The digital world was shaken up on June 28, 2018 when the California Consumer Privacy Act of 2018 (CCPA) was passed by the state legislature, introducing the strictest data privacy and digital consumer rights law within US borders.
Following in the footsteps of the General Data Protection Regulation (GDPR), the CCPA brings the data privacy efforts forged by the EU into US legislation, setting the stage for a new era in American digital regulation.
But what exactly is the CCPA? Why has it been deemed the “California GDPR”? And what does it mean for your business?
1. California Consumer Privacy Act of 2018 (CCPA) Summary
By holding businesses accountable for data protection through strict guidelines and the threat of penalties, the new California privacy act is laying the foundation for US data privacy in 2021.
What is CCPA?
The California Consumer Privacy Act of 2018 (CCPA) is a data privacy law passed by the state of California on June 28, 2018. The law outlines new standards for data collection, new consequences for businesses that fail to protect user data, and new rights that California consumers can exercise over their data.
What are the CCPA regulations?
To help businesses understand how to comply with the CCPA, including how they must inform customers about their new rights, the California Attorney General drafted CCPA regulations that provide guidance on implementing the law. The CCPA regulations were initially introduced on October 11, 2019, and revised twice, on February 10, 2020 and March 11, 2020, before California’s Office of Administrative Law approved the final version on August 14, 2020. Each revision followed feedback from interested parties, including activists, California citizens, and industry representatives. Additional amendments to the CCPA regulations went into effect on March 15, 2021. It is important to follow the guidance in the CCPA regulations in addition to the CCPA itself, because a violation of the CCPA regulations constitutes a violation of the CCPA. You can review the current version of the CCPA regulations here.
When is the California Consumer Privacy Act effective date?
The CCPA has been in effect since January 1, 2020, and businesses are now required to comply with it. Companies enjoyed a grace period until July 1, 2020, at which point the California Attorney General was able to begin issuing fines for noncompliance. The CCPA regulations took effect immediately after the final version was approved on August 14, 2020, and additional amendments went into effect on March 15, 2021.
Who needs to worry about CCPA compliance?
According to section 9 (SEC. 9. 1798.140) of the bill, “businesses” that collect “consumer” data are required to comply with the CCPA. But how does the law define “business” and “consumer”?
Consumer — Under the CCPA, a “consumer” is defined as a California resident.
Business — The CCPA defines a “business” as a for-profit entity that collects “consumer” data and meets at least one of the following thresholds:
- Annual gross revenue over $25 million
- Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes
- Derives 50% or more of its annual revenue from selling consumer personal information.
It’s important to note that the CCPA applies to all businesses and parties, as defined above, that collect data from California residents — regardless of where the business itself is headquartered.
Given the breadth of the CCPA’s definitions of business and consumer, companies across all US states that collect user data and deploy cookies are likely to be required to comply with the CCPA. For example, tech companies such as Facebook, Microsoft, Samsung, Apple, and Amazon are subject to the CCPA.
2. The “California GDPR”
Shortly before the CCPA was signed into law, the General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The GDPR — with its extensive guidelines for handling user data and its worldwide reach — redefined data privacy regulation.
The following month, the California GDPR was passed, and with this privacy law, the US made its first effort to follow in the footsteps of the EU.
The CCPA has earned names like “California GDPR” and “GDPR Lite” because of its similarities to the GDPR. Both laws seek to:
- Grant users rights over their data through access, transfer, editing, and deletion requests
- Give consumers the ability to opt out of certain data-processing practices
- Establish greater consequences for businesses that fail to adequately protect data
- Shift accountability for data protection onto businesses that collect and handle user information
While the CCPA is notably lighter than its European counterpart, the consumer rights law introduces the goals of the GDPR to the US. See our CCPA vs GDPR infographic for more details on the differences between these laws.
3. CCPA Compliance — How to Meet CCPA Requirements
Hearing that the CCPA is California’s GDPR may send some business owners into a panic. Fortunately for those who must comply, the CCPA’s requirements are lighter, clearer, and easier to adopt than the lengthy requirements of the GDPR.
The CCPA primarily addresses four areas: access, user control, protection, and non-discrimination.
According to the CCPA text, Californians are now entitled to the following rights:
- To know what information is being collected about them
- To know if their personal information is sold or disclosed, and to whom
- To say ‘no’ to the sale of personal information
- To access their personal information
- To equal service and price, even if they exercise their privacy rights
But what exactly do these rights mean for businesses that collect, store, share, and use the information of California citizens?
Let’s break down each of these rights and how you, as a business owner, can comply:
Access
The California privacy act aims to give users greater access to the information that is collected from them, and to let them know how that information is treated and shared — bringing forth a culture of transparency around consumer data.
Under the CCPA, users have the right to request that businesses disclose to them the following:
- What information has been collected
- The sources from which that data was collected
- The business purposes for collection
- Whether that information is sold, and for what business purpose
- The third-party recipients of the data
You, on behalf of your business, need to be able and willing to divulge the above information to your users upon “verifiable request.” The information you relay should cover the last 12 months of data collection, sharing, use, and sale, as it applies to that consumer’s personal information.
According to the bill text, a “verifiable consumer request” is a request made by a consumer, a consumer on behalf of a minor, or a person legally authorized to act on behalf of a consumer, that addresses data verifiably collected from or about that consumer.
If you receive such a request, make sure to present the information to the user within 45 days, as per the guidelines of the CCPA.
Furthermore, any California consumer has the right to make such requests twice over the course of 12 months.
User control
In this age of increasingly severe techlash, new privacy laws — from the GDPR to the CCPA — notably serve to give users more control over their data. From making data-handling requests to opting out of data sale, users are given rights over their personal information that have never before been established on American soil.
