The California Consumer Privacy Act (CCPA) is a bill that was passed into law in June 2018 with the goal of enhancing privacy rights and consumer protection for residents of California. The CCPA took effect on January 1, 2020. You can find the full text of the CCPA regulation on the California Legislative Information page. The CCPA is part of a broader set of data privacy laws aimed at protecting consumers' personal information.
Overview of the CCPA
Definition and Purpose
The California Consumer Privacy Act (CCPA) is a comprehensive data privacy law enacted in 2018 to safeguard the personal information of California residents. This landmark legislation aims to provide consumers with greater control over their personal information, fundamentally changing how businesses handle data. The CCPA establishes privacy as an inalienable right, ensuring that consumers have the power to manage their personal information.
The law applies to for-profit businesses operating in California that collect personal information from its residents. It grants consumers several rights, including the right to know, the right to delete, and the right to opt out of the sale of personal information, specifically addressing the issue of selling consumers' personal information. In doing so, the CCPA sets a new standard for data privacy law, emphasizing transparency and consumer empowerment.
Scope and Applicability
The CCPA also extends to entities that control or are controlled by a business that meets the thresholds described below, as well as entities that share common branding with such a business.
The CCPA’s scope is broad, covering not only online activities but also offline practices. It applies to personal information collected from California residents, including information gathered through websites, mobile apps, and offline interactions. Additionally, the CCPA governs the sharing of personal information with third parties, including service providers and contractors. This comprehensive approach ensures that the personal information of California residents is protected across various contexts and interactions.
Does my business need to comply with the CCPA law?
The CCPA applies to organizations that process personal data of a California consumer, where:
- A California consumer is a natural person who is a California resident.[1]
- Personal information is information that identifies a particular consumer or household.[2]
and that meet at least one of the following thresholds:
- Gross annual revenue is more than $25 million.
- The business processes information about 50,000 or more households, consumers or devices.
- The business earns 50% or more of its annual revenue from selling California residents' personal information.[3]
- Or the business controls, or is controlled by, a business that meets one of the above criteria.
Businesses must also address inaccurate personal information upon receiving verifiable requests from consumers, ensuring adherence to privacy regulations.
Why was the California Consumer Privacy Act Established?
The CCPA reflects the State of California's governing bodies recognizing that information (data), and how it is used and protected, has a meaningful impact on the lives of its citizens. Data breaches have been a significant factor in the establishment of the CCPA to enhance data protection: businesses can face significant fines, and consumers have the right to sue if their personal information is compromised in a data breach due to the organization's failure to maintain adequate security measures. When some information about a person is made public by accident (information leak) or on purpose (misuse), or is used in a way the person did not intend, the result can be emotional stress and financial hardship for that person.
How is Personal Information and Sensitive Personal Information Defined by the CCPA?
The CCPA defines Personal Information as non-public information that "…identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." (1798.140(o)(1-2)). Examples of Personal Information are name, email address, IP address, and also internet activity such as browsing history. The CCPA also protects sensitive personal information, which includes various identifiers and sensitive attributes. Each regulation has its own definition of personal information, so it is important to know how it is defined in the CCPA (for example, Personal Information is defined differently in the CCPA than personal data is defined in the GDPR, which covers the personal data of EU citizens). Unlike the Fair Credit Reporting Act, which focuses on credit information, the CCPA covers a broader range of personal information.
Sensitive Personal Information
Sensitive personal information (SPI) is a subset of personal information that is subject to additional protections under the CCPA. SPI includes data that reveals a consumer’s racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric data, and other sensitive attributes. It also encompasses personal data collected from a consumer’s device and information obtained through single sign-on services.
Businesses that collect, use, or disclose SPI must provide consumers with explicit notice and obtain their consent before processing this data. Consumers have the right to limit the use and disclosure of their SPI, and businesses are obligated to respect these preferences. Furthermore, the CCPA mandates that businesses maintain reasonable security procedures to protect SPI from unauthorized access, disclosure, or misuse. This ensures that sensitive personal information is handled with the highest level of care and security.
What if My Business is Not Headquartered in California – Is it Still Impacted by CCPA?
The State of California also recognizes that data misuse has no geographical boundaries. Whether a person's data is misused in California or outside of it, the impact on the person is the same. That is why the CCPA applies to businesses that gather and process data of any California consumer, no matter the business's location, rather than only to businesses in California. The CCPA is based on data and people, not on data processing location.
What the State of California wants organizations to do is protect the consumer's personal information, regardless of the physical location of the system the data resides on. Protection is to ensure no "unauthorized access and exfiltration, theft or disclosure of a consumer's nonencrypted or nonredacted personal information".[5] The definition of how to protect personal data is in section 1798.150(a)(1), page 19 of the Assembly Bill. The business has the "duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information…" This emphasis on data protection is crucial for complying with the CCPA and safeguarding user information.
