What Is the California Consumer Privacy Act (CCPA)?
The CCPA (California Consumer Privacy Act) is a data privacy law enacted in 2018 to protect California residents’ personally identifiable information (PII). The law came into force in January 2020. The legislative objective for the CCPA was to combat rising incidents of data breaches in the technology, media, entertainment, and telecommunication industries.
The CCPA ensures that California residents have control over how businesses handle their PII. It also requires businesses to honor requests from California residents to access and delete their PII, and to give residents the ability to opt out of the sharing and selling of their personal information.
What Is CCPA Compliance?
Modeled after the European Union’s General Data Protection Regulation (GDPR), the CCPA provides that businesses collecting PII from California residents must provide information on how data is collected. It also has similarities with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). For a business to ensure that it is compliant, it may need to adjust its privacy policy to include:
- The information a business collects and processes
- The reason for which the information is collected and processed
- Methods used to collect and process personal information
- What residents need to do to request access, change, move, or delete their personal data
- The method to be used to verify the identity of the person who submits such a request
- Whether the business sells users’ PII and how users can opt out of the sale of their data
What Is the Geographical Scope of the CCPA?
The CCPA is a state-wide data privacy law but applies to businesses worldwide, provided they handle PII belonging to California residents. The law is considered one of the strictest privacy laws in the United States.
Organizations That Must Comply With the CCPA
The CCPA applies to all for-profit businesses collecting and controlling PII belonging to California residents. It also applies to for-profit businesses in California that meet any of the following criteria:
- Gross annual revenue of over US$25 million
- 50% or more of annual revenue comes from selling PII belonging to California residents
- Buys, receives, or sells the PII of 50,000 or more California residents, households, or devices annually
Organizations Not Subject to the CCPA
The CCPA doesn’t apply to nonprofits, smaller companies that don’t meet the revenue thresholds, and those that don’t deal in large amounts of PII from California residents.
Other situations where the CCPA doesn’t apply include:
When No PII Is Involved
The main focus of the CCPA is on PII. Publicly available information—namely, information lawfully made available from federal, state, and local government records—is not subject to the CCPA.
When Other Laws and Regulations Apply
Other regulations regarding data protection already govern some industries. Such laws include the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA). The CCPA exempts data that is already covered under these laws.
Key Provisions of the CCPA
Although the CCPA is often compared to the GDPR, it defines the personal information it protects very broadly. The CCPA defines protected PII as information that “identifies, relates to, describes, can be associated with, or could reasonably be linked to a particular person.”
The CCPA gives California residents the right to request a business to disclose any of the following:
- All data collected about the consumer
- Categories of sources from which the information is collected
- The business purpose for collecting that information
- Any third party with which the information is shared
For businesses, the CCPA defines business purpose as the use of personal information for business operations, provided that its use is reasonably necessary and proportionate to achieve the purpose for which the information was collected or processed. According to the CCPA, business purpose includes:
- Auditing relating to a current interaction with a consumer and subsequent transactions with the consumer
- Monitoring and detecting security incidents, protecting against illegal activities, and prosecuting those responsible for such activities
- Short-term use of personal information provided the information is not disclosed to a third party and is not used to create a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction
- Conducting internal research on a business for technological development
- Providing services on behalf of the business, such as maintaining accounts, customer service, processing orders and transactions, verifying customer data, processing payments, providing advertising or marketing, and analytic services
- Providing services to verify or maintain the quality or safety of a service or device for the business
Personal Information Under the CCPA
The CCPA protects the privacy rights of California residents with respect to the following categories of PII:
- A person’s real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, Social Security number, driver’s license number, or passport number
- Commercial information such as records of personal property, purchases, purchasing or consuming histories, or tendencies
- Biometric data
- Internet activity information such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information provided the information is not publicly available
- Inferences drawn to create a profile about a consumer to reflect the consumer’s identity, preferences, characteristics, trends, behavior, attitudes, and abilities
Penalties and Fines for Noncompliance With the CCPA
Noncompliance with the CCPA carries financial penalties and fines. According to the CCPA, the Attorney General of California can exact a maximum fine of $7,500 per violation for purposefully ignoring the mandates of the CCPA, which is deemed as intentional noncompliance. Failing to encrypt user data that was accessed during a breach, which could be deemed as unintentional noncompliance, carries a fine of $2,500 per violation.
The CCPA also gives consumers a private right of action in the event of a data breach due to noncompliance. Consumers may sue a business for statutory damages in such a breach. Before proceeding, a consumer must notify the business of the violation and give it 30 days to address the violation. If the business fails to address the violation within that period, it becomes subject to statutory damages of up to $750 per affected consumer.
Steps to Become CCPA Compliant
There are several steps that organizations must follow to become and remain CCPA compliant:
1. Establish Business Obligation to the CCPA
The CCPA protects any natural person who is a California resident. The CCPA mandates that California residents have a right to know what PII businesses collect on them and how they use that data. A business must enable the customer to opt out of the use of that information and ensure that the customer can obtain a copy of the information held by the business upon request.
2. Map All Consumer Data Held and Collected
Once a business determines that it is obligated to comply with the CCPA, the next step is to map all PII under the control of the business.
3. Evaluate All Third Parties With Which Consumer Data Is Sent and/or Received
The next step is to do the same for all the third parties with which the business shares PII. As part of the organization’s third-party risk management (TPRM), it needs to verify that each of these third parties is compliant with the CCPA. This includes reviewing and updating the privacy policy.
4. Make It Easy for Consumers to Exercise Their Rights According to the CCPA
The next step is to create processes and procedures that consumers can use to exercise their rights as provided for in the CCPA.