Let’s dive into what you need to do to uphold these new rights and controls.
Honor consumers’ data requests
Not only do you need to honor a user’s request to access information about the data collected from them, but you also need to honor requests to delete that data entirely.
A request form can satisfy both the access and deletion aspects of user data management. Making such a form, link, or page available on your site will allow users to exercise any right they have over their data — and keep you off the Attorney General’s radar.
Allow users to opt out of the sale of their data
According to Section 1798.120 (a) of the California Consumer Privacy Act official text:
A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.
Businesses that sell personal information must therefore provide a “Do Not Sell My Personal Information” link on their website. This link should take the user to a page that allows them to opt out of the sale of their personal information.
Implement data sale opt-in for consumers under 16 years old
While most users are granted the right to opt out, as detailed above, those under the age of 16 are explicitly given the “right to opt in.”
Section 1798.120 (d) states:
A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, […], has affirmatively authorized the sale of the consumer’s personal information
Protection
As we cover below in the penalties section, consumers now have the right to sue over a loss of privacy resulting from a data breach.
Keeping consumer data safe and secure largely comes down to caution and organization.
Data is a precious commodity, and the damages your business can face for failing to keep it safe are loftier than ever.
Make an effort to audit your data, evaluate the procedures with which you handle it, and adjust your strategies accordingly to maximize protection. Now more than ever, it’s your responsibility — as a business — to protect your users’ data.
Non-discrimination
The CCPA text states:
A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under the title
But what exactly constitutes discriminatory practices against users who choose to opt out?
According to the CCPA, such actions include, but are not limited to:
- Denying goods or services
- Charging differential prices (including through the use of discounts, penalties, or price benefits)
- Offering a different quality of goods or services to those who exercise their rights than those who do not
- Suggesting that the consumer will receive differential prices or qualities in the event that they exercise their rights
The act does present a caveat to the above, noting that a business can, in fact, offer different prices or qualities of goods and services “if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”
While this allows businesses some wiggle room in how they may incentivize users to relinquish control of their data, we recommend proceeding with caution in this undertaking, given the high risk of consumer backlash.
4. CCPA Amendments
Due to the circumstances surrounding the passing of the bill, the text was subject to change up until its 2020 institution date. Privacy advocates and tech giants were locked in head-to-head battle over clauses outlined in the California privacy law.
While some groups fought for stricter requirements and more expansive consumer rights, others worked to produce loopholes in the law.
You can view proposed amendments with the International Association of Privacy Professionals (IAPP) California privacy legislation tracker.
5. CCPA Penalties
Given that the act is a piece of state legislation, enforcement ultimately resides with the California Attorney General’s office. The CCPA also allows for private lawsuits in some limited circumstances.
Before any formal enforcement action can take place, the CCPA provides that a business must first be given notice of the violation. The business then has a 30-day “right to cure” those violations upon receipt of notice. If the business fails to fix the violations and remains non-compliant, it will likely face penalties.
As for the penalties that non-compliant businesses face, there are potential fines of $750 per person, per violation.
While this number immediately reads as much less than the multi-million-dollar fines threatened by the GDPR, large-scale data breaches or audience-wide data handling violations could easily add up to a detrimental chunk of change for a company to fork over.
For example, a business with just 1,300 consumers whose data is breached is subject to nearly a million-dollar fine.
Furthermore, the act allows for California consumers to file lawsuits that aren’t based on an evidentiary loss of money or property, but rather, on claims of loss of privacy.
Traditionally, lawsuits are founded on proof of damages. This not being the case under the CCPA has, in itself, sparked contention and concern from data-reliant companies.
6. CCPA California Attorney General Enforcement Updates
As mentioned above, CCPA enforcement started six months after CCPA went into effect.
Starting July 1, 2020, the California Attorney General’s office began sending out letters to businesses believed not to be in compliance with CCPA.
On July 19, 2021, after about a year of enforcement action, the California Attorney General’s office provided helpful information on its website about how the first year of enforcement went, and published a list of enforcement case examples that help businesses understand the Attorney General’s enforcement priorities. The office also introduced a new interactive privacy tool that consumers can use to notify businesses of potential violations. The tool allows consumers to draft their own notice of noncompliance to send to businesses that may have violated the CCPA by failing to post an easy-to-find “Do Not Sell My Personal Information” link on their website in cases where the CCPA requires one.
That means consumers have a new way to keep tabs on the privacy practices of the businesses they engage with, and a new way to hold them accountable in some cases. As such, it is more important than ever to review your business’s data processing activities, confirm whether or not you are subject to CCPA, and if you are subject to CCPA, whether you are required to have a “Do Not Sell My Personal Information” link on your website.
If you receive notice of noncompliance from a California consumer, you may need to fix any potential violations quickly, as it is possible the California Attorney General may find this notice to serve as your 30-day notice to cure.
While the CCPA was passed in haste, and interpretations of the text remain to be seen, the law takes an important step forward in introducing new data rights to users.
This new measure, compounded with the data rights and privacy efforts ushered in by the GDPR, is substantially changing the way businesses operate online.
Now is the time to put compliance measures in place, and be vigilant in how you collect, use, sell, and share consumer data — or face the consequences.
8. CCPA FAQs
- Who must comply with the CCPA?
- What are the penalties for violating the CCPA?
- Are cookies personal information under the CCPA?
- How is the CCPA enforced?
- What data is covered by the CCPA?
- What is a sale under the CCPA?
- What is considered personal information under the CCPA?
- How do I become CCPA compliant?
- Does the CCPA apply to businesses outside of California?
- When did CCPA go into effect?
- How does CCPA define consumer?
- Who is exempt from CCPA?
- Who is a third party under CCPA?