Information Center

What You Need to Know About the California Consumer Privacy Act (CCPA)

Over the last decade, cyber threats have been arguably the biggest concern for businesses and consumers. This is why privacy when using the internet is a major concern for 92% of Americans. In response, California passed the California Consumer Privacy Act (CCPA) on June 28, 2018, to give consumers more control over their data.

The law was enacted on January 01, 2020, and is enforced by the California Attorney General's office. And businesses that collect personal data from California residents must comply.

In this article, you will learn everything you need to know about the CCPA and its impact on your business.

What Is CCPA?

The California Consumer Privacy Act (CCPA) is a law that gives California residents the right to know what personal information is being collected about them, the right to have that information deleted, and the right to refuse its sale.

The law applies to any for-profit business that conducts business in California and meets one or more of the following criteria:

  • Has annual gross revenues over $25 million;
  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or
  • Derives more than 50% of its annual revenues from selling consumers’ personal data.

What Are The CCPA Requirements?

There are four main requirements for businesses:

  • Disclosure – Businesses must disclose the categories of personal information they collect, use, or sell.
  • Access – Consumers have the right to request that a business disclose the personal information it has collected about them.
  • Deletion – Consumers have the right to request that a business delete their personal information.
  • Opt-Out – Businesses must provide consumers with an opt-out option if they sell their personal information.

In addition, businesses must provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information” that takes consumers to an opt-out page.

What Types of Data Does the CCPA Cover?

Compared to the GDPR, CCPA has a broader definition of sensitive data. The GDPR focuses on protecting specific data, whereas California's Data Protection Act is more concerned with what constitutes sensitive information.

For example, olfactory data, website browsing history, and user activity records are all included. According to AB 375, "personal information" refers to:

  • Any identifier that is unique to consumers. These include a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number (SSN), driver's license number (DLN), passport number, or other similar identifiers
  • Biometric information
  • Commercial information relating to goods or services acquired, considered, or planned, as well as other purchasing or consumption histories or trends
  • Information related to professional employment
  • Geolocation data
  • Information regarding a consumer's online or other electronic network presence, including but not limited to surfing history, search history, and information about a customer's website encounter
  • Any information conveyed through audio, electronic, visual, or thermal means
  • The protected classifications under California or federal law
  • Education information, which is not publicly available
  • Inferences drawn from any data described in this section to develop a consumer profile based on tastes, traits, psychological tendencies, preferences, predispositions, actions, beliefs, intelligence, talents, and abilities

CCPA Enforcement

The California Attorney General's office enforces any violation of the CCPA and can result in civil penalties of up to $2,500 per violation or $7,500 per intentional violation.

The CCPA also gives consumers the right to file a private right of action if their personal information is breached due to a business's failure to implement reasonable security measures. In such cases, consumers can recover damages of up to $750 per consumer per incident or actual damages, whichever is greater.

What Is a Third Party Under CCPA?

A "third party" is defined as a person or entity not subject to the CCPA. This includes businesses that are exempt and any service providers that process personal information on behalf of a business.

Third parties may also include data brokers, which are companies that buy and sell personal information. Data brokers are not currently subject to CCPA but will be in 2023.

What Are the CCPA Exemptions?

The most notable exemption is for businesses governed by other privacy laws, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA).

Other CCPA exemptions include:

  • Personal information collected by financial institutions governed by GLBA
  • Personal information collected in connection with employment, including background checks and wage information
  • Personal information collected for non-profit activities, such as fundraising or political campaigning
  • Publicly available personal information, such as court records or phone numbers listed in a directory

CCPA also exempts businesses with less than $25 million in annual revenue, businesses that do not sell personal information, and businesses that collect only a limited amount of personal information.

The CCPA provides some leeway for businesses to comply with the law. However, it’s important to note that the law applies to all businesses that collect the personal information of California residents.

How Does CCPA Differ from GDPR?

It's not uncommon for people to refer to CCPA as California's GDPR. However, that's not true. Aside from protecting the rights to data privacy for EU citizens, the General Data Protection Regulation has several differences from CCPA.

First, CCPA only applies to personal information, while GDPR applies to any data. This includes both personal and non-personal data.

Second, it gives consumers the right to know what personal information is being collected about them, the right to delete their personal information, and the right to opt out of having their personal information sold. GDPR gives consumers all of these rights plus the right to access their personal data, the right to change their mind (opt-in), and the right to receive a copy of their data in a portable format.

