The California Consumer Privacy Act (CCPA): Ensuring Compliance in 2023
The California Consumer Privacy Act (CCPA) is a data privacy law that sets out to protect the personal information of individuals in California. It was enacted on January 1, 2020, and CCPA compliance is required for qualified businesses collecting Californians' data.
Businesses operating under the scope of the CCPA must understand what kind of consumer data they collect and take the necessary steps to protect them. A failure to do so could result in significant fines and penalties imposed upon business entities if found non-compliant with regulation standards set forth by this act.
Read below for an overview of the CCPA, its key provisions, challenges, how to become CCPA compliant, and more.
Overview: What is the California Consumer Privacy Act?
The California Consumer Privacy Act is a state law that provides consumers with more protection and transparency regarding the collection of their personal information by businesses worldwide For-profit businesses that collect, share, or sell personal information must comply with the CCPA guidelines.
Here is a CCPA disclaimer notice example:
“The website or its third-party tools process personal data. You can opt out of the sale of your personal information by clicking on the “Do Not Sell My Personal Information” link.”
The CCPA is similar in some respects to the European Union's General Data Protection Regulation (GDPR), which provides similar privacy protections for EU citizens.
However, the CCPA has some unique features, such as its focus on the sale of personal information and its inclusion of a private right of action for consumers affected by data breaches.
When did the CCPA go into effect?
The CCPA went into effect on August 14, 2020, and was further amended on March 15, 2021. This legislation came before the California Privacy Protection Agency (CPRA) that took effect on January 1, 2023. The CPRA amended the CCPA and added additional rules to it.
What are the CCPA regulations?
The CCPA California regulations allow Californians:
- The right to opt out of personal information collected.
- The right to request disclosure of personal information collected.
- The right to request deletion of personal information collected.
- The right to equal services and prices for exercising CCPA privacy rights.
- The right to correct a business's inaccurate personal information about them.
- The right to limit the usage and disclosure of sensitive personal information.
The California data privacy law restricts businesses from prohibiting service for exercising one of the six CCPA rights listed above. Businesses must comply with the regulations and follow all consumer requests if they meet one of the three criteria.
How is the CCPA Enforced on Businesses?
The CCPA laws are enforced by the attorney general of California. The attorney general is responsible for determining whether a business successfully implements the regulations of the CCPA.
In cases where a consumer claims their information was not handled properly or securely by a business, the attorney general will decide the penalty.
The attorney general will assess the security systems that the business put in place and how the information was handled per the CCPA and issue fines or penalties accordingly.
CCPA/CPRA Fines and Penalties
CCPA regulation states that businesses failing to comply with the CCPA act will be fined $7,500 per intentional non-compliance violation and $2,500 per unintentional non-compliance violation. Some examples of CCPA fines are listed below:
Zoom had to pay an $85 million settlement for the recurring instances of “Zoombombing.” Hackers would use the consumer data that Zoom sold to other sites to take over random Zoom meetings and disturb them.
A data broker attempted to comply with the CCPA and added an opt-out button to their site, but the link did not work. The site also required much information to be submitted by the consumer before they could successfully opt-out. The broker was informed of the issues and made appropriate changes to the site.
There was also no way to request the information. The business was informed by the attorney general and made the appropriate changes.
T-mobile was hit with a lawsuit claiming they had insufficient security measures to protect consumers' data. Due to this, many consumers’ phone numbers and names were accessible to hackers. T-mobile offered reparations for the breach, but the case has not been closed.
Key Provisions of the CCPA & CPRA
The California Consumer Privacy Act (CCPA) grants Californian consumers new rights and places obligations on businesses that collect, use, or sell their data.
The CPRA law adds additional rights to this as well that are added to this list. CPRA stands for the California Privacy Rights Act. The key requirements for compliance include the following:
- The right to disclosure: Businesses must disclose the types of information they collect and sell, who they are selling it to, and what specific pieces of personal data are being collected and sold for which purposes. They have 45 days after a request has been made to provide consumers with this information. Businesses must give consumers two ways to submit a request (e.g., link, email address, or phone number).
- The right to delete data: Businesses must notify consumers that they have the right to request the deletion of their data. They must comply with this request and ensure third-party data collectors also delete all information associated with a consumer when requested.
