CCPA: California Consumer Privacy Act Explained

On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) became the law in California. This law created the strictest data privacy and digital consumer rights law in the US.

‌Following in the footsteps of the General Data Protection Regulation (GDPR) of the European Union, the CCPA brings data privacy efforts forged by the EU into US legislation, setting the stage for a new era in American digital regulation.

‌But what exactly is the CCPA, and what are CCPA requirements? Why have people called it the “California GDPR?” What is CCPA compliance? How are the CPRA, regulations, and court cases shaping the CCPA? And what does it all mean for your business?

Let’s find out.

Table of Contents

1. What is CCPA (California Consumer Privacy Act of 2018)?
2. The “California GDPR”
3. California Privacy Rights Act of 2020 (CPRA)
4. CCPA Compliance — How to Meet the Law's Requirements
5. CCPA Amendments
6. CCPA Penalties and Fines
7. CCPA California Attorney General Enforcement Updates
8. Conclusion

1. What is CCPA (California Consumer Privacy Act of 2018)?

By holding businesses accountable for data protection through strict guidelines and threatening consequences, the California Consumer Privacy Act sets the foundation for US data privacy in 2021.

The California Consumer Privacy Act of 2018 (CCPA) is a data privacy law that outlines standards for data collection, consequences for businesses that cannot protect user data, and rights that California consumers can exercise over their data.

What are the CCPA regulations?

To help businesses understand CCPA compliance, including instructions for companies to inform customers about their new rights, the California Attorney General drafted CCPA regulations to provide guidance on how to implement the law.

The AG initially introduced these regulations on October 11, 2019, and revised them three times on February 10, 2020, March 11, 2020, and March 15, 2021, before California’s Office of Administrative Law approved the final version. Each revision followed feedback from interested parties, including activists, California citizens, and industry representatives.

It is important to follow the guidance in the regulations in addition to the law itself because a violation of the regulations constitutes a violation of the law. You can review the current version of the CCPA regulations.

When is the California Consumer Privacy Act effective date?

The CCPA has been in effect since January 1, 2020.

However, companies were given a grace period until July 1, 2020, at which point the California Attorney General began issuing fines for noncompliance. The regulations took effect immediately after the final version was approved on August 14, 2020, with additional amendments going into effect on March 15, 2021. 

The new California Privacy Rights Act of 2020 will go into effect on January 1, 2023.

Who needs to worry about CCPA compliance?

According to section 9 (Sec. 9. 1798.140) of the bill, “businesses” that collect “consumer” data are subject to CCPA compliance. But how does the law define “business” and “consumer”?

Let’s take a look.

Consumer — A “consumer” is a California resident.

Business — A “business” is a for-profit entity that collects “consumer” data and meets at least one of the following thresholds:

It’s important to note that the CCPA applies to all businesses and parties, as defined above, that collect data from California residents — regardless of the headquarters of the business itself. In addition, businesses that deal with the information of 4 million or more consumers have additional responsibilities under the law.

Given the breadth of the California Consumer Privacy Act’s definition of business and consumer, companies across all states that collect user data and deploy cookies have a high chance of having to comply with the law.

For example, tech companies such as Facebook, Microsoft, Samsung, Apple, and Amazon are subject to CCPA compliance.

What data does the CCPA protect?

Businesses must protect consumer data as part of CCPA compliance.

A business must show that they are protecting records that consumers agree to share with them. They must also stop collecting and sharing personal data when consumers decline or remove permission.

According to the CCPA, protected data includes:

• Names, addresses, phone numbers
• Email addresses, IP addresses, passwords
• Age, income, education, political affiliations
• Driver’s licenses, social security numbers
• Account names and numbers, browsing history, geolocation data
• Commercial information and other identifiable information

The California Privacy Rights Act of 2020 (CPRA) will create a broader range of individual privacy rights, including adding the right to correction and expanding the right to delete. In addition, businesses must now notify third parties who access the data to delete it as well.

This new law also protects “sensitive data,” a new category. Sensitive, personally identifiable information distinguishes between information marked “sensitive” and information that is not.

Sensitive data includes:

• Race, ethnicity, religion
• Biometrics, health, sex life
• Content of mail, email, and text messages
• Debit and credit card numbers and login data
• Audio, electronic, visual, or thermal information
• Inferences drawn from this information to create consumer profile recording preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

2. The “California GDPR”

‌The General Data Protection Regulation (GDPR) came into effect on May 25, 2018, throughout the EU. The GDPR — with its extensive guidelines for handling user data and its worldwide reach — redefined information privacy regulation.

The following month, California passed its privacy law as a ballot initiative. With this privacy law, the US made its first effort to follow in the footsteps of the EU. The CCPA has earned names like “California GDPR” and “GDPR Lite” because of its similarities to the GDPR.

Both laws seek to:

• Grant users rights over their data through access, transfer, editing, and deletion requests
• Give consumers the ability to opt-out of certain data-processing practices
• Establish greater consequences for businesses that do not protect records adequately
• Shift accountability for data protection onto businesses that collect and handle user information‌

While the CCPA of California is notably lighter than its European counterpart, the consumer rights law introduces the goals of the GDPR to the US. See our CCPA vs GDPR infographic for more details on the differences between these laws.

