
What Is CCPA? Overview, Laws, Requirements, & Future

As we leave our data on every site we visit, personal information has become a valuable asset for both consumers and companies.

For that reason, organizations process increasing amounts of personal information every day.

While there is nothing wrong with that, many companies sell the data of consumers to make a profit without their consent.

At the same time, with a hacker attack taking place every 39 seconds, a great share of organizations have failed to protect their customers’ sensitive personal information from data breaches that cost $3.86 million on average.

For that reason, data protection and privacy have become an important issue, with 46% of consumers feeling they have lost control over their personal information.

Besides consumers, governments have also realized the importance of data privacy. As a result, they have passed laws to provide increased control to their citizens and regulate how businesses can interact with their personal information.

The California Consumer Privacy Act (CCPA) is among such data privacy laws, which we will explore more in detail in this article.

What Is the California Consumer Privacy Act (CCPA)?

The CCPA refers to the California Consumer Privacy Act, a data privacy law passed by the California state legislature in June 2018.

Also called the “California GDPR” and “GDPR Lite,” the CCPA follows the footsteps of the European Union’s General Data Protection Regulation (GDPR).

The CCPA introduces new rules related to how businesses can collect and process data, consequences for non-compliance and breaches, as well as rights that allow California residents to have increased control over their personal information.

When Did the CCPA Go Into Effect?

While the state of California passed the law on June 28, 2018, the CCPA only went into effect on January 1, 2020.

Affected businesses were given six full months to comply with the law as part of a grace period. Commencing July 1, 2020, California authorities have the right to enforce the law and fine companies for non-compliance.

Who Does the CCPA Apply to?

The California Consumer Privacy Act applies to two different parties.

On one side is the consumer, defined as a California resident under the CCPA. Every natural person who resides in the state – even if physically outside California for a temporary or transitory purpose – is considered a California resident.

Since the CCPA provides increased control over their personal information, consumers are clearly the ones who benefit from the state’s data privacy law.

Indeed, under California’s data protection law, businesses don’t have much choice other than to comply with the CCPA’s rules.

However, the CCPA does not apply to all organizations.

To qualify as a business under the CCPA, the organization has to be a for-profit company that “does business” in California.

While this definition is rather vague, it means that an organization doesn’t have to be located in the state (or even in the United States) to be affected by the CCPA.

Instead, any for-profit business that serves California residents has to comply with the state’s data protection laws if it meets one of the following:

  1. Has an over $25 million gross annual revenue,

  2. Purchases, receives, or sells the personal data of 50,000 or more California residents, households, or devices, or

  3. Earns 50% or more of its annual revenue from selling the personal information of California residents.

It’s important to mention that, since IP addresses are considered personal information under the CCPA, any for-profit organization operating a website that has at least 50,000 unique visits from California in a given year has to comply with the state’s privacy rules.

The CCPA also applies to data brokers that are defined in the privacy law as organizations collecting and selling consumer personal information to third parties without having a direct relationship with end-users.

However, the CCPA exempts organizations regulated by certain other laws from complying with the California Consumer Privacy Act’s rules.

Examples of these organizations include credit bureaus as well as certain financial institutions and insurance firms.

Why Is the CCPA Important?

The CCPA is an important step towards consumer data privacy.

Until the law came into force, organizations could interact with citizens’ personal information without any major rules or accountability.

Nowadays, personal information is precious and extremely valuable. While businesses benefit from the worth of personal data, consumers largely tend to share significant amounts of their data without realizing it.

Without a data protection law, businesses can’t be held accountable for how they store and interact with the consumers’ personal information. On top of that, they can collect and sell personal data to make a profit without the users’ knowledge or consent.

In the worst-case scenario, the lack of proper security measures could lead to consumer data being obtained by malicious parties, potentially causing serious damages to the victims.

Similar to the EU’s GDPR, the California Consumer Privacy Act focuses on fixing the above issues by introducing stricter rules for businesses with the goal to safeguard consumer data and the privacy of the users.

Businesses impacted by CCPA may need to allocate an increased amount of resources to comply with the new rules in order to handle consumer data with care and avoid being fined by authorities.

With that said, the CCPA also provides some benefits to organizations. Upon compliance with the privacy rules, businesses can highlight how they protect their customers’ data to earn the loyalty and trust of consumers.

