The California Consumer Privacy Act 2018 (CCPA) has impacts far beyond the boundaries of California. The US state has a $4 trillion economy; if California were a country, it would be the fourth-largest economy on the planet.
All that trade gives California very wide reach into other economies around the world, which means businesses globally need to understand how CCPA applies to their activities.
Who does the CCPA apply to?
CCPA applies to any business that engages in transactions with Californians for the purpose of financial gain – for example, providing goods and services. A physical presence in the state is not required.
If you are operating as a for-profit business and collect data from residents of California, it is likely you will need to know how to comply with CCPA. The law has been in force since January 1, 2020 and has many similarities to GDPR, although there are important differences too.
What are the rights set out under CCPA?
CCPA gives California residents control over how their personal data is handled online. It is based around five key rights:
- The right to know – individuals should be told when their data is being collected and processed
- The right to delete – individuals can ask for personal data to be deleted
- The right to opt out – individuals should be able to refuse permission for companies to sell their personal data
- The right to correct – individuals should be able to obtain copies of the data held about them and correct inaccurate information
- The right to limit use – individuals should be able to specify that personal information can only be used for limited purposes
Individuals who exercise rights under CCPA should not be subject to any discrimination as a result.
What are the penalties for breaching CCPA?
CCPA is enforced by the California Attorney General. Businesses are sent a letter giving notice of a potential breach, after which they have 30 days to remedy the issue and become compliant. After this, penalties of $2,500 per breach ($7,500 for intentional breaches) can be applied.
Private individuals cannot sue a business for CCPA breaches, although they have other rights of action in the event of a data breach and could be awarded civil damages of $750 for each data breach under CCPA. Large-scale data breaches may result in class action lawsuits.
Does the CCPA apply to other states?
The US does not have a federal data privacy law that applies to all states. As a Californian law, CCPA only applies to residents of California, although it continues to apply when they are traveling out of state.
Does CCPA apply to non-profits?
The basic rule is that CCPA only applies to for-profit businesses. These are legal entities (for example, sole proprietorship, LLC or corporation) operated for the profit and financial benefit of shareholders and owners.
However, in some situations non-profit organisations may not be exempt from CCPA. This includes where a non-profit is controlled by a for-profit entity and shares common branding with the parent business. A non-profit may also fall within the law if it receives personal information through a ‘sale’ as defined in CCPA.
Who does CCPA not apply to?
The rules apply to businesses, even those outside of California, that meet one or more of these criteria:
- Annual gross revenues of over $25 million
- Buys, sells, receives or shares the personal information of 50,000 or more California residents for commercial purposes
- Derives more than 50% of annual revenues from selling personal information
How do I comply?
There are some key points to understand to help ensure you are compliant with CCPA:
CCPA definition of personal information
The legislation defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Personal information can be categorized in different ways:
- Direct identifiers – name, postal address, social security number
- Unique identifiers – cookies, IP addresses, usernames
- Biometric data – fingerprints, face and video recordings
- Geolocation data – location information and history
- Internet activity – browsing and search history
- Sensitive information – health data, personal characteristics, sexual preferences, religious faith, employment data
- Data that can be used to infer identity – information that could be used to pinpoint an individual or household
- You must inform users before the point of data collection about what you collect and for what purposes
- You must have a ‘do not sell my personal information’ link enabling users to opt out of their data being sold to third parties
- Opt-ins are required for site users under the age of 16 (and parental consent for users under the age of 13)
- You should be prepared to comply, without charge, with requests from consumers for disclosure of the personal information you have collected about them in the past 12 months
- You should ensure you do not discriminate against a consumer for exercising the right to request disclosure, opt out of sales, or correct or delete information
Make sure your cookie policies are CCPA compliant
Cookies collect information on website users, including information that could meet the CCPA definition of personal information. Even if information is not identifying in itself, it could become personal when considered in combination with other data.
Cookie banners are often used to give users the required information and confirm consent to data collection. Looking at some CCPA cookie banner examples can give you an idea of how a banner could work on your site.
Remember, CCPA is not the only legislation that applies to data protection for Californian residents; the California Privacy Rights Act (CPRA) is also relevant. Find out more about the differences between the CCPA and CPRA.
Working out the legal requirements of different regulations can be a headache. Let CookieHub take the strain for you – we can help ensure your cookies are compliant with CCPA and other data protection rules, giving you peace of mind.