3. California Privacy Rights Act of 2020 (CPRA)

Made into law in 2020, the CPRA goes into effect on January 1, 2023. 

In addition to expanding the types of data protected, the CPRA creates new rights, including the right to rectification, where the consumer has more power to correct inaccurate information. Furthermore, the new right to restriction gives consumers the ability to limit the use and disclosure of sensitive data.

For businesses, the law will change the threshold of 50,000 customers to 100,000 customers. Businesses also get a trade secrets exemption.

A new enforcement agency is created

The CPRA created a new agency, the California Privacy Protection Agency (CPPA), to oversee consumer privacy. The CPRA allows the agency to:

• Fine businesses that don’t comply with the law
• Hold hearings
• Clarify and answer questions about the privacy guidelines

One major complaint about the CCPA is that a lot of the details of the law were vague and open to interpretation. The CPRA clarifies many existing points within the CCPA. It also created the CPPA and gave them the power to clarify the law and its regulations. This agency also has the power to update privacy laws as circumstances change.

Other changes include:

• Coverage of sharing (not only selling) information
• Greater protections for children
• Privacy rights for employees and independent contractors
• Bar on businesses’ future attempts to avoid the law, enforceable by the CPPA
• Removal of the 30-day time period for businesses to fix problems
• Limits to the legislature’s ability to make amendments to the law
• Changes many definitions under the law
• Exempts publicly available information
• Brings “contractors,” people who buy and use information, under the law with reporting requirements

4. CCPA Compliance — How to Meet the Law’s Requirements

Hearing that the CCPA is California’s GDPR may send some business owners into a panic. Fortunately, for those subject to comply, CCPA requirements are generally easier to meet than the European plan, even after the additional requirements of the CPRA.

CCPA compliance primarily addresses four areas: access, user control, protection, and non-discrimination. But what exactly do these rights mean for businesses that collect, store, share, and use the information of California citizens?

According to the CCPA text, Californians are now entitled to the following rights:

• To know what information is being collected about them
• To know if their personal information is sold or disclosed, and to whom
• To say “no” to the sale of personal information (or say “yes” if between 13 and 16 years old)
• To access and delete personal information
• To equal service and price, even if they exercise their privacy rights

Now California consumers can ask what information you have about them. Many websites offer users a contact form that can get filled out with the data request details.

Let’s break down each of these rights and how you, as a business owner, can comply.

Transparency

The CCPA aims to give users greater access to the information that is collected from them. Consumers can now know how businesses treat and share that information — creating a culture of transparency around consumer data. Under the CCPA, consumers may request that businesses disclose to them:

• Information collected
• Sources of the collected records
• Business purposes for collection
• If the business sells information, and for what purpose
• Third-party recipients of the files

Access to Data

You, on behalf of your business, need to be willing to divulge the above information to your users within 45 days upon “verifiable request.” The information you relay should cover the last 12 months of data collection, sharing, use, and sale, as it applies to that consumer’s personal information.

Here are CCPA requirements for businesses that collect consumer data:

• Let consumers know that data is collected.
• Allow consumers to opt-out and make privacy settings visible.
• Respond to consumer requests quickly.
• Double-verify identities of customers who want to check or delete their information.
• Tell the consumers what money you earn from data and what it is worth.
• Maintain records for two years.‌

According to the bill text, a “verifiable consumer request” is a request made by — a consumer, a consumer on behalf of a minor, or a person legally allowed to act on behalf of a consumer — that addresses records verifiably collected from or about that consumer.

User Control Over Data

In this age of increasingly severe mistrust in technology companies, new privacy laws — from the GDPR to the CCPA — notably give users more control over their data. From making data handling requests to having the ability to opt-out of data sales, the law provides users rights over their personal information that is new to the United States.

Let’s explore what you need to do to uphold these rights and controls.

Honor consumers’ data requests

You need to honor a user’s request to access information about the records collected from them. You also need to honor requests to delete that information entirely.

A DSAR (Data Subject Access Request) form can satisfy both the access and deletion aspects of user data management. Making such a form, link, or page available on your site will allow users to exercise any right they have over their data, comply with CCPA requirements, and keep you off the Attorney General’s radar.

Allow users to opt-out of the sale of their data

According to Section 1798.120 (a) of the California Consumer Privacy Act official text:

A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.

Not only are users allowed to refuse the sale of their data, but you need to advertise this right clearly through a conspicuous link on your homepage and in your California privacy policy, which reads: “Do Not Sell My Personal Information.” However, a recent study found that only 21.4% of businesses used this wording by the end of 2020. And 31% of retailers do not include any link.

This link should take the user to a Do Not Sell My Personal Information page that allows them to opt-out of the sale of their personal information.

Implement data sale opt-in for consumers between 13-16 years old

While the law grants most users the right to opt-out, as detailed above, it explicitly gives those under the age of 16 the “right to opt-in.”