It’s also crucial to emphasize that the CCPA is a state-wide privacy law designed to safeguard the personal information of California residents. Currently, the United States lacks a federal law that offers data protection on the national level.

Interestingly, it is increasingly becoming the standard for US businesses to use CCPA-compliant privacy measures not just for California citizens but also for all their users throughout the nation (and even overseas).

How Does the CCPA Define Personal Information and What Data Does It Cover?

The California Consumer Privacy Act defines personal information as data that identifies, relates to, or could be reasonably linked to an individual or his household. Examples include:

  1. Name

  2. Age

  3. Email address

  4. Postal address

  5. Demographics data

  6. Social Security Number

  7. Driver’s license number

  8. Records of purchased products

  9. Geolocation data

  10. Internet browsing history

  11. IP address

  12. Biometric data (e.g., fingerprints)

  13. Financial information (e.g., credit card data)

  14. Account name or another online identifier

  15. Inferences from other personal information that can be used to create a profile about someone’s characteristics and preferences

The CCPA does not cover publicly available data from federal, state, or local government records. Professional licenses and public real estate records are good examples of data not covered under the CCPA.

Are Cookies Considered Personal Information Under the CCPA?

For business owners, it’s essential to take a look at whether and how the CCPA impacts the cookies they collect about California consumers.

Cookies refer to small text files that a website places on a user’s browser upon visiting the site. By doing so, businesses can collect information about the consumer, the user’s device, as well as other data that helps them recognize the user when he or she returns to the website.

We differentiate two types of cookies.

Cookies fall into the first category if they are necessary for a website’s core functions, recording only random identifiers, which are often deleted after the user closes his browser.

However, most cookies are placed on websites by third parties, using unique IDs to collect a wide range of data on consumers for marketing and analytical purposes.

Cookies falling into this category often store user data for longer times (even tens of years), which is a practice that can violate the consumers’ privacy.

Because the CCPA categorizes them as unique identifiers, cookies fall under its rules.

As per the notice at collection rule (more on this later), the business has to clearly display its cookie policy to users upon their visit, including what kind of personal information it collects about them and for what purpose.

Are There Any Privacy Policy Requirements in the CCPA?

The California Consumer Privacy Act requires businesses to disclose their privacy policies at a visible place on their websites.

Besides that, the companies’ websites have to include information about the privacy rights of consumers outlined in the CCPA (e.g., the right to know) as well as how users can exercise them.

What Are the Rights and the Requirements Under the CCPA?

As mentioned earlier, the CCPA provides new rights to consumers over their data as well as rules on how businesses can interact with it.

The Right to Know

The right to know refers to the ability of California consumers to submit requests to businesses to disclose what personal data they have collected, used, shared, or sold about them, along with the reasons for doing so.

Consumers can request businesses to provide the following information:

  1. The categories of personal information collected

  2. Specific records of personal data collected

  3. The categories of the sources the business used to collect the data

  4. The purposes for using the personal information

  5. The categories of third parties the business shares the data with

  6. The categories of personal information the business discloses or sells to third parties

However, businesses can deny the consumers’ right to know requests in some cases, including:

  1. The company can’t verify the consumer’s request

  2. The request is manifestly unfounded or excessive

  3. The business has already responded to the right to know request of the same consumer more than twice in a 12-month period

  4. Businesses are prohibited from disclosing sensitive personal information (e.g., financial account number, social security number, account password), even to the consumer. However, in such a case, the company still has to inform the user about the type of sensitive personal data it collects

  5. Revealing the data would restrict the organization’s ability to exercise or defend legal claims or rights or comply with legal obligations

  6. The personal data falls into a category that is exempt from the CCPA (e.g., certain medical information and consumer credit reporting data)

To exercise their right to know, consumers have to submit a request via one of the methods (e.g., email message, phone call) provided by the company.

After submission, the business has 45 calendar days to respond, which can be extended to a total of 90 days upon notifying the consumer.

Organizations have to provide the sought data free of charge for the 12-month period preceding the consumer’s request.

It’s crucial to mention that consumers must submit their requests directly to the company in order to get their claims accepted.

According to the CCPA, businesses often use the solutions of multiple service providers (e.g., payment gateways, shipping companies, etc.). The privacy act treats service providers differently than the businesses they serve, making the latter parties responsible for responding to CCPA-related consumer requests. For that reason, submitting a right to know request to a service provider instead of a business will likely result in a denied claim.

