What is California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a Californian data protection law that governs how businesses are allowed to collect, process and share the personal information of California residents. The CCPA was enacted on January 1st, 2020 and enforcement began on July 1^st, 2020, and is the most recent law to set the standard for ensuring data privacy in the United States of America.

Does my business fall within the scope of CCPA?

The CCPA applies to all companies that handle the private information of California residents, regardless of their location, and meet at least one of the following three criteria:

The business’ annual gross revenue exceeds $25 million.
The business handles the personal data of at least 50,000 California residents.
The business earns at least 50% of its revenue from the sale of personal data.

The scope of CCPA is broad and businesses of shapes and sizes will be subject to CCPA if they meet at least one of these conditions.

What new rules now affect data processing under CCPA?

The CCPA has not replaced previous data privacy laws in California, such as the California Online Privacy Protection Act (CalOPPA), but has rather introduced new regulations alongside these existing laws.

For example, CalOPPA requires businesses to display a privacy notice on their website that explains the basics of their data privacy policy. This includes sharing the categories of personal information that will be collected, such as the individual’s name or payment details, and the categories of third-parties who may receive this information, such as ‘a mail carrier’. There is no need to name the specific third-parties, however.

CalOPPA also requires businesses to provide information on the process consumers might have to review and request changes to what personal information is held on them. However, businesses are not required to have such processes under CalOPPA, so this rule only applies to businesses that have voluntarily offered these processes.

Businesses that fall within the scope of CCPA, however, must comply with much stricter rules that seek to increase the rights of private individuals over their personal data. Under CCPA, businesses must help individuals access their rights, including:

The right to know the specific types of personal data the business has collected, sold or shared about them.
The right to deny a business the right to sell their personal data.
The right to request that their data be deleted by the business.

This information must be disclosed in the privacy policy shown on the business’ website. Notably, businesses subject to CCPA must also provide a link titled ‘Do Not Sell My Personal Information’ to a page where a California resident can request that their private data not be sold with third parties. This is a new rule that was not previously covered by CalOPPA.

Another major change is that businesses subject to CCPA must obtain consent from a minor before selling their personal data. Individuals between 13-16 years old must be contacted for consent before selling their data, while consent must be obtained from the parents or guardians of anyone below the age of 13. This is not the case with CalOPPA, which has no rules around obtaining prior consent.

What are the penalties for failing to comply with CCPA?

Businesses that fail to comply with CCPA risk facing large fines, particularly businesses that mishandle the data of thousands of customers. The Attorney-General can pursue a civil case against a business if any aspect of CCPA has not been followed, with the potential fine for each violation being $7,500. This means that the fine for mishandling the data of 100 people could result in a fine of $750,000. CCPA violations subject to a civil penalty include:

Failure to maintain a CCPA-compliant privacy policy.
Failure to provide adequate notice when collecting personal data.
Discriminating against an individual who has exercised their right to privacy under CCPA.

Consumers could also pursue civil legal claims against a business, but only in cases where their data has been breached.

What does CCPA define as personal data?

CCPA defines personal data as any information that identifies or relates to, either directly or indirectly, an individual or household. This does not include publicly available information, meaning any information that can be found in freely available governmental records. Here are some examples of personal data protected by CCPA:

Identifiers (email address, social security number, real name)
Commercial information (recent purchases)
Internet activity (browsing history)

How does CCPA differ from GDPR?

Both CCPA and GDPR are laws designed to give individuals more control over how their personal data is collected, stored and sold by businesses. However, GDPR only relates to EU data subjects, while CCPA only relates to California residents. There are other differences too, some of which include:

GDPR requires that businesses must have a legal basis for collecting and using personal data, something which is not established under CCPA.
CCPA does not require that businesses appoint a data protection officer (DPO), although it is advised as best practice.
The privacy policies required under CCPA and GDPR are different.
Businesses subject to CCPA must provide a ‘Do Not Sell My Personal Information’ button on their websites and apps, something which is not needed under GDPR.

Data privacy considerations for CCPA

Ensuring CCPA compliance is an ongoing process, needing regular risk assessments and consultancy. Calligo’s CCPA Compliance Service highlights areas at risk of non-conformance and provides a roadmap to work on areas for improvement.

Calligo is a privacy-led managed service provider working with businesses active in California and across the globe. Our expert team of data privacy and infosecurity specialists provide ongoing, unbiased consultancy on all major data privacy regulations, including CCPA.