The California Consumer Privacy Act of 2018 (CCPA) was signed into law in June 2018 and put into effect on January 1st, 2020, to respond to growing instances of businesses exploiting data privacy through poor data handling policies or data breaches.

The CCPA gives Californian consumers greater transparency into how their sensitive personal information is handled. California was the first state to implement such strong data collection and handling laws, and its data security framework will likely become a blueprint for all other states.

Under the CCPA, California residents have a right to:

• Know when their personal data is collected by businesses
• Know when their personal data is being sold to, or shared with, a third party
• Deny the sale of their personal data
• Have their personal data deletion request honored

As part of California's new privacy law movement, this landmark move mirrors the consumer data protection posture outlined in the European Union’s General Data Protection Regulation (GDPR) and Canada's propositions in Bill C-11. CCPA regulations also offer Californian businesses guidance on adhering to this law.

In November 2020, the California Privacy Rights Act (CPRA) was passed as an amendment to the CCPA, adding many additional consumer privacy rights. CCPA and CPRA are often used interchangeably, both discussing the same privacy regulations.

Similar data privacy laws are either being considered or are already implemented in Nebraska, New York, and Washington. This article will examine how this law could impact businesses and how your organization can become CCPA-compliant.

Important: The provisions of the CCPA have been amended and expanded in the California Privacy Rights Act (CPRA). To learn about the CPRA, read this post.

Who Must Comply with the California Consumer Privacy Act?

The CCPA applies to for-profit businesses that have business operations in California and meet any of the following criteria:

1. Gross annual revenue of $25 million or more.
2. Process personal information for over 50,000 Californian residents, households, or devices (including buying, receiving, or selling data).
3. Attribute the sale of California residents' personal data to at least 50% of their annual gross revenue.

CCPA compliance is not limited to businesses physically located in California.

Any business located outside of California must still comply with CCPA regulations if it:

• Offers Californians the opportunity to purchase their products or services,
• Collects any personal information from Californians (such as IP addresses of web visitors), or
• Shares branding with a business that's bound to the CCPA.

The CCPA does not apply to non-profit businesses.

How Does the CCPA Define Personal Data?

The enforcement of this law depends on the CCPA's classification of personal data. Under the CCPA, a consumer's personal information includes any data that identifies, connects, or relates to an individual and/or their household.

This includes the following categories of personal information:

• Email addresses
• Social Security numbers
• Records of purchased products
• Internet browsing history and search history
• Geolocation data
• Biometric data
• Driver's license numbers
• Inferences from other sources that can be used to create a profile about an individual's preferences and characteristics

How Does the CCPA Differ From the GDPR?

The CCPA has a broader classification of personal data compared to the European Union's (EU) GDPR.

Unlike the GDPR, the CCPA expands its threshold of privacy practices to also households. Any data subject identifying an individual or household could be liable to CCPA regulations.

Another difference between the two regulations is that the (GDPR) applies to any organization establishing a private data inventory for EU citizens. CCPA compliance, however, is only expected of businesses that meet any of CCPA's three thresholds.

Learn more about the GDPR here.

CCPA and the Current California Data Breach Notification Law

The CCPA does not impact current data breach notification obligations under Section 1798.82 in the State of California, meaning organizations are not required to report data breaches under the CCPA. However, businesses and state agencies must still notify California residents whenever an unauthorized party gains access to their unencrypted personal data in a data breach under the current California Data Breach Notification Law. Businesses can submit data breach notifications via this online portal.

Businesses suffering a breach impacting more than 500 California residents must submit a sample copy of the breach notifications to the California Attorney General. This notification must exclude any personal information identifiers.

The CPRA also established the California Privacy Protection Agency (CPPA) to help the California Attorney General enforce the notification laws.

California residents have the right to access all data breach notification submissions via this search engine.

How Should Businesses Respond?

In response to this provision, businesses should:

• Publish a description of consumer rights under the CCPA and make this information readily accessible from the homepage.
• Publish privacy notices describing the commercial motivations behind the collection and sale of personal data.
• Establish internal policies for accurately responding to all CCPA privacy protection inquiries.
• Implement processes that accurately identify the categories of consumer personal data being collected, shared, and sold.

Under the CCPA, consumers have the private right of action to request the deletion of all collected personal data.

In most situations, businesses must immediately comply with these requests. However, exceptions apply for the following scenarios:

• When this data is necessary to complete a transition or to provide a service requested by the customer.
• When this data is required to debug or repair expected product functionality.
• When this information is necessary for the detection or investigation of cyber threats.

How Should Businesses Respond?

In response to this provision, businesses should:

• Establish internal processes to honor consumer requests to delete personal data storage rapidly.
• Establish reliable communication channels for responding to data deletion requests.
• Create an internal document delineating probable scenarios where deletion requests are denied.

The CCPA empowers consumers to opt out of the sale of their personal data at any time.

Before any customer PII is sold, businesses must provide ample notice to impacted consumers of their intention to sell, alongside instructions on how to opt-out of the inclusion of their data in the sale.

Any third-party service provider that purchased consumer data cannot resell that data unless impacted consumers are given clear notice and provided with an opportunity to opt out of the sale.

How Should Businesses Respond?

In response to this provision, businesses should:

• Include a link on their homepage titled "Do Not Sell My Personal Information," which directs users to a web page explaining how to opt out of the sale of their personal data.
• Not require consumers to create an account to effectuate their intention to opt out.
• Establish processes for tracking all opt-out requests.

Should a consumer, or website visitor, elect to exercise their reasonable security rights outlined in the CCPA, the requestee must not:

• Impede the availability of goods and services to the consumer.
• Reduce the quality of customer service for the consumer.
• Charge the consumer at different rates.
• Deny such consumers the use of discounts or coupon codes available to all other consumers.

Penalties for Non-Compliance

Organizations have up to 45 days to respond to consumer requests under the CCPA.

If these requests are not actioned within 30 days, the offending business may be charged a maximum penalty of $7,500 per violation.

Consumers impacted by the unauthorized handling of their data, as outlined in the CCPA, can exercise a private right of action, entitling them to $750 in recovery damages per violation.