Notice at Collection

A notice at collection refers to the mandatory duty of a business to inform consumers about the personal data it collects about them, at or before the point at which it gathers the information.

As per the CCPA, the notice at collection should include the categories of personal information gathered about consumers and the purposes for which businesses use them.

There is a further requirement for companies that do not just collect and use the consumers’ personal information but also sell it.

According to the CCPA, such businesses must include a “Do Not Sell” link in the notice, which users can use to opt-out of the sale of their personal data.

The Right to Opt-Out

With the right to opt-out, consumers can use the “Do Not Sell” link on a business’ website to request the company not to sell their personal data to third parties.

After submitting the opt-out request, the business is prohibited from selling the consumer’s personal data unless he later authorizes the company to do so again.

However, businesses must wait at least 12 months before asking a consumer who decided to opt-out for authorization to sell his personal data again.

It’s crucial to note that the CCPA includes some cases in which consumers are unable to exercise their opt-out rights.

A business might refuse user opt-out requests when:

  1. The sale of the consumer’s data is necessary for the company to comply with legal obligations, defend legal claims, or exercise legal claims or rights

  2. The personal information falls into a category that is exempt from the CCPA (e.g., certain medical data, consumer credit reporting information)

The Right to Delete

Under the CCPA, consumers not only have the right to opt-out of the selling of their personal data but also to request that businesses delete the personal information collected about them.

Similar to the right to know, businesses have a maximum of 45 calendar days – which can optionally be extended by another 45 days after notifying the user – to respond to the request.

Also, consumers must submit their requests directly to the business instead of one of its service providers, which is the same process as in the right to know.

In addition to fulfilling the consumer’s request, the company has to notify its service providers to delete any records they possess related to the user.

The CCPA includes multiple exceptions for the right to delete, including cases in which:

  1. The business can’t verify the consumer’s request

  2. The business needs the personal information to complete the consumer’s transaction, provide a reasonably anticipated product or service, or for certain product recall and warranty purposes

  3. The data is crucial to carry out certain business security practices

  4. The user’s personal information is essential for certain internal uses, which are compatible with reasonable consumer expectations or the context in which the data was provided

  5. The lack of the consumer’s data would prevent or limit the business in complying with legal obligations, exercising legal claims or rights, or defending legal rights

  6. The CCPA does not cover that type of personal information

The Right to Non-Discrimination

Without the right to non-discrimination, businesses could prevent consumers from exercising their control over their data.

As per the CCPA, the right to non-discrimination requires businesses to provide the same quality of products at the same price to consumers whether or not they have exercised their data privacy rights, without denying them access to their services.

However, there is one exception to the rule.

When a consumer opts out of the sale or requests his data to be deleted, a business may not be able to complete the transaction if it needs the user’s personal information or a related sale to provide him goods or services.

But in such a case, the business can still provide services to the consumer by rightfully denying his opt-out or data deletion request (as this is considered an exception under the CCPA).

While businesses can’t discriminate against consumers based on whether they have exercised their rights under the CCPA, the privacy law allows them to offer promotions, deals, and discounts in exchange for collecting, storing, or selling their users’ personal data.

However, organizations can only offer such deals to consumers if the financial incentive is reasonably related to the value of the users’ personal data.

According to the CCPA, by opting out of a sale or requesting to delete their personal information, consumers might not be able to participate in the special data-related deals of businesses.

How Is the CCPA Enforced?

It’s important to mention that the CCPA lacks a dedicated government body or agency responsible exclusively for enforcing the privacy law.

With that said, the California Consumer Privacy Act can be enforced in two ways.

First, consumers have the right to sue a business violating the CCPA but only in a limited number of cases, all of which are related to data breaches.

In the instance of a data breach, a consumer can initiate a lawsuit against a business if his non-encrypted and non-redacted personal information was stolen due to the company’s failure to use reasonable security measures to protect it.

In such a case, a consumer can sue the business for statutory damages.

But before doing so, the user has to first give written notice to the company of the specific CCPA sections it violated.

After submission, the business has a maximum of 30 days to respond to the consumer with a written statement about curing the violations the user referred to, as well as a guarantee that no further CCPA violations will occur.