Section 1798.120 (d) states:

A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, […], has affirmatively authorized the sale of the consumer’s personal information.

Non-discrimination

The CCPA text states:

A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under the title.

But what exactly constitutes discriminatory practices against users who choose to opt-out?

According to the California law, such actions include, but are not limited to:

• Denying goods or services
• Charging different prices (including the use of discounts, penalties, or price benefits)
• Offering a different quality of goods or services
• Suggesting that the consumer will receive differential prices or qualities if they exercise their rights

As a caveat, a business can offer different prices or qualities of goods and services “if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”

The law allows businesses some wiggle room in how they may reward users who relinquish control of their data. However, proceed with caution, given the high risk of consumer backlash.

Protection of Data

Consumers now have the right to sue over a loss of privacy resulting from a data breach.

Keeping consumer records secure comes down to caution and organization. Data is a precious commodity, and the damages your business can face for failing to keep it safe are bigger than ever.

Audit your data, evaluate the procedures with which you handle it, and adjust your strategies accordingly to maximize protection. It is your responsibility — as a business — to protect your users’ records.

The CCPA creates exemptions for some types of consumer information.

For example, the law exempts aggregate and de-identified consumer information that is not tied to a consumer or household. It also exempts types of information covered by specific other laws.

The law also excludes a set of particular business processing procedures.

What does this look like on a website?

What does CCPA compliance look like? Major CCPA requirements are shaping website operations.

Data Cookies

In regards to cookies, the CCPA takes some cues from the EU’s Cookie Law. CCPA compliance applies to the cookies that websites add to your computer. Companies must acknowledge that the data they get from cookies is not theirs, and consumers have a right to control their cookies.

A cookie policy must be easy to understand and locate on the website — allowing the consumer to opt-in and opt-out. The law makes a small exception for “essential cookies” necessary for the website to operate.

Privacy Policies

Companies must disclose and explain their privacy policies to their consumers. The privacy laws list the information to be disclosed and require that the business updates and communicates that information yearly. The policy must allow consumers to accept or decline.

5. CCPA Amendments

Privacy advocates and tech giants were locked in a head-to-head battle over clauses outlined in the California privacy law. While some groups fought for stricter requirements and more expansive consumer rights, others worked to produce loopholes in the law.

Recent amendments cover health and business records. You can view proposed amendments with the International Association of Privacy Professionals (IAPP) California privacy legislation tracker.

6. CCPA Penalties and Fines

The California Attorney General’s office and the new CPPA are in charge of enforcement. The CCPA also allows for private lawsuits in some limited circumstances.

Before any formal enforcement action can occur, the law provides that a business must first be provided with notice of a violation before taking action. Formerly, businesses had a 30-day “right to cure” those violations, but the CPRA will end that in 2023. If a business fails to fix the violations, it will likely face penalties.

Large-scale data breaches or audience-wide data handling violations can add up to a detrimental chunk of change. For example, a business with just 1,300 consumers whose data gets breached is subject to nearly a million-dollar fine.

The law allows California consumers to file lawsuits that aren’t based on loss of money or property but, instead, on claims of loss of privacy. Traditionally, lawsuits are founded on proof of damages. This, not being the case under the CCPA, has sparked contention and concern from data-reliant companies.

7. CCPA California Attorney General Enforcement Updates

CCPA enforcement started six months after the law went into effect.

Starting July 1, 2020, the California Attorney General’s office began sending out letters to businesses believed not to be in compliance with CCPA.

On July 19, 2021, after about a year of enforcement action, the California Attorney General’s office provided helpful information on its website about how the first year of enforcement went. In addition, they published a list of enforcement case examples, which will help businesses understand what the California Attorney General focuses on regarding enforcement.

The office also introduced a new privacy interactive tool for consumers to notify businesses of potential violations. The tool allows consumers to draft their own notice of noncompliance to send to businesses that may have violated the CCPA by failing to post an easy-to-find “Do Not Sell My Personal Information” link on their website in cases where it would be required to do so.

That means consumers have a new way to keep tabs on the privacy practices of the businesses they engage with and a new way to hold them accountable in some cases. As a result, it is more important than ever to review your business’s data processing activities, confirm whether you are subject to the CCPA and whether the law requires you to have a “Do Not Sell My Personal Information” link on your website.

Some California consumers have filed class-action lawsuits against businesses, taking enforcing compliance with the law into their own hands. The law otherwise limits private suits to when the business lacks adequate security and leaks the customer’s personal information.

8. Conclusion

While the California Consumer Privacy Act was passed in haste, and interpretations of the text remain to be seen, the law takes an important step forward in introducing new data rights to users. The CPRA enhances this law, fixing some problems and adding more protections.

These laws, compounded with the data rights and privacy efforts ushered in by the GDPR, are substantially changing the way businesses operate online. Other states are considering and enacting their own privacy bills. Some mirror the California laws, and others do not. Because of this mix of different laws, people are pushing Congress to design and enact a national privacy law, standardizing content and making it easier to do business online.

Now is the time to put CCPA compliance measures in place, and be vigilant in how you collect, use, sell, and share consumer data — or face the consequences.