Passed in 2018, the California Consumer Privacy Act was the first comprehensive state-level consumer data privacy law in the U.S., and it has since inspired more than twenty-five other states to pass similar legislation, with more on the way.
The CCPA outlines several guidelines businesses must follow to collect, process, and use personal information from California residents and households.
Below, I describe the business obligations outlined by the CCPA, including who must comply, what information it protects, and how it impacts businesses and consumers.
What Is the California Consumer Privacy Act (CCPA)?
The CCPA is the original and the strictest state-level data privacy law in the U.S.
It outlines requirements and guidelines for the collection, use, and processing of personal data from people in California.
Sometimes called the ‘California GDPR’, this state-level law shares some similarities with the European General Data Protection Regulation, like granting similar rights to consumers.
But its scope is not as broad as the GDPR, and its guidelines are more business friendly.
CCPA Key Terms and Definitions
To help you better understand the CCPA, below I’ve provided some key terms and their definitions as they appear in the text of the law.
Whenever these terms are used throughout this guide, it’s with those definitions in mind.
Important Dates
The CCPA entered into force on January 1, 2020.
It was officially amended by the California Privacy Rights Act (CPRA) on January 1, 2023.
The CPRA amendments introduced new rights for users regarding their sensitive personal data and increased the data collection threshold of the law.
It also introduced the concept of data sharing, which users have the right to opt out of.
Who Does the CCPA Protect?
The CCPA protects the personal information of natural persons who are California residents as defined in Section 17014 of Title 18 of the California Code of Regulations.
Who Must Comply With the CCPA?
Any for-profit business that does business in California and meets one of the following thresholds must comply with the CCPA:
- Earned an annual gross revenue of $25,000,000 in the preceding calendar year
- Buys, sells, or shares the personal information of 100,000 or more Californian consumers or households
- Derives 50% or more of its annual revenue from selling or sharing Californian consumers’ personal information
Consumer Privacy Rights
The CCPA gives Californian consumers the following rights over their personal information:
- Request to access all data a business collects about them
- Request to correct inaccuracies in the data
- Request to delete their data
- Opt out of the selling or sharing of their data
- Opt out of having their data processed for targeted advertising
- Opt out of profiling
- Not to be discriminated against for exercising their privacy rights
They also have the right to pursue civil action against a business that collects their personal information if that data is leaked or illegally accessed.
CCPA Business Requirements
Below, I describe the primary business requirements outlined by the CCPA.
Privacy Policy Guidelines
The CCPA requires covered businesses to present consumers with a privacy policy that includes the following information:
- A description of consumers’ privacy rights
- Two or more ways for consumers to exercise their rights
- A list of the categories of personal data you collect
- Your purpose for collecting, selling, or sharing the consumers’ data
- The categories of third parties the data is shared with
- The date on which the privacy policy was last updated
You must update the policy at least once every 12 months, so include a ‘last updated’ date on your policy.
Your business must post and maintain the privacy policy through a link that contains the word “privacy” in it, such as “Privacy Policy.”
Keep old versions stored in an archive in case of a privacy audit.
Consent Management
Businesses under the CCPA must manage user consent preferences in a legally compliant manner for certain types of data processing.
For example, the law gives consumers the right to:
- Opt out of the selling or sharing of their data
- Opt out of targeted advertising
- Limit the use of their sensitive personal information
You should present users with a compliant cookie consent banner that links to a cookie policy, so they can read about the cookies your site deploys and choose whether to agree to their use.
The law also requires you to have the following links in the footer of your site leading to specific pages for Californians to follow through on their rights:
- “Do NOT sell or share my personal information”
- “Limit the use of my sensitive personal information”
You’re permitted to use a single link that leads to a form where users can exercise both opt-out rights.
Contractual Obligations
Businesses under the CCPA must use compliant agreements when they enter into a contract with a third party for the purposes of data processing.
Both parties must sign the contract, and it must include the following provisions:
- Specify that the personal data is sold/disclosed only for a limited, specific purpose,
- Obligate the third party to comply with the obligations and security requirements outlined by the CCPA,
- Grant the business rights to take reasonable steps to ensure the third party uses the personal information in a manner consistent with the CCPA requirements,
- Require the third party to notify the business if they determine they can no longer meet the CCPA requirements,
- Grant the business the right to take steps to stop and remediate unauthorized use of the personal information,
- Require the third party to implement reasonable security procedures to protect the information from unauthorized access.
Verifiable Consumer Requests
Businesses must have a process in place for verifying consumer requests to follow through on their privacy rights.
Technically, consumers can submit these requests through any channel they choose, including:
- An online web form
- Social media
- Phone
To verify their identities, compare the information they provide with the information you’ve already collected about them.
You shouldn’t ask for additional details unless it’s absolutely necessary.
It’s best to set up a workflow for receiving these requests, because your business must keep track of processed requests.
It also makes the process more straightforward for your consumers.
User-enabled Global Privacy Controls
Consumers under the CCPA are permitted to exercise their opt-out rights via user-enabled global privacy controls, and businesses must honor these requests.
For example, they can enable Global Privacy Control (GPC) in their browsers to signal that they want to opt out of targeted advertising.
The browser then sends this preference to your website’s consent management platform, which automatically respects the choice and prevents the associated cookies from being set.
To learn more, you can read the CCPA guidance notes provided by the California Attorney General’s office.
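The GPC handling described above, as an added example that is not Termly’s code or code from the original page. A browser sends the signal as the `Sec-GPC: 1` request header and exposes it to page scripts as `navigator.globalPrivacyControl`; the cookie categories, the shape of the stored banner choice and the sample cookies are assumptions made for illustration.

```javascript
// Added example: honoring the Global Privacy Control (GPC) signal in a consent
// decision. Categories and stored-preference shape are assumptions, not any CMP's API.
const CATEGORIES = ["necessary", "analytics", "targeted_advertising", "sale_or_sharing"];

// The CCPA opt-out rights that a GPC signal stands in for.
const GPC_OPT_OUT = new Set(["targeted_advertising", "sale_or_sharing"]);

// Server side: the GPC spec defines the `Sec-GPC: 1` request header.
// Header names are assumed lower-cased, as Node's `req.headers` does.
function gpcFromHeaders(headers) {
  const v = headers["sec-gpc"];
  return v !== undefined && String(v).trim() === "1";
}

// Client side: the spec exposes the same signal as `navigator.globalPrivacyControl`.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which categories may run. `stored` is the consumer's earlier banner choice
// (assumed shape: { analytics: true, targeted_advertising: false, ... }) or null.
// GPC is an opt-out request, so for the opt-out categories it wins even over an
// older opt-in recorded by the banner; other categories still follow the banner.
function resolveConsent({ gpc, stored }) {
  const allowed = { necessary: true }; // strictly necessary cookies need no consent
  for (const category of CATEGORIES) {
    if (category === "necessary") continue;
    const optedIn = Boolean(stored && stored[category] === true);
    allowed[category] = gpc && GPC_OPT_OUT.has(category) ? false : optedIn;
  }
  return allowed;
}

// Keep only the cookies whose category the decision permits. Each cookie is
// assumed to carry a `category` field from CATEGORIES.
function filterCookies(cookies, allowed) {
  return cookies.filter((cookie) => allowed[cookie.category] === true);
}

// Constructed sample: a visitor with GPC on whose old banner choice allowed everything.
const sampleCookies = [
  { name: "session_id", category: "necessary" },
  { name: "_site_stats", category: "analytics" },
  { name: "_ad_profile", category: "targeted_advertising" },
];
const sampleDecision = resolveConsent({
  gpc: gpcFromHeaders({ "sec-gpc": "1" }),
  stored: { analytics: true, targeted_advertising: true, sale_or_sharing: true },
});
console.log(filterCookies(sampleCookies, sampleDecision).map((c) => c.name));
```

With the sample above, only `session_id` and `_site_stats` survive: the GPC signal switches off targeted advertising and sale or sharing, while the analytics choice made on the banner is left untouched.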
Data Security Guidelines
The CCPA requires businesses to keep all collected personal data safe from illegal or unauthorized access, leaks, breaches, or other types of loss.
California users can pursue civil action against your business if their data is breached while in your possession.
The law doesn’t dictate how you must protect the data, but common methods include:
- Data encryption
- Firewalls
- Limiting access
- Protecting access to the data with passwords and multi-factor authentication
Penalties for Violating the CCPA
A CCPA violation can lead to the following fines:
- $2,500 per affected California resident for unintentional violations
- $7,500 per affected California resident for intentional violations
It’s enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General’s office.
Consumers also have a private right of action under California’s data privacy law.
They can pursue civil action against you if certain information about them is breached or accessed without authorization.
Using Termly for CCPA Compliance
Termly provides compliance solutions to help businesses simplify meeting the requirements outlined by the CCPA.
Our Privacy Policy Generator includes all the details required by the law. All you do is answer simple questions about your business honestly and indicate that you want your policy to be CCPA compliant.
It then generates a unique policy based on your answers, which you can embed on your website.
We also provide a Consent Management Platform that’s configurable to meet all the consent requirements outlined by the CCPA. It even features regional support settings specific to your California users.
It also comes with a free DSAR form that you can embed on your website so your users can more easily submit verifiable requests to follow through on their privacy rights.
Summary
The CCPA is one of the strictest consumer data privacy laws in the U.S.
Businesses under this law must ensure they have a compliant privacy policy and consent management platform configured to meet the opt-out requirements described by the law.
It’s also a best practice to add a DSAR form to your website to help users more easily follow through on their privacy rights.
To simplify CCPA compliance, sign up for Termly’s comprehensive suite of privacy solutions.