Third, CCPA applies only to businesses that collect or sell the personal information of California residents. GDPR applies to any business that processes or intends to process the data of EU citizens, regardless of where the business is located.

Fourth, it applies to businesses with annual revenue of over $25 million. GDPR applies to any business that processes or intends to process the data of EU citizens, regardless of the size of the business.

What are the Penalties for Companies That Don't Comply with the CCPA?

Regulators will notify companies that violate the law, and they will have 30 days to fix the issue. If it isn't resolved within that time frame, the company will be fined up to $7,500 for each record.

While $7,500 may seem like an affordable fee for large corporations, it's not necessarily the case. This figure can rise exponentially if you account for the number of records affected per breach.

In addition, CCPA allows consumers to file a private right of action if their non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to the business' violation of CCPA.

This means that individual consumers could sue companies for damages, which can be expensive. In addition, the attorney general has the right to file a civil action against companies for law violations.

So, not only are there financial penalties for companies that violate CCPA but there are also reputational risks. Consumers are becoming increasingly aware of their data privacy rights and are more likely to take action against companies that violate them.

Furthermore, California privacy law dictates that companies give consumers an opt-out option from data sharing using a clearly visible footer on websites. Failure to do so can result in penalties of between $100 and $750 per violation. Moreover, it opens up another avenue for consumers to file lawsuits.

Beyond penalties and lawsuits, you'll also face other breach-related costs. These can include notifying consumers of the breach, providing them with credit monitoring services, and dealing with the fallout from a PR perspective.

All these costs can add up, and they underscore the importance of CCPA compliance. Understanding the law and taking steps to comply can help protect your business from costly penalties and reputational damage.

With so much at stake, companies must understand CCPA and take the necessary steps to ensure compliance.

Strategies for Complying With CCPA

CCPA compliance is no easy feat, but companies can take a few steps to ensure they comply with the law.

1.  Determine Whether CCPA Applies to You

The first step is to determine whether CCPA applies to your business. It applies to any for-profit business that does business in California and meets one or more of the following criteria:

  • Has annual gross revenues above $25 million
  • Buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices
  • Earns more than half of its annual revenues from selling the personal information of California consumers

If CCPA applies to your business, then you need to take steps to ensure compliance.

2.  Identify the Personal Information You Collect and Store

The next step is to identify the personal information you collect and store. CCPA defines personal information as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

These include names, addresses, email addresses, phone numbers, social security numbers, driver's license numbers, and more. Once you've identified the personal information you collect and store, you need to take steps to protect this information.

CCPA requires businesses to take reasonable security measures to protect consumers' personal information from unauthorized access, destruction, use, modification, or disclosure. This includes encrypting personal information and ensuring that only authorized employees have access to this information.

3.  Audit Your Privacy and Information Security Framework

You must also audit your privacy and information security framework to ensure CCPA compliance. This includes ensuring you have a data retention policy, understanding how personal information is collected and used, and ensuring that consumers can exercise their rights under the law.

The CCPA gives consumers the right to know what personal information is being collected about them, the right to know how this information is being used, the right to have this information deleted, and the right to opt out of data sharing.

You must ensure that you have policies and procedures to address these rights.

4.  Involve all Teams and Departments

CCPA compliance is a team effort. It's important to involve all teams and departments in the CCPA compliance process, from the IT department to the marketing department.

Each team will have different CCPA-related responsibilities. For example, the marketing team will need to ensure that they're not collecting or using personal information in a way that CCPA prohibits. The IT team will need to ensure that personal information is properly secured.

5.  Develop a CCPA Compliance Plan

Once you've involved all teams and departments, you must develop a CCPA compliance plan. This plan should include the steps you're taking to comply, who is responsible for CCPA compliance, and how you will monitor compliance.

It's important to note that CCPA is a fluid law. It's constantly evolving, and new regulations can be added anytime. As such, it's important to regularly review your CCPA compliance plan and ensure it's up-to-date.

6.  Establish a Designated CCPA Roll Out Task Force

When preparing to become CCPA compliant, you can expect disruption at all levels of the organization. To ensure a successful CCPA rollout, it's important to establish a designated task force.

This CCPA task force should be responsible for developing and implementing the CCPA compliance plan. The task force should also be responsible for educating employees about CCPA and ensuring that all employees know their obligations under the law.

7.  Implement CCPA Compliance Policies and Procedures

Once you've developed a CCPA compliance plan, you must implement CCPA compliance policies and procedures. These policies and procedures should be designed to help your business comply with the law.

