CCPA Compliance Guide
Overview
The California Consumer Privacy Act (CCPA) is a major privacy initiative designed to protect the consumer data of residents of the Golden State. In the absence of federal data privacy laws, many other states are modeling their privacy laws after the CCPA.
Additional Resources:
Coalition's Guide to Cyber Insurance
Coalition Adds California Consumer Protection Act (CCPA) Endorsement to Coverage for Small and Midsize Businesses
How We Helped a Healthcare Company with GDPR Compliance | Coalition
How Coalition helps your business respond to evolving privacy regulations
What is the California Privacy Rights Act (CPRA) and what does it mean for your business?
What is the California Consumer Privacy Act?
According to the California Attorney General’s office, the CCPA is a landmark privacy initiative that secures personal data privacy rights for California residents.
The CCPA gives Californians more control over the personal data companies collect about them, including transparency into how they use and share that information. The CCPA also grants California consumers the ability to force companies to delete their personal data and prevent companies from selling that data to third parties. At the same time, the CCPA helps consumers avoid discrimination when exercising these newfound privacy rights.
Under the CCPA, personal data refers to information that correlates or relates to a specific consumer or household (i.e., personally identifiable information, or PII). Such data may include the following personal identifiers:
Real names
Aliases
Postal addresses
Online identifiers
IP address
Account names
Email addresses
Social Security numbers
Driver’s license numbers
Passport numbers
Biometric information like fingerprints or facial scans
Geolocation data
Professional or employment-related data
Per the CCPA, personal information doesn’t include publicly available data from local, state, or federal records such as professional licenses and public real estate and property records. For a complete breakdown of how the California legislature defines personal data, see section 1798.140 (v)(1) of the CCPA.
Additional state privacy laws exist outside California, and other states continue to review privacy legislation proposals. Outside of the U.S., countries such as the members of the European Union, Australia, Canada, and Japan have privacy legislation in place.
As privacy regulations continue evolving worldwide, businesses need to take a proactive approach to ensure compliance with the ones that impact them. With so many rapid changes occurring, many businesses — and small and midsize businesses in particular — may be best off partnering with a third party to achieve compliance.
Why do we need privacy compliance?
Privacy compliance deters organizations from using an individual’s personal information without consent. This may include data-sharing practices like selling data without permission or exposing private information to the public.
Today, there’s a heightened demand for privacy compliance due to the enormous amount of commercial information companies collect to drive marketing, sales, research, and technology initiatives. According to a recent survey, 97% of organizations are investing in big data, and the global big data market, which brought in $240.56 billion in 2021, is expected to reach $655.53 billion by 2029.
While businesses need data, protecting it is challenging. Cybercrime remains a top threat globally, with threat actors becoming increasingly sophisticated and effective in their tactics. Research indicates that during the third quarter of 2022, roughly 15 million data records were exposed globally through data breaches, approximately a 37% increase from the previous quarter. Additionally, the average data breach costs U.S. companies $9.44 million.
Privacy programs like the CCPA help consumers by incentivizing companies to take greater responsibility for the data they collect, store, and manage. It’s important to note that privacy frameworks like the CCPA are continuously evolving. As such, businesses need to pay close attention to privacy regulations to ensure continued compliance.
CCPA vs. GDPR: What’s the difference?
In 2018, the European Union drastically changed the global privacy landscape with the introduction of the General Data Protection Regulation (GDPR) — a groundbreaking law that forever changed the way companies handle personal information.
Today, the GDPR remains one of the most far-reaching privacy frameworks in the world. It also paved the way for the CCPA, which launched two years later.
The CCPA and GDPR are similar in that both aim to give consumers more control over their personal data and protect them against unlawful data processing. But there are some important differences to consider.
For example, the CCPA only applies to businesses that have gross annual revenues of at least $25 million, collect data on at least 50,000 individuals, households, or devices, or earn more than half their annual revenue from selling PII. The GDPR, on the other hand, applies to all businesses that process the personal data of European citizens — regardless of annual revenue or data volume.
In addition, the GDPR has more stringent privacy requirements than the CCPA. For example, the CCPA enables companies to collect data after an individual makes a purchase or signs up for a service, but the GDPR requires consumers to opt in before any data collection can occur. The GDPR also has a much wider scope, as it contains specific data processor and cross-border transfer requirements and processing and automated decision-making limitations. The CCPA mainly focuses on the sale of personal information and respecting consumers who opt out of data collection.
As for enforcement, the GDPR levies much more severe penalties. For example, CCPA violations carry fines of up to $7,500 per incident. Consumers also have the right to sue a business for up to $750 per violation or even more, depending on the extent of the damages. GDPR violations are much costlier and can extend to up to 4% of a company’s global annual turnover or €20 million (about $23 million) — whichever is greater.
The GDPR also applies to a much larger group of people. While the CCPA only protects Californians (approximately 40 million people), the GDPR extends to every citizen within the EU (approximately 750 million people).
