What Is the California Consumer Privacy Act (CCPA)?
The CCPA (California Consumer Privacy Act) is a data privacy law enacted in 2018 to protect California residents’ personally identifiable information (PII). The law came into force in January 2020. The legislative objective for the CCPA was to combat rising incidents of data breaches in the technology, media, entertainment, and telecommunication industries.
The CCPA ensures that California residents have control over how businesses handle their PII. It also ensures that businesses honor requests from California residents to access and delete their PII, and that residents have the ability to opt out of the sharing and selling of their personal information.
What Is CCPA Compliance?
Modeled after the European Union’s General Data Protection Regulation (GDPR), the CCPA provides that businesses collecting PII from California residents must provide information on how data is collected. It also has similarities with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). For a business to ensure that it is compliant, it may need to adjust its privacy policy to include:
- The information a business collects and processes
- The reason for which the information is collected and processed
- Methods used to collect and process personal information
- What residents need to do to request access, change, move, or delete their personal data
- The method to be used to verify the identity of the person who submits such a request
- The sale of users’ PII and how users can opt out of the sale of their data
What Is the Geographical Scope of the CCPA?
The CCPA is a state-wide data privacy law but applies to businesses worldwide, provided they handle PII belonging to California residents. The law is considered one of the strictest privacy laws in the United States.
Organizations That Must Comply With the CCPA
The CCPA applies to all for-profit businesses collecting and controlling PII belonging to California residents. It also applies to for-profit businesses in California that meet any of the following criteria:
- Gross annual revenue of over US$25 million
- 50% or more of annual revenue comes from selling PII belonging to California residents
- Buys, receives, or sells the PII of 50,000 or more California residents, households, or devices annually
Organizations Not Subject to the CCPA
The CCPA doesn’t apply to nonprofits, smaller companies that don’t meet the revenue thresholds, and those that don’t deal in large amounts of PII from California residents.
Other situations where the CCPA doesn’t apply include:
When No PII Is Involved
The main focus of the CCPA is on PII. Publicly available information—namely, information lawfully made available from federal, state, and local government records—is not subject to the CCPA.
When Other Laws and Regulations Apply
Other regulations regarding data protection already govern some industries. Such laws include the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA). The CCPA exempts data that is already covered under these laws.
Key Provisions of the CCPA
Although the CCPA is often compared to the GDPR, it has a much broader definition of regulatory compliance. The CCPA defines PII protected data as that which “identifies, relates to, describes, can be associated with, or could reasonably be linked to a particular person.”
The CCPA gives California residents the right to request a business to disclose any of the following:
- All data collected about the consumer
- Categories of sources from which the information is collected
- The business purpose for collecting that information
- Any third party with which the information is shared
For businesses, the CCPA defines business purpose as the use of personal information for business operations, provided that its use is reasonably necessary and proportionate to achieve the purpose for which the information was collected or processed. According to the CCPA, business purpose includes:
- Auditing relating to a current interaction with a consumer and subsequent transactions with the consumer
- Monitoring and detecting security incidents, protecting against illegal activities, and prosecuting those responsible for such activities
- Short-term use of personal information provided the information is not disclosed to a third party and is not used to create a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction
- Conducting internal research on a business for technological development
- Providing services on behalf of the business, such as maintaining accounts, customer service, processing orders and transactions, verifying customer data, processing payments, providing advertising or marketing, and analytics services
- Providing services to verify or maintain the quality or safety of a service or device for the business
Personal Information Under the CCPA
The CCPA protects the privacy rights of California residents regarding their PII, which includes:
- A person’s real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, Social Security number, driver’s license number, or passport number
- Commercial information such as records of personal property, purchases, purchasing or consuming histories, or tendencies
- Biometric data
- Internet activity information such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information provided the information is not publicly available
- Inferences drawn to create a profile about a consumer to reflect the consumer’s identity, preferences, characteristics, trends, behavior, attitudes, and abilities
Penalties and Fines for Noncompliance With the CCPA
Noncompliance with the CCPA carries financial penalties and fines. According to the CCPA, the Attorney General of California can impose a maximum fine of $7,500 per violation for purposefully ignoring the mandates of the CCPA, which is deemed intentional noncompliance. Failing to encrypt user data that was accessed during a breach, which could be deemed unintentional noncompliance, carries a fine of $2,500 per violation.