Unless the business refuses to respond in the above timeframe or continues to violate the CCPA’s rules, the consumer is unable to sue a company that has managed to cure the violation.

Also, consumers can only sue a business in the event the following personal information types have been stolen in a non-encrypted and non-redacted form during a data breach:

  1. Sensitive government-issued documents or unique ID numbers used for identification purposes (e.g., social security and passport numbers, driver’s licenses, tax IDs)

  2. Financial information combined with the security code or password that allows someone to access the account (e.g., credit card number with a CVV or a bank account number with a username and password)

  3. Medical and health insurance information

  4. Biometric data used for personal identification (e.g., fingerprints, photos used for facial recognition purposes)

California’s Attorney General is responsible for enforcing all other CCPA violations.

While the Attorney General can file an action against non-complying companies, he doesn’t represent individual California consumers.

Instead, the Attorney General’s office monitors consumer complaints to identify patterns of misconduct and may launch a large-scale lawsuit against violating businesses on behalf of California citizens.

What Are the Fines and Consequences of Violating the CCPA?

In the last section, we have explored how the California Consumer Privacy Act can be enforced. Now, let’s see what the fines and consequences of violating the CCPA are.

For violating the CCPA, authorities can punish a business with fines, which fall into two categories.

In the first category, the consumer is the one that sues the company. Here, the fines are less severe for non-compliant businesses, ranging from $100 to $750 per consumer per incident or actual damages (whichever is greater).

However, the state can impose a fine of up to $2,500 per violation for an organization that unintentionally breaches the CCPA. Intentional infringements come with a higher price for businesses, which can be up to $7,500 per violation.

At first glance, the CCPA’s fines can seem rather mild compared to a strict privacy law such as the EU’s GDPR, where a single penalty can be as much as 20 million EUR ($23.66 million) or 4% of the annual global turnover of a company.

However, these can add up to a hefty fine as authorities punish companies by the number of violations or incidents (or actual damages) per consumer. For that reason, non-compliance with the CCPA bears high costs even for a business that serves only a few California consumers.

How Is the CCPA Different From the GDPR?

Since the bill was passed in April 2016, the EU’s General Data Protection Regulation (GDPR) has been in the spotlight, and it remains so long after it became enforceable in May 2018.

And it shouldn’t come as a surprise.

Applying to all businesses targeting EU citizens, the GDPR introduced strict rules for companies while providing increased control to 515 million people over their data.

With businesses facing maximum penalties of up to 20 million EUR ($23.66 million) or 4% of their global annual turnover (whichever is greater), European authorities have imposed nearly 260 million EUR ($308 million) of fines on non-compliant companies to date.

While the CCPA and the GDPR share similar features, there are some major differences between the two data protection laws.

In the table below, you can see how the two data privacy regulations compare:

| | CCPA | GDPR |
|---|---|---|
| Business Coverage | For-profit businesses that do business in California and fall into one of the three categories: 1.) Have an annual gross revenue above $25 million, 2.) Interact with the personal data of 50,000 or more California consumers, 3.) At least 50% of their annual revenue comes from selling the personal information of California consumers. | All data controllers and data processors that are either based in the European Union or interact with the personal information of EU citizens (no matter where the organizations are located). |
| Parties Protected | California consumers, referring to any natural person that resides in the state for other than a temporary or transitory purpose | EU data subjects, referring to all citizens in the European Union that have their personal information collected or processed by organizations |
| Enforcement | California’s Attorney General with the option for the state’s consumers to sue businesses for damages | The data protection agencies of EU member states with the option for European Union citizens to initiate lawsuits against non-compliant organizations |
| Data Types Covered | All personal information that relates to, identifies, or could reasonably be linked with a California consumer or household, with the exception of publicly available personal data from federal, state, or local government records | All data that relates to an identified or identifiable EU data subject |
| Consent Requirements | Businesses must obtain the consumers’ consent in the case of minors, or when users have previously opted out of the sale of their personal information | Unless a legal basis applies, organizations must obtain the consent of EU citizens prior to processing their data |
| Security Requirements | While the CCPA lacks specific security requirements for businesses, consumers have the right to sue violating companies for damages that are the result of their failure to follow the appropriate security practices and procedures | As per the GDPR, both data controllers and data processors are required to implement both technical and organizational security measures appropriate to the level of risk involved |
| Consequences of Non-Compliance | $100 to $750 per consumer per incident or actual damages (whichever is greater) in the case of consumer lawsuits, and $2,500 to $7,500 per violation of civil penalties imposed by California’s Attorney General | Up to 20 million EUR ($23.66 million) or 4% of the annual global turnover of the violating organization (whichever is greater) |

In addition to the differences listed above, there’s another main difference between the two data privacy laws.

