certain types of data processing, and provide data subjects with rights to access, delete, and correct their personal information. Additionally, both laws may require businesses to implement reasonable security measures to protect personal data. 

However, there are also significant differences between the GDPR and CCPA. For example: 

Scope: The GDPR applies to businesses that process personal data of individuals in the European Union, regardless of their location, while the CCPA applies to businesses that collect or sell personal information of California residents, regardless of their location or whether they have a physical presence in California. 

Opt-in vs. Opt-out: The GDPR generally requires opt-in consent for data processing, while the CCPA generally requires providing consumers with the right to opt-out of the sale of their personal information. 

Rights and requirements: While there are similarities in data subject rights and requirements for transparency and security, there are also differences in the specific details and provisions of the GDPR and CCPA, such as the requirements for data breach notifications, financial incentives, and additional obligations for businesses under the CCPA. 

Enforcement and penalties: The GDPR and CCPA have different enforcement mechanisms and penalties for non-compliance. The GDPR empowers data protection authorities in the EU to impose fines of up to €20 million or 4% of global annual revenue, whichever is higher, for certain violations. The CCPA, on the other hand, provides for fines of up to $7,500 per violation or actual damages, whichever is greater, for certain data breaches. 

While compliance with the GDPR may provide a foundation for building a privacy program, it does not guarantee compliance with the CCPA or vice versa. Businesses that are subject to both the GDPR and CCPA should carefully review and understand the requirements of each law separately and ensure they have appropriate measures in place to comply with both laws, considering their unique provisions and scope. Consulting legal counsel and privacy professionals can be helpful in navigating the complexities of both the GDPR and CCPA compliance.

Who can audit for CCPA?

The CCPA does require covered businesses to maintain reasonable security measures to protect personal information, and they may be subject to audits or assessments by various entities, including: 

External auditors: Businesses may choose to engage external auditors, such as certified public accountants (CPAs) or cybersecurity firms, to conduct audits or assessments of their CCPA compliance. These auditors can assess a business’s compliance with the CCPA requirements, including its data protection practices, policies, and procedures. 

Regulatory agencies: The California Attorney General’s office, which is responsible for enforcing the CCPA, has the authority to conduct audits or assessments of businesses’ compliance with the law. If a business is subject to an investigation or inquiry by the California Attorney General’s office, it may be required to provide documentation and evidence of its CCPA compliance. 

Internal auditors: Businesses may also use their internal audit teams or compliance departments to conduct internal audits or assessments of their CCPA compliance. These internal auditors can review and assess the business’s data protection practices, policies, and procedures to ensure compliance with the CCPA requirements. 

It’s important to note that while the CCPA does not mandate a specific type of auditor or certification, businesses should ensure that the auditors they engage are qualified and experienced in privacy and data protection matters, and that they follow generally accepted auditing standards and practices. Additionally, compliance with the CCPA may also require legal expertise to interpret the law’s requirements and ensure proper implementation. Businesses should consult legal counsel and privacy professionals to ensure they are meeting their CCPA obligations.

How to get certified with CCPA? 

The California Consumer Privacy Act (CCPA) is a privacy law that sets forth requirements for businesses that collect or sell personal information of California residents, and it does not require formal certification. 

However, there are organizations and privacy professionals that offer voluntary certifications or assessments related to CCPA compliance. These certifications or assessments are not officially recognized or mandated by the CCPA, but they can provide businesses with a way to demonstrate their commitment to privacy and data protection best practices. Here are some general steps you can take to pursue CCPA compliance certification: 

Understand the CCPA requirements: Familiarize yourself with the CCPA’s provisions, including its requirements for data collection, consumer rights, and data security. Review the CCPA text, official guidance, and interpretations from the California Attorney General’s office to ensure a thorough understanding of the law. 

Assess your current practices: Conduct an internal assessment of your current data practices, policies, and procedures to identify any gaps or areas that need improvement in relation to CCPA compliance. This may include reviewing your data collection practices, privacy policies, consent mechanisms, data subject rights processes, and data security measures. 

Engage privacy professionals: Consider engaging privacy professionals, such as privacy consultants or legal counsel with expertise in privacy and data protection, to assist with your CCPA compliance efforts. They can provide guidance and recommendations tailored to your specific business operations and help ensure compliance with the CCPA requirements. 

Implement necessary changes: Based on the results of your internal assessment and guidance from privacy professionals, implement any necessary changes to your data practices, policies, and procedures to align with CCPA requirements. This may involve updating your privacy policies, implementing opt-out mechanisms, establishing data subject rights processes, and enhancing your data security measures. 

Consider voluntary certifications or assessments: Some organizations or privacy professionals offer voluntary certifications or assessments related to CCPA compliance. These certifications or assessments may involve a review of your data practices, policies, and procedures, and can provide a third-party validation of your compliance efforts. Research and select a reputable certification or assessment program that aligns with your business needs and requirements. 

Maintain ongoing compliance: CCPA compliance is an ongoing process, and businesses should continually monitor and update their data practices, policies, and procedures to ensure ongoing compliance with the CCPA requirements. 

It’s important to note that while certifications or assessments can provide a way to demonstrate your commitment to CCPA compliance, they are not a guarantee of compliance, as the CCPA requirements may evolve over time, and certification programs are not officially recognized or mandated by the law. Businesses should always ensure that they are fully compliant with the CCPA requirements as outlined in the law itself and any official guidance from the California Attorney General’s office. Consulting legal counsel and privacy professionals can be helpful in navigating the complexities of CCPA compliance. 

What penalties can be imposed for CCPA noncompliance?

The California Consumer Privacy Act (CCPA) provides for the imposition of fines for non-compliance. The specific fines and penalties for CCPA violations are outlined in the CCPA itself, and they may vary depending on the nature and severity of the violation. The CCPA establishes two types of fines: 

Civil Penalties: The California Attorney General’s office has the authority to enforce the CCPA and can impose civil penalties for violations of the CCPA. The CCPA provides for civil penalties of up to $2,500 for each violation or up to $7,500 for each intentional violation, whichever is greater. These penalties can be imposed for each violation, which means that fines can add up quickly if multiple violations are found. 

Private Right of Action: The CCPA also provides for a private right of action for certain data breaches. Consumers whose personal information has been subject to unauthorized access and exfiltration, theft, or disclosure due to a business’s failure to implement reasonable security measures may seek statutory damages ranging from $100 to $750 per consumer per incident or actual damages, whichever is greater. 

It’s important to note that fines and penalties under the CCPA can be imposed by the California Attorney General’s office or through private lawsuits, depending on the nature of the violation. It’s also worth mentioning that the California Privacy Rights Act (CPRA), which is a ballot initiative that was approved by California voters in November 2020 and is slated to become effective in 2023, introduces additional fines and penalties for certain violations of its provisions. 

It’s recommended for businesses subject to the CCPA to ensure compliance with the law’s requirements to mitigate the risk of fines and penalties. This may involve implementing appropriate data collection practices, providing required notices to consumers, honoring consumer rights, and maintaining reasonable data security measures. Consulting legal counsel and privacy professionals can be helpful in ensuring compliance with the CCPA and managing the risks associated with non-compliance. 