The CCPA also gives consumers a private right of action in the event of a data breach due to noncompliance. Consumers may sue a business for statutory damages in such a breach. Before proceeding, a consumer must notify the business of the violation and give it 30 days to address the violation. If the business fails to address the violation within that period, it becomes subject to statutory damages of up to $750 per affected consumer.
Steps to Become CCPA Compliant
There are several steps that organizations must follow to become and remain CCPA compliant:
1. Establish Business Obligation to the CCPA
The CCPA protects any natural person who is a California resident. The CCPA mandates that California residents have a right to know what PII businesses collect on them and how they use that data. A business must enable the customer to opt out of the use of that information and ensure that the customer can obtain a copy of the information held by the business upon request.
2. Map All Consumer Data Held and Collected
Once a business determines that it is obligated to comply with the CCPA, the next step is to map all PII under the control of the business.
3. Evaluate All Third Parties With Which Consumer Data Is Sent and/or Received
The next step is to do the same with all the third parties with which a business shares PII. As part of its third-party risk management (TPRM), the organization needs to verify that each of these third parties is compliant with the CCPA. This includes reviewing and updating the privacy policy.
4. Make It Easy for Consumers to Exercise Their Rights According to the CCPA
The next step is to create processes and procedures that consumers can use to exercise their rights as provided for in the CCPA.
5. Identify and Implement Any Needed Operational Changes
Some operational business changes may be needed to accommodate the CCPA. Such changes include how consumer information is collected and handled, how consumer requests will be handled, and how continuous compliance occurs.
6. Train Employees
The final step is to train employees on how compliance affects your business and how this impacts the handling of consumer data. Teams must be trained on how the CCPA defines a consumer, what it defines as personal information, and how to respond to requests from consumers.
Comparing the CCPA to the GDPR
The CCPA and the GDPR are laws that regulate how organizations within their respective jurisdictions handle PII. Both laws give individuals greater power over how businesses manage their personal information.
The CCPA applies to businesses engaging in for-profit activities and handling, collecting, or processing personal information for California residents. The GDPR, on the other hand, gives European Union (EU) residents control over how businesses collect and use their personal information. The GDPR is uniformly binding in all 27 EU member states. Following is a quick comparison overview of the CCPA and the GDPR (adapted from Baker Law document):
What Is the CPRA?
In 2020, the California Consumer Privacy Act was enacted. The California Privacy Rights Act (CPRA) is an amendment to the CCPA that takes effect in January 2023, with enforcement beginning in July 2023. The CPRA amends the CCPA to include more privacy rights for California residents. While the CPRA largely retains the protections of the CCPA, it updates some of its provisions and introduces several others.
The CPRA establishes the California Privacy Protection Agency to be responsible for implementing and enforcing this law. It also retains the attorney general as the civil enforcement authority.
Sensitive Content Communications and the CCPA
Private sector businesses must track, control, and secure the digital communications of PII belonging to California residents to comply with the CCPA. Historically, businesses have relied on numerous tools for sensitive content communications—siloed approaches for the different communication channels (email, file sharing, file transfer, managed file transfer, web forms, and application programming interfaces [APIs]). This creates a bifurcation of metadata that makes it difficult for organizations to institute centralized and automated governance of PII and to maintain an integrated risk management approach.
The Kiteworks platform consolidates digital communications of confidential data like PII into a Private Content Network. Kiteworks unifies, tracks, controls, and secures PII shared and sent into, within, and out of an organization, which helps ensure CCPA regulatory compliance.
For more information on how Kiteworks can create a Private Content Network for your organization, schedule a custom-tailored demo today.