Privacy rights under CCPA
Consumers have several rights under the CCPA, spread out across different categories. In this section, we provide a general breakdown of each.
Right to notice
Under the CCPA, businesses must present consumers with a notice at the point of data collection that outlines what data will be collected and how it will be used. These notices must contain links to the business’ privacy policy.
Right to know
The right to know enables consumers to request that companies inform them about the categories of personal data they intend to collect, as well as why they collect that data and how they plan to use it. Businesses must respond within 12 months of each request, providing data free of charge.
Right to delete
California consumers have the right to delete personal information that companies collect about them. They also have the right to request that service providers delete certain personal data. Businesses must provide at least two methods for customers to submit requests, such as a toll-free phone number, website form, dedicated email address, or paper form.
Right to opt-out
If consumers don’t want a company to use their personal information, they can request that the business stop doing so by exercising the right to opt out. After a customer opts out, a business is unable to sell their personal information. However, a customer can later provide authorization by opting back in. A company must also wait at least 12 months before asking a customer to opt back in and agree to let the business sell their personal data.
Right to non-discrimination
Under the right to non-discrimination, the CCPA prohibits businesses from denying customers goods or services, providing a different level or quality of goods, or charging different prices to those who exercise their CCPA rights.
What businesses need to comply with CCPA?
Not all businesses need to adhere to the CCPA. It only applies to for-profit organizations that do business in California and meet at least one of the following requirements:
Exceeding $25 million in annual gross revenue;
Generating at least 50% of annual revenue from selling California residents’ personal data; or
Buying, receiving, or selling the personal data of 50,000 or more California residents, households, or devices.
Additionally, the CCPA doesn’t apply to nonprofits or government agencies in California.
How to become CCPA compliant
While not every business needs to follow the consumer data law, companies should still strongly consider following CCPA best practices and striving for compliance — particularly since so many unique privacy laws are coming down the pipe on a state-by-state level.
For starters, achieving CCPA compliance can help organizations avoid privacy issues that can lead to complaints and data breaches. What’s more, CCPA compliance is also important for small businesses and startups that intend to scale and potentially exceed the $25 million annual gross revenue threshold.
These basic steps can help organizations achieve CCPA compliance and build more resilient, consumer-friendly operations.
1. Create privacy notices and policies
The CCPA requires businesses to give consumers a notice at collection that outlines their privacy practices. This notice must list the specific categories of personal data they collect and how they plan to use it. If the business sells personal data, the notice must also contain a “Do Not Sell” link.
Furthermore, the notice must also include the business’ privacy policy, which should provide a complete description of all privacy practices and consumer privacy rights.
2. Form a data strategy
Another critical step towards achieving CCPA compliance is to form a data strategy. Companies must demonstrate how data moves across the organization from ingestion to storage.
By implementing a thorough pipelining strategy and tracking information as it flows from point to point across the organization, companies get a deeper understanding of how they collect data, where it goes, and how it’s used.
3. Establish consumers’ rights protocols
Companies often get into hot water because they fail to keep up with consumer rights protocols under the CCPA. For example, companies may not respond to consumer privacy requests in a timely manner. Similarly, they might not provide the necessary mechanisms for data requests or removals.
As a best practice, companies should strongly consider creating a dedicated CCPA task force to oversee privacy operations and take ownership of incoming requests. This can prevent requests from piling up and reduce the likelihood of penalties and lawsuits.
4. Keep up with security updates
While the CCPA doesn't state any specific security measures businesses must comply with, implementing robust security practices helps protect customer data.
Security, privacy, and operations teams can mitigate risk by working closely together to ensure all systems remain free from vulnerabilities and up to date with the latest patches. Companies should also thoroughly document security updates to demonstrate proficiency and give customers the peace of mind that comes with knowing their personal data is secure.
5. Provide ongoing training
The CCPA also mandates that all individuals responsible for handling privacy procedures receive proper training. In other words, participating individuals must know how to effectively advise consumers about their rights under the CCPA. Relevant team members must also receive guidance on CCPA regulations. This may include managers, marketing directors, social media managers, or anyone who may participate in activities governed by the CCPA.
Businesses that fall under CCPA coverage requirements must establish and document a formal CCPA training program. Organizations that fail to provide proper training may face civil penalties.
Currently, there isn’t any guidance indicating how long training needs to be or who should provide it. Training should be thorough and cover all aspects of the CCPA. As a best practice, companies should consider utilizing employees who have privacy and technical expertise. They may also partner with third-party organizations that offer specialized training courses and educational materials.
It’s time for businesses to get up to speed with CCPA compliance
In December 2022, the California Privacy Protection Agency (CPPA) met to finalize a new set of proposed privacy rules which are set to go into effect in 2023. The new California Privacy Rights Act (CPRA) will essentially serve as an amendment to the CCPA, introducing even more provisions to the law. As such, all business leaders would be wise to get up to speed with CCPA compliance and plan for upcoming changes.