While most people working in data protection have heard of the GDPR, the CCPA receives much less attention. Passed by the California State Legislature, the CCPA attempts to give consumers more control over their personal data.
The CCPA and the GDPR share many similarities, as both pieces of legislation respond to the same problems: the string of large breaches of personal data at major corporations, and the collection of personal data without regulatory oversight or the individual's knowledge.
In this article, we’ll explore what the CCPA is, who it regulates, and how to become compliant. So, if you’re a business with connections to California, you need to keep reading.
What is the CCPA?
The California Consumer Privacy Act (CCPA) was passed by the California State Legislature and signed into law on 28 June 2018, and took effect on 1 January 2020. This landmark act confers on California consumers a number of new privacy rights, including:
- The Right to Know what personal data is being collected about them, and how it is used and shared.
- The Right to Delete the personal data that has been collected.
- The Right to Opt-Out of the sale of their personal data.
- The Right to Non-Discrimination when exercising their rights under the CCPA.
Furthermore, Californian consumers also have the right to know whether their personal data is sold or disclosed, and to which categories of third parties, and can access the specific pieces of personal data a business holds about them upon request.
For those familiar with the basics of the GDPR, much of the above will seem familiar. Indeed, the framework of the two regulations is similar.
What are the differences between the CCPA and the GDPR?
The primary difference is in who is protected. The GDPR protects any data subject who is in the EU, however temporarily. The CCPA protects only "consumers", which it defines as natural persons who are California residents under the state's tax regulations: people who are in California for other than a temporary or transitory purpose, and people domiciled in California who are temporarily outside the state.
Anyone else is not covered by this legislative protection.
Who is required to comply with the CCPA?
Again, unlike the GDPR, the CCPA applies only to for-profit businesses that do business in California, collect Californian consumers' personal data, and meet at least one of the following thresholds:
- Annual gross revenues greater than $25 million
- Annually buy, receive, sell, or share the personal data of 50,000 or more California consumers, households, or devices
- Derive 50% or more of annual revenue from selling California consumers' personal data
Non-profits, and businesses that fall below every threshold, are generally outside the CCPA's scope. The GDPR takes the opposite approach: it applies to any organization, of any size or legal form, that processes the personal data of people in the EU. The only size-related relief is the Article 30(5) exemption from keeping full records of processing activities, available to some organizations with fewer than 250 employees.
Do businesses located outside California need to comply?
A major point of contention with the EU and UK GDPR is their "extra-territorial effect": a business located outside the EU or UK must still comply with the GDPR if it offers goods or services to people in the EU or UK, or monitors their behaviour. For instance, an online vendor in California must follow the GDPR when collecting and using data from EU customers.
The CCPA reaches beyond its own borders in the same way.
The CCPA governs any for-profit business that does business in California and meets one of the thresholds above, wherever it is incorporated or headquartered, together with any entity that controls or is controlled by such a business and shares its branding (for example a parent or subsidiary). An organization located outside the state is therefore not exempt: what matters is whether it does business in California and handles California consumers' personal data, not where its offices are.
How does the CCPA define personal data?
Under the CCPA, personal data is defined broadly as:
"…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
That includes Social Security numbers, driver's license numbers, purchase history, unique personal identifiers, names, addresses, phone numbers, and more.
It is at least as broad as the definition found in most data protection acts, including the EU GDPR, and in one respect broader: it expressly covers information linked to a household, not only to an identifiable individual.
How to become CCPA-compliant
The CCPA is a complex piece of legislation with many facets. It’s therefore understandable that many Californian businesses find compliance confusing and problematic.
However, that shouldn’t be so.
Non-compliance can yield civil penalties of up to $2,500 per violation, rising to $7,500 per intentional violation. Consumers also have a private right of action, but only for data breaches: if nonencrypted and nonredacted personal data is exposed because the business failed to implement and maintain reasonable security procedures, each affected consumer can recover statutory damages of $100 to $750 per incident or actual damages, whichever is greater. That is before considering the indirect cost to a brand's reputation and standing.
Therefore, compliance is essential. Here are the top ways to become CCPA-compliant:
- Inform consumers, at or before the point of collection, of the categories of personal data collected and the purposes for which it will be used or shared.
- Do not sell the personal data of consumers under 16 without opt-in consent (from the consumer if aged 13 to 15, from a parent or guardian if younger); adult consumers must be able to opt out of sale.
- Permit consumers to access the personal data held about them.
- Allow consumers to request that their personal data be deleted, and pass the request on to any service providers holding it.
- Publish a privacy policy that explains consumers' rights under the CCPA and how to exercise them.
- If you sell personal data, provide a clear "Do Not Sell My Personal Information" link on your homepage and honour the opt-out requests it generates.
- Implement and maintain reasonable security procedures for the personal data you hold; a breach caused by failing to do so is what exposes the business to the private right of action.
This checklist will help kickstart your compliance efforts, but it is not exhaustive. Software packages are also available that support CCPA compliance.
You can also refer to the text of the legislation itself, California Civil Code section 1798.100 and following.
Like other data protection acts, such as the GDPR, the CCPA regulates the collection and use of personal data. Its protection is limited to California residents, but its obligations fall on any qualifying business that does business in California, wherever that business is located.
For such businesses, CCPA alignment is essential to avoid penalties, breach litigation, and damage to the company's reputation.