In this post, we’ll cover the broad implications of the CCPA, which businesses need to be CCPA-compliant, and how to be CCPA compliant.
Why Does the California Consumer Privacy Act Matter?
Savvy digital consumers may know that websites are collecting their personal information, but they might be unaware just how much of their personal data is collected.
The intent of the CCPA is to help consumers understand what data businesses are collecting and for what purpose, and to give consumers the ability to opt out of data collection. (That’s a high-level view; we’ll delve into the specifics of the CCPA in a subsequent section.)
Information that businesses may collect about consumers includes:
- Credit card numbers
- Real names
- Postal addresses
- Social security numbers
- Income or similar information
- Browsing history and search history
- Commercial information
- Political affiliations
- Education information
- Religious affiliations
- Unique personal identifier/account name/online identifier
- Driver's license number
- Geolocation data
- Biometric information
- IP address or other similar device identifiers
- Passport number
- Other identifiable information
Who Needs to Be CCPA Compliant?
A for-profit business that handles California consumers' personal information falls under the CCPA if it meets any one of the following criteria:
- Has a gross annual revenue of at least $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
- Derives 50% or more of annual revenue from selling consumers' personal information.
CCPA Compliance Requirements
- Right to know — Organizations that collect consumer data must inform consumers at or before the point of data collection about the type of data they’re collecting, and for what purpose.
- Right to access — Upon request, and within 45 days, organizations must provide consumers with the personal data they’ve collected, in a usable format (such as a CSV file).
- Right to be forgotten — Companies must honor consumers’ requests to be “forgotten,” which means their personal data must be deleted (with some exceptions).
- Right to opt-out — Consumers have the right to ask companies to stop sharing their personal information with third parties.
- Right to non-discrimination — Organizations cannot discriminate against consumers for exercising their rights under the CCPA.
What does the CCPA say about cookies?
What if You Fail to Meet Requirements?
How to Comply With the California Consumer Privacy Act
2. Maintain a detailed data inventory
3. Create data rights protocols
4. Improve your cybersecurity
5. Review third-party processor agreements
6. Schedule internal data privacy training
CCPA Compliance Checklist
CCPA Compliance FAQ
1. What’s the difference between GDPR and CCPA?
The CCPA is similar to the European Union’s General Data Protection Regulation (GDPR). The primary differences between the two regulations are:
- The GDPR applies to organizations with customers within the EU.
- While the CCPA requires companies to provide an opt-out process for consumers, the GDPR requires an opt-in process, meaning organizations cannot collect consumer data unless and until they are granted permission to do so.