The CCPA is California’s data privacy law and has transformed how businesses collect their website users’ data since it took effect in January 2020.
Businesses that serve California residents must comply with the CCPA’s mandated data protection rules or face harsh penalties for noncompliance.
A business must be the entity that determines the purpose and method used to process personal information and meet one of the following criteria:
The focus of the CCPA is not on California businesses; instead, the focus is on protecting California residents. Therefore, any business that collects and processes the personal information of California residents falls under the purview of the CCPA.
This means a business on the other side of the world, in Asia or Europe, could be subject to the CCPA if it collects the personal information of Californians.
This private right of action is the right to initiate civil action against a business that failed “to implement and maintain reasonable security procedures and practices” which caused the consumer to suffer damages.
Damages recovered are set in the amount of at least $100 and not more than $750 per consumer per incident or actual damages, whichever is higher.
A business can also be held liable by the state (Section 1798.155).
The California Attorney General can hold a business civilly liable for no more than $2,500 per violation or $7,500 for each intentional violation.
These penalties can accumulate quickly.
For example, if a business violated the CCPA rights of 10,000 consumers and the injured consumers bring a civil suit, they could be liable for $7,500,000. If the California AG brings the suit, the business could face penalties of $25,000,000 or $75,000,000.
The CCPA has conferred specific rights to consumers. These rights concern the control consumers maintain over their personal information and include the following:
A consumer has the right to request that the business disclose to them what personal data it collected, used, shared, or sold about them. The business must also state the reason why it used the personal information.
When asked, businesses must provide the consumer with this information for the prior 12-month period.
A consumer has the right to request that a business delete any of the personal information (with a few exceptions) collected from the consumer. Once notified, the business has 45 days to respond. The response period can be extended up to 90 days under certain conditions.
A consumer has the right to request that a business stop selling their personal data. This is also called the right to “opt-out.” After receiving this request, the business cannot sell the consumer’s personal data without receiving consent.
The opt-out request has a lifespan of 12 months. After that period, a business can ask the consumer to opt in again.
A business is not permitted to sell a consumer’s personal information if the business has “actual knowledge” that the consumer is under 16 years old. A business is only permitted to sell this information if the consumer “opted-in.”
Under the CCPA, consumers between the ages of 13 and 16 can opt-in to the selling of personal information, while parents or guardians must opt-in for a child under 13.
A business cannot discriminate against a consumer because the consumer exercised a right given to them under the CCPA.
For example, if a consumer exercises their right to opt-out of the selling of their personal information, the business cannot offer substandard service or substandard products to the consumer. Nor can a business charge different prices or deny service because a consumer exercised this right.
The right to opt-out is conferred to consumers under the CCPA. A consumer can request that a business not sell their personal information to third parties.
The opt-out link must be “clear and conspicuous” and easily accessible on the business’s website or app. It must take the consumer to a webpage where they are allowed to opt out of the sale of their personal information.
Under the CCPA, personal information is defined as information that identifies, relates to, describes, or could be linked or associated with a consumer or household, and can include the following:
To support consumers’ ability to take active steps to control their personal information, the CCPA notice requirements mandate that businesses disclose which categories of personal information they share with or sell to third parties, and why.
The CCPA requires you to provide a notice of collection to consumers, explaining what personal information you collected from them in the past 12 months.
Companies must disclose the categories of personal information they collected about the consumer. The categories include the following:
If there is some personal information collected that does not seem to fit in any category, it must still be disclosed to be fully compliant.
Businesses must also disclose the sources from which personal information is collected. Examples of common sources include:
Businesses must disclose the business purpose of collecting or selling personal information of California residents.
Lastly, businesses must disclose the categories of third parties with whom the personal information is shared. Some examples of third parties include:
A business is not required to provide this information to the same consumer more than twice in a 12-month period.
The CCPA is not alone in the data privacy legal sphere. Other countries have enacted similar laws to protect the personal information of their residents.
This section will cover the CCPA and other data privacy laws and highlight some major differences and similarities between them.
One of the main differences between the CCPA and the other data privacy laws, like the GDPR, is user consent.
The CCPA, on the other hand, does not mandate consent before data collection. Instead, consumers can exercise their right to opt out of data collection.
The GDPR, on the other hand, protects anyone who resides in the European Union, Iceland, Norway, Liechtenstein or Switzerland.
For example, a student studying abroad for a semester is temporarily in the EU, so they are covered under the GDPR. Residency does not matter; being located inside the EU is sufficient to be covered under the GDPR.
The other data privacy laws are more similar to the GDPR. For example, the LGPD protects individuals located in Brazil and doesn’t differentiate between permanent and temporary residents.
Thus, the CCPA protects a much narrower group of people.
Any business, regardless of location, can be subject to the CCPA if it is a for-profit company that processes data of California residents and meets the criteria we outlined in an earlier section.
The GDPR, on the other hand, applies to any entity that processes personal data. This includes all for-profit companies, non-profit companies, and even governmental bodies if they process data of individuals in the EU.
POPIA and LGPD also apply to both the private and public sectors.
Like the CCPA, PIPL and PIPEDA apply only to the private sector.
The CCPA and other data privacy laws are changing how businesses collect data. As a result, consumers have more power than ever, so transparency is vital and helps them understand how you collect and use their personal data.