The California Consumer Privacy Act (CCPA) of 2018 (CCPA) is a set of regulations that offers California residents more control over their personal data. When the act went into effect in January 2020, many businesses were still trying to determine whether the CCPA applied to them, and if so, what they needed to do to be CCPA compliant.
In this post, we’ll cover the broad implications of the CCPA, which businesses need to be CCPA-compliant, and how to be CCPA compliant.
Why Does the California Consumer Privacy Act Matter?
Savvy digital consumers may know that websites are collecting their personal information, but they might be unaware just how much of their personal data is collected.
The intent of the CCPA is to help consumers understand what data businesses are collecting and for what purpose, and to give consumers the ability to opt out of data collection. (That’s a high-level view — we’ll delve into specifics of the CCPA in a subsequent section).
Information that businesses may collect about consumers includes:
- Credit card numbers
- Real names
- Postal addresses
- Social security numbers
- Demographics
- Income or similar information
- Browsing history and search history
- Age
- Commercial information
- Political affiliations
- Education information
- Religious affiliations
- Unique personal identifier/account name/online identifier
- Driver's license number
- Geolocation data
- Biometric information
- IP address or other device similar identifiers
- Passport number
- Other identifiable information
Most consumer data is used for marketing purposes. But as a number of large data breaches have illustrated in recent years, personal data can be stolen and misused. The CCPA requires businesses to safeguard data, and it defines penalties for companies whose failure to protect data results in a data breach.
Who Needs to Be CCPA Compliant?
The CCPA doesn’t just apply to California businesses. Any business that has customers in California and meets one of the following criteria must comply with the CCPA:
- Has a gross annual revenue of at least $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
- Derives 50% or more of annual revenue from selling consumers' personal information.
In addition to the above, businesses that handle the personal information of more than 4 million consumers will have additional obligations.
CCPA Compliance Requirements
So what is CCPA compliance, and what does it entail? The CCPA defines specific rights for consumers, and in order for companies to be in full compliance, they must ensure these rights are guaranteed:
- Right to know — Organizations that collect consumer data must inform consumers at or before the point of data collection about the type of data they’re collecting, and for what purpose.
- Right to access — Upon request, and within 45 days, organizations must provide consumers with the personal data they’ve collected, in a usable format (such as a CSV file).
- Right to be forgotten — Companies must honor consumers’ requests to be “forgotten,” which means their personal data must be deleted (with some exceptions).
- Right to opt-out — Consumers have the right to ask companies to stop sharing their personal information with third parties.
- Right to non-discrimination — Organizations cannot discriminate against consumers for exercising their rights under the CCPA.
Because data collection practices may change, organizations must update their privacy policy once a year and notify consumers of the change.
What does the CCPA say about cookies?
The CCPA requires organizations to create a cookie consent policy stating what cookies they use, the type of information cookies collect, and for what purpose. Websites must also offer an easy way to opt out of/reject cookies, except for those that are necessary for website functionality. The cookie consent language can be included in a company’s privacy policy.
What if You Fail to Meet Requirements?
The California Attorney General’s office may assess fines for any business found to be non-compliant with the CCPA. In the event of a data breach, fines are based on each individual violation (up to $7,500 per occurrence), and the CCPA allows affected individuals to pursue civil action against offending companies.
How to Comply With the California Consumer Privacy Act
It’s safe to say that most businesses hope to avoid penalties for CCPA non-compliance, and the following tips can help with that.
1. Update privacy policy and notices
Once per year, review your privacy policy and make sure it accounts for any revisions to data privacy laws, or any new methods your company may be using to collect data. While consumers may not necessarily read materials about privacy policies, the CCPA requires you to provide them at least once a year.
Maintain a detailed data inventory
Your data inventory is the record of how you track consumer data. It should include details about how data is stored, sold, and shared. In the event of a data breach, investigators will want to review a company’s data inventory to make sure it’s CCPA-compliant.
3. Create data rights protocols
Companies need protocols to ensure that they respond appropriately and in a timely manner when consumers exercise their rights under the CCPA.
4. Improve your cybersecurity
Cybersecurity should be a concern for any business, and especially those who are required to comply with the CCPA. The cost of improving cybersecurity is far less than the fines associated with a widespread data breach.
5. Review third-party processor agreements
The way third-party data processors manage and store data could create non-compliance concerns. A thorough review of data processing agreements with any third parties processing your data will
6. Schedule internal data privacy training
The CCPA requires ongoing internal data privacy training (and this type of training is also good practice, in general).
CCPA Compliance Checklist
1. Preparation
The first step is a thorough audit of your internal data management, which includes identifying any security risks.
2. Implementation
At this stage, you’ll act on any discoveries from the preparation step — for example, scrubbing outdated data and updating user permissions to ensure only authorized users can access consumer data.
3. Maintenance
At this stage, you’ll act on any discoveries from the preparation step — for example, scrubbing outdated data and updating user permissions to ensure only authorized users can access consumer data.
CCPA Compliance FAQ
1. What’s the difference between GDPR and CCPA?
The CCPA is similar to the European Union’s General Data Protection Regulation (GDPR). The primary differences between the two regulations are:
- The GDPR applies to organizations with customers within the EU.
- While the CCPA requires companies to provide an opt-out process for consumers, the GDPR requires an opt-in process, meaning organizations cannot collect consumer data until and unless granted permission to do so.
2. Does the CCPA apply to any specific industries?
The CCPA applies to any businesses that meet one of the three criteria for revenue threshold, number of consumers, and use of data.
3. Can I achieve CCPA compliance on my own?
Companies with legal teams and large IT departments may be able to achieve CCPA compliance without any external help. However, the best approach is to use CCPA compliance software and seek support from an organization that’s well versed in compliance.
3. Can I achieve CCPA compliance on my own?
Companies with legal teams and large IT departments may be able to achieve CCPA compliance without any external help. However, the best approach is to use CCPA compliance software and seek support from an organization that’s well versed in compliance.
4. What does the CCPA define as “Sale of Data”?
The “sale” of data, by CCPA definitions, does not necessarily include the exchange of money. It means that data collected by one party is shared with another, generally for the purpose of marketing.
CCPA compliance with Monsido Consent Manager
Monsido's Consent Manager helps companies comply with CCPA, GDPR, and other important regulations, and our compliance experts provide the personalized context business leaders need to implement changes.
Monsido Consent Manager
Find out how Monsido can prepare you for success and shield you from non-compliance issues.
