CCPA – California Consumer Privacy Act

What is the California Consumer Privacy Act (CCPA)?

CCPA, or California Consumer Privacy Act, is the latest product of California’s legislature. The newest privacy law in the State of California is heavily influenced by the EU’s General Data Protection Regulation (GDPR) and is set to protect consumers’ data.

So, if you are already familiar with the GDPR, you will immediately notice similarities, but there are also a few differences.

CCPA is complementary to existing privacy laws in California, such as CalOPPA – California Online Privacy Protection Act.

The California Consumer Privacy Act does not replace them. It addresses specific issues arising from the advancement of information technology, how people communicate, and how digital footprints are left today.

The ever-changing need for new ways to protect consumers is reflected in the new wave of data protection initiatives, and CCPA is one of the first to address those problems.

When does CCPA go into effect?

The CCPA came into full effect on January 1, 2020, and after a six-month grace period, it became fully enforceable on July 1, 2020.

All California-based businesses will have to adapt their privacy model and align how they manage and process personal data with the CCPA.

Privacy trends point to the rise of privacy laws and regulations, with GDPR and CCPA leading the way.

What are the CCPA requirements?

The CCPA will apply to all companies that process personal information of California residents if they meet one of the following criteria:

  • Company’s annual revenue surpasses $25 million;
  • Company obtains personal information of at least 50,000 California residents, households or devices annually;
  • Or company makes at least 50% of its annual revenue from selling the personal information of California residents.

Selling of personal data, in this case, means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means.

The enforcement of the law is not defined by territory. Instead, it protects the personal data of California residents, no matter where.

What does CCPA mean for your business?

If you meet one of the CCPA criteria, you will have to implement certain changes in how you do your business and process consumers’ personal information. If you have a website, you have to upgrade it and include the DO NOT SELL MY PERSONAL INFORMATION option.

You will also have to inform your customers at every collection point about what categories of personal data you collect and for which purpose.

You will also have to get acquainted with the rights granted under the CCPA and update your privacy policy as often as you can (no less than once per year).

Explain to consumers how they can exercise their rights and clarify how you will use their data, what categories of data you collect, and for what purposes.

  • Inform the customer on how their personal data is going to be used prior to the collection of their data.
  • Ensure that you respond free of charge if a customer requests information and details on personal data that you collected on them in the past 12 months.
  • You should respond to customers’ requests, although you are only obligated to send the information up to two times in a period of one year.

Rights under the CCPA

Much like citizens of the EU, from the beginning of 2020, Californians can exercise new rights granted under the CCPA that include:

  • Right to request information
  • Right to data portability
  • Right to opt-out of the sale of personal information
  • Right to access data
  • Right of disclosure
  • Right to deletion

The fines and ramifications of non-compliance with the CCPA

Much like the GDPR, the California Consumer Privacy Act (CCPA) issues fines to all violators and non-compliant organizations. Besides the monetary penalties, there is also a risk of a negative business reputation.

The CCPA limits the civil penalty to be assessed by the California Attorney General and proposes penalties of no more than:

  • $2,500 for each unintentional violation or
  • $7,500 for each intentional violation

If a data breach is discovered, consumers can recover damages of no less than $100 and not more than $750 per consumer per incident or actual damage, whichever is higher.

Penalties do not seem that high, right? However, fines could go up to millions. If an organization violates the rights of 10,000 consumers, penalties would be multiplied by 10,000.

The penalties mentioned do not seem too high compared to other privacy laws, such as the GDPR. However, do remember that these penalties are imposed for individual violations.

This means that smaller businesses with even a few customers can be penalized with large amounts. The CCPA does not prescribe a maximum amount, which means that for each violation, companies will potentially be penalized multiple times.

The Act extends to consumers a private right of action, giving businesses exposure not only to government penalties but also to customer lawsuits.

Businesses have 30 days to fix non-compliance, or they will be likely to pay up to $7,500 per violation. Californians are granted the right to sue companies if they fail to take reasonable precautions to prevent data breaches.
