California Consumer Privacy Act (CCPA)

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) grants consumers rights related to the collection, use, and sale of their personal data—and prevents businesses from discriminating against them for exercising those rights.

Signed into law in June 2018, the new regulation comes as a response to a multitude of businesses, targeting Silicon Valley firms that are making headlines for mishandling or exploiting private data. The CCPA focuses on making sure organizations have a business purpose for why they need personal information while enabling Californians to readily request, delete, or protect their personal information (PI) collected and governed by a business.

Who Must Comply with the California Consumer Privacy Act?

Organizations that simply conduct business with California residents and satisfy one of three thresholds must be CCPA-compliant:

Has an annual gross revenue in excess of $25 million
Buys, receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices
Derives 50 percent or more of its annual revenue from selling

If a company meets one of the criteria above, then it will need to inform consumers of the type of personal information collected and the purpose at the point of data collection.

How can Businesses be in Compliance with the CCPA?

The CCPA requires businesses to give consumers certain information in a “notice at collection.” A notice at collection must list the categories of personal information businesses collect about consumers and the purposes for which they use the categories of information. (To find out how you can learn what specific information a business has collected about you, see the Right to Know section.) If the business sells consumers’ personal information, then the notice at collection must include a Do Not Sell link. The notice must also contain a link to the business’s privacy policy, where consumers can get a fuller description of the business’s privacy practices and of their privacy rights.

Overview of a Business Responsibilities to be CCPA Compliance

Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes.
“Do Not Sell My Personal Information” link on the home page of the website of the business, that will direct users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident’s personal information.
Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number.
Update privacy policies with newly required information, including a description of California residents’ rights.
Avoid requesting opt-in consent for 12 months after a California resident opts out.

How can a Business know if they are CCPA Compliance?

The 3 “Vital Signs” of CCPA Compliance

Consulting firm PriceWaterhouseCoopers (PwC) created CCPA Watch to report on emerging benchmarks. It’s a place to see how well you measure up as PwC continually analyzes how companies are meeting CCPA requirements. Their research covers three specific areas:

Offering a do-not-sell (DNS) link on company websites. A PwC team analyzed the websites of the 600 largest publicly traded companies and the 100 largest private corporations. As of mid-February, 16% of companies offered such a link, actually higher than was predicted.

However, there is a heated debate over what counts as a data “sale.” Legal experts in the ad tech industry note that “The question of whether, and under what circumstances, the use of third-party cookies, pixels, tags, etc. constitutes a ‘sale’ and how to provide [Do Not Sell My Info] choices is a flashpoint in the debate over how to interpret the CCPA…There is a growing consensus that only a lawsuit or a government enforcement action will resolve this matter.”
Offering CCPA rights of access and deletion beyond California residents. PwC recommends organizations “plan for the long term” by providing these same rights to all consumers. However, their research found that the majority of companies have yet to do this. On the other hand, many well-known brands, such as Amazon, Apple, Facebook, Google, Microsoft, Netflix, and Starbucks do offer these rights to all Americans.

Companies can extend CCPA rights to all their customers by allowing opt-out requests to be made online and by implementing an automated system for processing these requests. CCPA’s right to delete provision is similar to GDPR’s “right to be forgotten.” This similarity illustrates the importance of offering these rights to all consumers, wherever they live.
Operating a CCPA privacy rights portal: A business uses a portal to verify a customer’s identity before processing a request to delete, access, or opt-out of the sale of personal information. PwC researchers found “operational” CCPA rights portals on 40% of the 600 company websites they examined.

According to CCPA, companies need to verify a user’s identity to a “reasonable degree of certainty.” For some businesses, this means simply asking for an email address to send the data. Other companies require consumers to upload their driver’s license or state ID.

How are Consumers affected by CCPA?

The CCPA grants consumers the right to request a business to disclose any of the following:

All data collected about the consumer
The categories of sources from which that information is collected
The business purpose for collecting or selling that information
Third parties with which the information is shared

In this case, business purposes is defined as:

Auditing or verification related to transactions
Detecting security incidents, fraud prevention or illegal activity
Debugging to identify and repair errors
Short-term transient use
Performing services on behalf of the business or service provider

The California law requires companies to include a form (Section 1798.135) on their websites, asking consumers to opt-in or out of data sharing. Otherwise, consumers can take legal action if they’re unable to find out how their information has been collected or get copies of that information.

What Rights are Consumers entitled to by CCPA?

This landmark law secures new privacy rights for California consumers, including:

The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale of their personal information; and
The right to non-discrimination for exercising their CCPA rights.

Businesses are also required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

What are the punishments for Breaking CCPA Rules?

Effective January 1, 2020, organizations have 45 days to respond to any verified consumer request under the CCPA. In the event that a business fails to address a violation within 30 days of notification, the California general attorney may impose a maximum penalty of up to $7,500 for each violation. If there is an unauthorized infiltration of data, consumers can assert a private right of action to recover damages up to $750 per violation.

GDPR has a tiered approach to fines with the EU law on data protection and privacy. Depending on the violation occurred, the penalty may be either: 4 percent of the global annual turnover from the prior year or $20 million, whichever is greater, or 2 percent of global annual turnover or $10 million, which is greater.