Some things you may want to include in your CCPA compliance policies and procedures include data retention policies, opt-out processes, and training programs.

8.  Treat Every Customer Like They are a California Resident

CCPA regulations apply to California residents. However, it does not make sense to have separate security frameworks if you also serve clients from outside the state or plan to do so. Therefore, you should treat every customer like they are a California resident to ensure CCPA compliance.

This involves ensuring that all personal information is properly secured and that only authorized employees can access this information. It also includes ensuring that consumers can exercise their rights under CCPA, regardless of their residence.

By doing so, you'll insulate the company from the hassle of adjusting to security frameworks from other states as they're implemented.

9.  Integrate CCPA Practices Into Your Culture

CCPA compliance should not be viewed as a one-time event. Instead, it should be integrated into your company culture. CCPA compliance should be an ongoing process that's regularly reviewed and updated as needed.

One way to do this is to make CCPA compliance part of your employee onboarding process. Doing so will help ensure that all new employees know and understand their obligations under the law.

By integrating CCPA compliance into your company culture, you can help ensure that CCPA compliance is treated as a priority and that employees are always aware of their obligations under the law.

10.  Conduct Regular Staff Training

As with other activities, employees will play a central role in your company's capacity to achieve and maintain CCPA compliance. It requires companies to take reasonable steps to ensure that employees understand CCPA and how it applies to their job functions.

One way to do this is by conducting regular CCPA training for all employees. This training should be designed to help employees understand CCPA and how it affects their day-to-day work.

By conducting regular staff training, you can help ensure that employees are always up-to-date on CCPA and that they understand their obligations under the law.

11.  Monitor CCPA Compliance

Finally, you need to monitor CCPA compliance. This includes regularly auditing your privacy and information security framework, ensuring that consumers can exercise their rights under CCPA, and monitoring changes.

By monitoring CCPA compliance, you can help ensure that your business remains compliant.

What Does CPRA Mean for CCPA?

In November 2020, Californians voted to approve Proposition 24, also known as the California Privacy Rights Act (CPRA). The CPRA amends CCPA in several key ways and goes into effect on January 2023.

One of the most significant changes is creation of a new enforcement agency, the California Privacy Protection Agency (CPPA). The CPPA will have the authority to investigate complaints, issue fines, and create regulations.

Another key change is the expansion of CCPA's private right of action. Under CCPA, only consumers whose non-encrypted or non-redacted personal information is subject to unauthorized access, and exfiltration, theft, or disclosure as a result of a business' violation could file a private right of action.

CPRA expands this private right of action to include any violation of CCPA, regardless of whether there is a risk of harm. Such a move means that more consumers will be able to sue companies for CCPA violations, and the potential damages will be higher.

Finally, CPRA strengthens CCPA's opt-out requirements. Under CCPA, businesses are required to provide a "Do Not Sell My Personal Information" link on their homepage.

CPRA goes a step further by requiring businesses to explicitly state in their privacy policies whether they sell consumers' personal information and what type of personal information they sell. If a business does sell personal information, it must also provide an opt-out button on every page where personal information is collected.

CPRA also gives consumers the right to opt out of the sale of their sensitive personal information, such as race, ethnicity, religion, and sexual orientation.

How Veritas Can Help

With concerns about data privacy increasing, you can expect more regulations to come up and existing ones to be updated. As such, you need to be more cautious and deliberate with how you handle consumer data.

Understandably, data compliance and governance can be intimidating, especially with emerging and evolving regulations. To begin with, you'll need an archiving capability that allows you to find relevant information quickly. In this regard, Veritas can help.

By leveraging the Veritas Digital Compliance portfolio, you'll gain greater visibility and control of data and regulations. It gives you the ability to capture, archive, and find relevant data from over 120 content sources. With this, you'll optimize data compliance and address any loopholes in your data governance.

Conclusion

The California Consumer Privacy Act is a groundbreaking law that gives consumers more control over their personal information. CCPA requires businesses to take steps to protect personal information and allows consumers to exercise several rights, including the right to opt out of the sale of their personal information.

But now, with CPRA on the horizon, you also need to start preparing for the new it. CPRA amends CCPA in several key ways and goes into effect on January 2023.

Contact us today to learn more about how we can help keep your organization in compliance.

 

Veritas customers include 95% of the Fortune 100, and NetBackup™ is the #1 choice for enterprises looking to protect large amounts of data.

Learn how Veritas keeps your data fully protected across virtual, physical, cloud and legacy workloads with Data Protection Services for Enterprise Businesses.