What is the CCPA (California Consumer Privacy Act)?
The CCPA (California Consumer Privacy Act) is a data privacy law that took effect on January 1, 2020 in the State of California.
It applies to businesses that collect California residents’ personal information, and its privacy requirements are similar to those of the EU’s GDPR (General Data Protection Regulation).
Who does the CCPA apply to?
The CCPA applies to any legal entity that does business in the State of California (regardless of where they are located), collects consumers’ personal information, and:
- Has $25 million or more in gross annual revenue;
- Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices a year; or
- Derives 50% or more of its annual revenue from selling consumers’ data.
What are consumers' rights under the CCPA?
The CCPA grants California residents (‘consumers’) four privacy rights, which businesses must facilitate:
1. The right to be informed (Sections 1798.100, 1798.110, and 1798.115)
At or before the point of collection, businesses that collect consumers’ personal information must inform them of:
- The categories of personal information they will collect; and
- The purposes for which the personal information will be used.
Within 45 days of receiving a verifiable consumer request, businesses that collect consumers’ personal information must inform them of:
- The categories of personal information they have collected;
- The categories of sources from which they collected the personal information;
- The business or commercial purpose for which they collected the personal information; and
- The categories of third parties with whom the personal information has been shared.
Businesses that sell consumers’ personal information, or disclose it for a business purpose, must inform them of:
- The categories of personal information they have collected;
- The categories of personal information they have sold and the categories of third parties to whom they sold it;
- The categories of personal information they have disclosed for a business purpose; and
- The business or commercial purpose for which they sold the personal information.
2. The right to access/data portability (Section 1798.100)
Upon receiving a verifiable consumer request to access their personal information, businesses that have collected it must “promptly take steps to disclose and deliver” it to the consumer.
Businesses are not required to provide this information more than twice in a 12-month period.
The information must be provided free of charge, and can be delivered electronically or by mail. If provided electronically, the information should be in a portable format that allows the consumer to transmit it to another entity.
3. The right to deletion (Section 1798.105)
Upon receiving a verifiable consumer request, businesses must delete the consumer’s personal information, unless it is necessary to retain it to:
- Complete a transaction, provide goods or services, or otherwise perform a contract between the business and the consumer;
- Detect security incidents or protect against malicious activity;
- Debug to identify and repair errors;
- Ensure the exercise of free speech or another right provided by law;
- Comply with the CalECPA (California Electronic Communications Privacy Act);
- Engage in scientific, historical, or statistical research – subject to consumer consent;
- Enable “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business”;
- Comply with a legal obligation; or
- Otherwise use it, internally, “in a lawful manner that is compatible with the context in which the consumer provided the information”.
4. The right to opt out (Section 1798.120)
Consumers have the right to direct businesses not to sell their personal information to third parties.
Businesses must notify consumers if they sell their personal information to third parties, and inform them of their right to opt out of the sale of their personal information via a “clear and conspicuous link” on the business’s homepage titled “Do Not Sell My Personal Information”.
Businesses must not sell information relating to under-16s unless they or, in the case of under-13s, their parents or guardians have opted in.
Consumers must not be discriminated against for exercising these rights (Section 1798.125).
We're here to help
Whether you’re looking to educate your employees about the CCPA through our online training course, or assess your organization’s current level of compliance with the Act and help identify key work areas that you must address to be compliant, IT Governance has a solution for you.
The CCPA vs the EU GDPR
The CCPA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation). Just like the GDPR, the CCPA gives people more control over their personal data, and holds businesses more accountable for protecting the data they collect and process.
However, there are many differences between the two laws, so even if your organization complies with the GDPR, it might not meet certain CCPA requirements.
Definitions of key terms used in the CCPA
Business: a for-profit legal entity that collects personal information, or on whose behalf personal information is collected, and:
- Has an annual revenue of more than $25 million;
- Annually buys, receives, sells, or shares 50,000 or more consumers’, households’, or devices’ personal information; or
- Derives 50% or more of its annual revenue from the sale of personal information.
Collection: buying, renting, gathering, obtaining, receiving, or accessing personal information.
Consumer: a natural person who is a resident of California as defined in Section 17014 of Title 18 of the California Code of Regulations.
Personal information: any “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device”. This includes:
- Names, aliases, postal and email addresses, unique personal identifiers, account names, social security numbers, driver’s license numbers, passport numbers, etc.
- Biometric data
- Internet or other electronic network activity information
- Geolocation data
- Psychometric information
- Professional or employment-related information
Publicly available information – i.e. “information that is lawfully made available from federal, state, or local government records” – is not included in this definition.
CCPA enforcement and penalties
California’s Attorney General can bring injunctions against non-compliant businesses if they fail to address their non-compliance within 30 days of being notified. Civil penalties are capped at $2,500 per violation, or $7,500 for intentional violations.
In addition, consumers may bring a civil action to recover between $100 and $750 in damages, or actual damages (whichever is greater); injunctive or declaratory relief; or “any other relief the court deems proper”. Again, they must wait 30 days after serving written notice to allow the business to address any violation of the law.
What are the benefits of CCPA compliance?
The CCPA introduces greater visibility and responsibility when it comes to collecting and processing consumers’ personal data, and brings many benefits, including:
- Greater customer trust
- Enhanced brand image and reputation
- Improved data governance
- More robust information security
- Increased competitive advantage
CCPA compliance solutions from IT Governance
IT Governance, a leading global provider of IT governance, risk management, and compliance solutions, is at the forefront of helping businesses address the challenges of CCPA compliance.