- The right to opt-out: Businesses must provide consumers with the right to opt-out of the collection and selling of their data. They must notify consumers that they have this right and provide a link titled “Do Not Sell My Information” for consumers to access this option easily. Businesses must also comply with requests from individuals who wish their information not to be used or shared.
- The right to equal services and pricing: Businesses must not discriminate against consumers who exercise their rights under the CCPA. This includes providing the same quality of service and charging them no more than other consumers for exercising these rights. All consumers can request that personal information be deleted or opt-out of having their data collected and sold to third parties.
- The right to initiate a private cause of action for data breaches: Businesses must notify consumers of their right to initiate a private cause of action for data breaches that result in unauthorized access or exfiltration, theft, alteration, or destruction of personal information. Consumers can seek statutory damages from businesses found liable under the CCPA and may be entitled to compensation if they suffer losses as a consequence.
- The right to correct a business's inaccurate personal information about them: Businesses must provide consumers with the right to access, update, and correct their personal information. They should also ensure that third parties they share data with have procedures for correcting inaccurate information associated with a consumer’s profile.
- The right to limit the usage and disclosure of sensitive personal information: Businesses must limit the use and disclosure of sensitive personal information, such as Social Security numbers or biometric data. They should only disclose this type of information with a consumer’s explicit consent unless it is necessary for providing them with services or products they have requested.
Scope and Applicability of the CCPA & CPRA
The California Consumer Privacy Act (CCPA) applies to both consumers and businesses. The CCPA provides consumers with more rights over their data than any other state or federal law regarding access, use, and information sharing by business entities.
Consumers have a right to know the personal information that businesses collect. They can also request that companies delete such data upon demand if it is no longer necessary for purposes stated at collection time or authorized later. They may also opt out of businesses sharing their sensitive preferences beyond legal requirements without explicit consent.
The CCPA rules apply to for-profit businesses that meet one or more of the following criteria. The first is they have annual revenue above $25 million. Second, they collect, share, or sell personal information from at least 50,000 consumers' devices. The third and final criterion is earning over fifty percent (50%) of their total income by selling consumer data.
Examples of data covered by the CCPA:
- Social security number
- Financial information such as credit card numbers
- Biometric Information like fingerprints & facial recognition scans
- Precise geolocation information
Definition of Key Terms in the CCPA
Understanding the definition of key terms in the CCPA is essential for businesses to ensure compliance. It is crucial to understand how CCPA defines certain words because the definitions of these terms determine who and what entities are subject to compliance with this new law.
A thorough understanding of CCPA key terms allows businesses to take an informed approach to their compliance strategy. Awareness of the rights and obligations outlined in this law helps organizations identify potential risks and develop strategies for risk mitigation.
Additionally, understanding the definitions of key terms can help organizations minimize their legal liabilities when it comes to data privacy and consumer protection laws.
‘Consumers’ in the CCPA
According to the CCPA, a ‘consumer’ is any natural person who is a California resident. This includes individuals who lived in the state for part of their lifetime or the last 12 months and anyone living outside the United States who provided personal information to businesses within this period.
Examples of data covered by CCPA include:
- Personal identifiers (name, email address)
- Financial details (credit card numbers)
- Internet activity records (IP addresses & browsing history)
- Geolocation data
- Audio/electronic/visual recordings
‘Sale of data’ in the CCPA
According to the CCPA, ‘Sale of data’ refers to any exchange or transfer of personal information for monetary or other valuable consideration. This includes exchanging consumers' contact details with another business in return for money, offering discounts in exchange for consumer information, and selling user data on a third-party platform.
‘Businesses’ in the CCPA
The California Consumer Privacy Act (CCPA) applies to any for-profit business that meets specific criteria, including:
- Has annual gross revenues of over $25 million
- Purchases or receives the personal information of 50,000 or more consumers annually
- Derives at least half its yearly revenue from selling consumer data collected through its products and services offered online within a 12-month period prior to January 1st, 2020.
Certain businesses are exempt from CCPA regulations, such as those with fewer than 20 employees, nonprofit businesses, government agencies, political action committees, and specific healthcare provider companies that may already have special patient privacy laws protecting medical records.
Additionally, educational institutions where the user's sensitive information is required by law to be protected under FERPA are exempt since they must strictly follow federal guidelines concerning student record confidentiality regardless if the students reside in California or not.