While it includes most of the rights introduced in the GDPR, the CCPA lacks the right to rectification and the right to object to automated decision-making.

Also, the CCPA only provides partial coverage for the GDPR’s right to restrict processing and the right to object to processing in the form of the right to opt-out.

What Is the California Privacy Rights Act (CPRA) and How Is It Different From the CCPA?

Also called the “CCPA 2.0”, the California Privacy Rights Act (CPRA) is an extension of the CCPA.

Passed in California in November 2020, the CPRA aims to address the limitations of the CCPA to protect the state’s consumers more efficiently.

One of the most important changes the CPRA introduces is establishing an organization – called the California Privacy Protection Agency (CPPA) – that is solely responsible for enforcing the state’s privacy laws.

With this move, the CPRA seeks to relieve the California Attorney General’s burden and instead create an agency that has the necessary resources to take legal action against non-compliant businesses.

Furthermore, the CPRA introduces two new rights:

  1. The right to rectification: With the right to rectification, consumers can request businesses to correct inaccurate personal information.

  2. The right to restriction: Here, consumers can exercise their right to limit how businesses use and disclose their sensitive personal data.

Also, businesses collecting personal data from California consumers have to clearly and transparently inform users in case they use automated decision-making technology.

Regarding personal information, the CPRA differentiates sensitive (e.g., social security numbers) and standard consumer data, introducing separate rules for interacting with each. Also, authorities can impose three times the fines for violations that involve minors’ personal data.

Furthermore, the CPRA requires companies to protect the privacy of not only California consumers but also of their employees and independent contractors.

Although the CPRA was passed in November, it will only become effective on January 1, 2023, and enforceable on July 1, 2023.

With that said, the refined privacy law will likely have an impact on how companies collect personal information from January 1, 2022.

What Are the Advantages and the Downsides of the CCPA?

In this section, we have collected the advantages and the downsides of the California Consumer Privacy Act.

| Pros | Cons |
|---|---|
| Increased data privacy rights for consumers | Fewer rights than in the GDPR, which only apply to California consumers on the state level |
| While the California Attorney General is responsible for enforcing the CCPA, consumers can sue companies for statutory damages | The CCPA lacks an agency solely dedicated to enforcing the consumers’ privacy rights and California residents can only commence lawsuits against violating businesses in a limited number of cases |
| As the refined version of the CCPA, the CPRA introduces more rights to California consumers and fixes some of its predecessor’s shortcomings | Consumers have to wait until January 2022 before noticing the effects of the privacy law, which will not become enforceable until July 2023 |
| Since there is no upper limit for the fines, organizations violating the CCPA’s rules face dire consequences | The CCPA doesn’t cover all types of personal information and only applies to for-profit organizations that do business in California and fall into one of the three threshold categories |
| Despite being only a state-wide privacy law, since it applies to a large part of US organizations, the CCPA introduces a new standard for data privacy across the United States | |
| Businesses can take advantage of their compliance with the CCPA to increase the trust and loyalty of their customers | |

CCPA: A Crucial Step Towards Consumer Data Privacy

Providing increased control to California consumers over their personal information, the CCPA is amongst the most important data privacy laws in the United States.

While it takes some extra legwork for businesses to comply with the CCPA’s regulations, they can showcase their dedication to follow the state’s data privacy laws and thereby increase their customers’ trust and loyalty.

CCPA may only cover California residents, but because the law applies to many businesses in the US and abroad, it introduces a new standard in data privacy (especially in the United States).

As a result, an increasing number of US states have come up with their own data protection regulations, with a growing chance for a federal consumer privacy law to be introduced in the (near) future.

On the flip side, the CCPA is not as strict as the EU’s GDPR and clearly has its shortcomings.

With that said, the newly passed California Privacy Rights Act (CPRA) will provide a solution to the majority of those issues.