Consumer Rights and Requests
Consumer Rights under the CCPA
The CCPA empowers consumers with several significant rights regarding their personal information. These rights include:
- The right to know what personal information is being collected about them.
- The right to know whether their personal information is being sold or shared.
- The right to access their personal information.
- The right to delete their personal information.
- The right to opt out of the sale of their personal information.
- The right to non-discrimination for exercising their privacy rights.
- The right to correct inaccurate personal information.
Consumers can exercise these rights by submitting a verifiable consumer request to the business, which must respond within 45 days. To facilitate this process, businesses are required to provide a clear and conspicuous link on their website allowing consumers to opt out of the sale of their personal information. This framework ensures that consumers have the tools they need to manage their personal information effectively.
CCPA Obligations for Businesses
Businesses subject to the CCPA have several obligations, including responding to consumer requests, providing notice at collection, maintaining a privacy policy, and implementing data minimization practices. These requirements are designed to enhance transparency and accountability in the handling of personal information.
Notice at Collection
Businesses must provide consumers with notice at the point of collection, informing them of the categories of personal information being collected and the purposes for which it will be used. This notice must be clear and conspicuous and must include a link to the business’s privacy policy.
The notice at collection must also inform consumers of their right to opt out of the sale of their personal information, as well as their right to request deletion of their personal information. Businesses must provide consumers with information about how to exercise these rights, ensuring that they have the necessary tools to manage their personal information effectively.
Privacy Policy
Businesses must maintain a privacy policy that includes information about the categories of personal information they collect, the purposes for which it is used, and the categories of third parties with whom it is shared. The privacy policy must also include information about consumers' rights under the CCPA, including their right to opt out of the sale of their personal information and their right to request deletion of their personal information.
The privacy policy must be updated at least once every 12 months and must be made available to consumers through a clear and conspicuous link on the business’s website. This ensures that consumers are always informed about how their personal information is being handled and their rights under the CCPA.
Data Minimization
Businesses must implement data minimization practices, collecting and processing only the personal information that is necessary to achieve the purposes for which it was collected. Businesses must also ensure that personal information is not retained for longer than is necessary to achieve these purposes.
Data minimization practices include implementing data retention policies, ensuring that personal information is not shared with third parties unless necessary, and implementing technical and organizational measures to protect personal information from unauthorized access, disclosure, or use. By adhering to these practices, businesses can minimize the risks associated with handling personal information and ensure compliance with the CCPA.
Enforcement and Penalties
CCPA Enforcement and Penalties by the California Privacy Protection Agency
The enforcement of the CCPA is primarily the responsibility of the California Attorney General and the California Privacy Protection Agency (CPPA). Noncompliance with the CCPA can result in substantial penalties, with fines reaching up to $2,663 for unintentional violations and $7,988 for intentional violations. Upon notification by the Attorney General's Office, businesses have 30 days to cure the violation. Failure to address the violation within this period results in financial penalties. Additionally, consumers have the right to file private lawsuits, seeking damages ranging from $107 to $799 per incident, or actual damages, for data breaches involving their unredacted and unencrypted data. This robust enforcement mechanism underscores the importance of adhering to the CCPA's requirements and maintaining reasonable security procedures to protect consumers' personal information.
How to Address CCPA?
The CCPA is silent as to what exactly those security procedures are, and there is no further definition around security. The CCPA can be compared to the General Data Protection Regulation (GDPR) in terms of its focus on data protection and consumer rights. Because the focus is on breach prevention, the most effective way to ensure your cyber security strategy and controls meet the definition of "reasonable security practices" is to implement an industry standard security framework (for example the NIST Risk Management Framework, ISO 27001, the CSA CCM for cloud, or CIS Best Practices) to a degree appropriate for the information you process and the technologies you use. Fidelis has mapped our capabilities to many of the NIST 800-53 controls, and we believe that this is an appropriate method to help prevent breaches.
*This article is for informational purposes only and should not be construed as legal advice.
[1] 1798.140(g), Assembly Bill No. 375, page 13
[2] 1798.140(o)(1), Assembly Bill No. 375, page 14
[3] 1798.125(c)(1), Assembly Bill No. 375, page 11
[4] Section 1(f), Assembly Bill No. 375, page 3
[5] Legislative Counsel's Digest, Assembly Bill No. 375, page 2
Frequently Asked Questions
What is a CCPA violation?
Infractions of the law may result in penalties under the CCPA or CPRA. Common violations include failing to provide a consumer with the required information, failing to honor a "don't sell" request, and failing to obtain consent before collecting information about children.
What is the difference between GDPR and CCPA?
The GDPR is the EU's data protection legislation governing the protection of personal data. The CCPA is the California consumer privacy law that protects the data of California residents.