While most people working in data protection have heard of the GDPR, the CCPA receives much less attention. Passed by the California State Legislature, the CCPA attempts to give consumers more control over their personal data.
The CCPA and the GDPR share many similarities, as both pieces of legislation aim to address the same problems: the stream of large-scale breaches of personal data at major corporations, and the collection of personal data without the individual's knowledge or any regulatory oversight.
In this article, we'll explore what the CCPA is, who it regulates, and how to become compliant. So, if you're a business with connections to California, you need to keep reading.
The California Consumer Privacy Act (CCPA) was passed by the California State Legislature and signed into law on 28 June 2018, and took effect on 1 January 2020. This landmark act confers on California consumers many new privacy rights, including:
- The Right to Know when their personal data is being collected.
- The Right to Delete the personal data that has been collected.
- The Right to Opt-Out of the sale of their personal data.
- The Right to Non-Discrimination when exercising their rights under the CCPA.
Furthermore, Californian consumers also have the right to know whether their personal data is sold and to whom, and to access the personal data a business holds about them upon request.
For those familiar with the basics of the GDPR, much of the above will seem familiar. Indeed, the framework of the two regulations is similar.
The primary difference lies in who is protected. The GDPR protects anyone who is in the EU, regardless of citizenship or how long they have been there. The CCPA protects only "consumers", which it defines as California residents, borrowing the definition from the state's tax regulations: a person who is in California for other than a temporary or transitory purpose, or who is domiciled in California and is only temporarily outside the state.
Anyone else, such as a visitor passing through the state, is not covered by this legislative protection.
Who is required to comply with the CCPA?
Again, unlike the GDPR, the CCPA applies exclusively to for-profit businesses that collect and use Californian consumers' personal data. To meet that definition, a business must also satisfy at least one of the statutory thresholds, which are set in terms of annual revenue, the volume of personal data the business handles, and the share of its revenue derived from selling personal data:
Non-profits fall outside the definition altogether, and smaller companies that do not meet these thresholds do not need to comply with the CCPA. This is the polar opposite of the position under the GDPR, where every organization processing the personal data of people in the EU must comply; the only concession to small organizations is a limited exemption from the Article 30 record-keeping obligation for those with fewer than 250 employees, not an exemption from the regulation itself.
A major point of contention with the EU and UK GDPR is their "extra-territorial effect." Businesses located outside the EU or UK must still comply with the GDPR if they offer goods or services to, or monitor the behaviour of, people in the EU or UK. For instance, an online vendor in California must follow the GDPR when collecting and using data from EU customers.
The CCPA frames its reach differently, but it is not confined to companies headquartered in the state.
It applies to any for-profit business that "does business in the State of California", meets one of the thresholds above and collects California residents' personal data, together with any entity that controls or is controlled by such a business and shares common branding with it (for example, a parent or subsidiary). A company incorporated elsewhere that sells to Californians can therefore fall within scope. What the CCPA does not do is protect people outside California.
Under the CCPA, personal data is defined broadly as:
"…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
That includes social security numbers, drivers' license numbers, purchase history, unique personal identifiers, name, address, phone numbers, and more.
It's a significantly broader definition than is typically found in data protection acts, even the EU GDPR, notably because it extends to information about a household, not just an individual.
The CCPA is a complex piece of legislation with many facets. It's therefore understandable that many Californian businesses find compliance confusing and problematic.
However, that shouldn't be so.
Non-compliance can yield civil penalties of up to $2,500 per violation, and intentional violations can result in penalties of up to $7,500 per violation. Consumers also have a private right of action, but it is tied to security failures rather than to every breach of the act: a consumer whose non-encrypted and non-redacted personal information is exposed in a breach caused by the business's failure to maintain reasonable security can sue, recovering statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. That is without considering the indirect costs to a brand's reputation and standing.
Therefore, compliance is essential. Here are the top ways to become CCPA-compliant:
This checklist is intended to kickstart your compliance efforts; it is not exhaustive. There are also software packages available that help support CCPA compliance.
You can also refer to the legislation itself, California Civil Code section 1798.100 et seq.
Like other data protection acts, such as the GDPR, the CCPA regulates the collection and use of personal data. It protects only California residents, but it reaches any qualifying for-profit business that does business in California, wherever that business is based.
For any business that meets its thresholds, ensuring CCPA alignment is critical to avoiding penalties, statutory damages and harm to the company's reputation.