5. Identify and Implement Any Needed Operational Changes
Some operational business changes may be needed to accommodate the CCPA. Such changes include how consumer information is collected and handled, how consumer requests will be handled, and how continuous compliance occurs.
6. Train Employees
The final step is to train employees on how compliance affects your business and how this impacts the handling of consumer data. Teams must be trained on how the CCPA defines a consumer, what it defines as personal information, and how to respond to requests from consumers.
Comparing the CCPA to the GDPR
The CCPA and the GDPR are laws that regulate how organizations within their respective jurisdictions handle PII. Both laws give individuals greater power over how businesses manage their personal information.
The CCPA applies to businesses engaging in for-profit activities and handling, collecting, or processing personal information of California residents. The GDPR, on the other hand, gives European Union (EU) residents control over how businesses collect and use their personal information. The GDPR is uniformly binding in all 27 EU member states. Following is a quick comparison overview of the CCPA and the GDPR (adapted from a Baker Law document):
Area | CCPA | GDPR | Comparison
--- | --- | --- | ---
Who Is Protected | Consumers who are California residents, meaning persons who are either in California for other than a temporary or transitory purpose, or domiciled in California but currently outside the state for a temporary or transitory purpose. Consumers include consumers of household goods and services, employees, and parties to B2B transactions | Data subjects, defined as identified or identifiable persons to whom personal data relates | Different but similarly broad effect. Both focus on information related to an identifiable natural person, but the definitions differ. Both have potential extraterritorial effect for businesses located outside the jurisdiction
What Information Is Protected | Personal data that is to be sold for monetary value | Any personal data | Similar
Anonymous, Deidentified, Pseudonymous, or Aggregated Data | Deidentification can be used for compliance. Aggregated data also cannot “reasonably” be linked to an individual or small group. | GDPR’s concept of anonymization requires that an individual’s identifiable information be irreversibly prevented from being used. GDPR requires pseudonymization. | Largely similar, but GDPR requires pseudonymization
Privacy Notice/Information Right | CCPA gives consumers the right to know what information is being held and to get a copy of that information | GDPR allows individuals to know how long their information will be held | Similar
Security | CCPA does not directly impose data security requirements | Requires appropriate technical and organizational measures to secure personal information and reduce security risk | GDPR provides for security of personal information while CCPA doesn’t
Opt-out Right for Personal Information Sale | CCPA provides the right to opt out of personal information sales | GDPR allows data subjects to withdraw consent for processing activities and to refuse processing of their data for marketing purposes | CCPA provides an explicit right to opt out of personal information sales, while GDPR doesn’t explicitly provide one
Children | CCPA addresses the sale of children’s information (not all processing) and requires that businesses first obtain opt-in consent. Parents must provide consent for children under 13; teens 13–15 can provide their own consent. | GDPR requires that parents provide consent for the processing of their children’s personal information in an online environment | Largely similar
Right of Disclosure or Access | Allows consumers to know what information is being collected and to get a copy of that information | Allows individuals to know how long their information will be held | Similar
Right of Data Portability | Consumers can exercise their right to data portability | Individuals can exercise their right to data portability | Similar
Right to Deletion/Erasure | CCPA provides for the right to deletion | GDPR provides for the right to be forgotten | Similar, with certain differences such as the response time: 45 days under CCPA, 30 days under GDPR
Right of Rectification | Does not provide for the right to rectification of personal information | Provides for the right to rectification | GDPR allows the right to rectification while CCPA does not
Right to Restrict Processing | CCPA only has the opt-out right for the sale of personal information | Provides for the right to restrict processing | Different
Right to Object to Processing | Only allows the right to opt out of the sale of personal information | Allows the right to object to the processing of personal information | Different
Right to Object to Automated Decision-making | Not found under CCPA | Allows the right to object to automated decision-making | Different
Non-discrimination | Prohibits discrimination against individuals who exercise their privacy rights | Prohibits discrimination against individuals who exercise their privacy rights | Similar
Responding to Rights Requests | Provides for 45 days as the response time to rights requests | Provides for 30 days as the response time to rights requests | Similar, but with different response timelines
Penalties (Private Rights of Action) | CCPA provides for consumers’ private right of action | GDPR does not mention an individual’s private right of action | Different
Penalties (Civil Fines) | Penalties applied per violation ($2,500–$7,500). Consumers can sue the business for a violation ($100–$750). | Penalty based on annual global turnover (4% or €20 million) | Different
Figure 1. Comparison of CCPA and GDPR.
What Is the CPRA?
In 2020, the California Privacy Rights Act (CPRA) was enacted. The CPRA is an amendment to the CCPA that takes effect in January 2023, with enforcement beginning in July 2023. The CPRA amends the CCPA to include more privacy rights for California residents. While the law mainly retains the protections of the CCPA, it updates some of its provisions and introduces several others.
The CPRA establishes the California Privacy Protection Agency to be responsible for implementing and enforcing this law. It also retains the attorney general as the civil enforcement authority.
Sensitive Content Communications and the CCPA
Private sector businesses must track, control, and secure the digital communications of PII belonging to California residents to comply with the CCPA. Historically, businesses have relied on numerous tools for sensitive content communications, with siloed approaches for the different communication channels (email, file sharing, file transfer, managed file transfer, web forms, and application programming interfaces [APIs]). This fragments metadata across tools, making it difficult for organizations to institute centralized and automated governance of PII and to maintain an integrated risk management approach.
The Kiteworks platform consolidates digital communications of confidential data like PII into a Private Content Network. Kiteworks unifies, tracks, controls, and secures PII shared and sent into, within, and out of an organization, which helps ensure CCPA regulatory compliance.
For more information on how Kiteworks can create a Private Content Network for your organization, schedule a custom-tailored demo today.