Challenges behind CCPA compliance
The California Consumer Privacy Act (CCPA) is a complex piece of legislation, and businesses struggle to meet its requirements. Here are several challenges that companies face when trying to make a CCPA website that’s compliant:
- Identifying applicable data: This involves understanding which types of consumer information are subject to protection under this law, as well as where and how it is stored within a business’s systems. Additionally, with so many potential sources of sensitive information, businesses must be aware of what type of data needs special protection in compliance with the law. Otherwise, they risk facing fines if caught out by an audit.
- Managing costs: Businesses must spend time and money researching relevant regulations, investing in technologies for securely storing personal information, and developing procedures for collecting consent from consumers regarding their data usage.
- Developing appropriate procedures: Developing appropriate procedures for handling personal information is crucial to CCPA compliance. This includes ensuring that data is documented and stored in secure locations and implementing processes to respond promptly to consumers' or regulators' requests regarding their data use.
- Implementing necessary technologies: Businesses must invest in security systems that allow them to store and manage consumer data safely. This includes encrypting all sensitive information and monitoring networks for potential threats. Companies should also have clear policies on how long they will retain consumer data to avoid unnecessary storage while meeting legal requirements for retention periods set out by CCPA regulations.
- Finding a dependable partner: Working with an experienced provider with expertise in meeting privacy regulations, such as the CCPA, is essential. The most reliable partners provide comprehensive services from start to finish – including consulting on best practices, advising on appropriate technologies necessary for compliance, and assistance in the implementation process. Hence, businesses can stay up-to-date even after the initial set-up is complete.
Achieving CPRA compliance & CCPA Compliance
Businesses can achieve compliance with the California Consumer Privacy Act (CCPA) by taking several steps to ensure their practices and processes align with CCPA standards.
Update Privacy Policies
Businesses must update privacy policies to include the rights granted to consumers by the CCPA. The policies should include previous guarantees and the updated provisions in the “key provisions” section.
Provide Clear Opt-Out Options For Consumers
To protect consumers’ rights, businesses must provide a clear and visible option, such as a link, that disallows businesses to sell their information. The opt-out link should be very easily seen and accessed by consumers.
Implement Measures to Secure Consumer Data
Businesses must protect consumers' information with a standard of security established by the CCPA. The security of the consumers’ information must involve risk assessment and protect the data's availability, integrity, and confidentiality.
Establish Your Record-Keeping Systems & Protocols
A business’s records and collections of consumer data must be updated to match the new protocols set in place by the CCPA. Records must contain all data processing, buyers of data, and any application handling data. Businesses must also add elements defining if the information is sold and what information was sold.
Records should be updated regularly, show the exact pathing a consumer's data has taken, and be available upon request.
Train Your Staff on CCPA Regulations
The final step is to provide training to staff on the updated regulations. Staff that deal with consumers’ requests and data need to be knowledgeable about the regulations to avoid any sanctions and maintain integrity, confidentiality, and safety.
Why Is CCPA Important?
The California Consumer Privacy Act (CCPA) is an important and groundbreaking piece of consumer protection legislation that provides Californians with unprecedented control over their personal data. CCPA also grants individuals the right to sue businesses for violations resulting in damages up to $7,500 per incident.
What Are Examples Of CCPA Violations?
A business can violate the CCPA by failing to follow consumers’ requests to delete their data. Another example is selling a consumer's information without their explicit consent.
What Is The Significance Of The CCPA?
The CCPA allows consumers more control over the information a business has collected from them and where they have sold the information. This increases transparency and gives power and awareness to consumers of how businesses handle their information.
What Data Is Protected Under The CCPA?
The data that the CCPA protects is information related to the consumer's personal identity. This includes names, driver licenses, addresses, social security numbers, and IP addresses.
How Does The CCPA Affect Employees?
Employee data is also protected under the CCPA. There is an exemption for businesses under the guise that they use the information for contacting other businesses in the employment process.
The CCPA was enacted to protect consumer data and allow the monitoring of selling consumer information from businesses to third parties.
To ensure your business complies with the CCPA, use this article from Captain Compliance as a reference. If your business collects consumer information and sells it to third parties, compliance with the CCPA is a must to avoid fines and sanctions that can damage your business.
If you want to check if you qualify for any exemptions from the CCPA, use this list of exemptions from Captain Compliance. You must check these exemptions before making assumptions about whether your business qualifies.