The CCPA (California Consumer Privacy Act) is a data privacy law enacted in 2018 to protect California residents’ personally identifiable information (PII). The law came into force in January 2020. The legislative objective for the CCPA was to combat rising incidents of data breaches in the technology, media, entertainment, and telecommunication industries.

The CCPA ensures that California residents have control over how businesses handle their PII. It also ensures that businesses honor California residents' requests to access and delete their PII, and that residents have the ability to opt out of the sharing and selling of their personal information.

What Is CCPA Compliance?

Modeled after the European Union’s General Data Protection Regulation (GDPR), the CCPA provides that businesses collecting PII from California residents must provide information on how data is collected. It also has similarities with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). For a business to ensure that it is compliant, it may need to adjust its privacy policy to include: 

  • The information a business collects and processes
  • The reason for which the information is collected and processed
  • Methods used to collect and process personal information
  • What residents need to do to request access, change, move, or delete their personal data
  • The method to be used to verify the identity of the person who submits such a request
  • The sale of users’ PII and how they can opt out of selling their data

What Is the Geographical Scope of the CCPA?

The CCPA is a state-wide data privacy law but applies to businesses worldwide, provided they handle PII belonging to California residents. The law is considered one of the strictest privacy laws in the United States.

Organizations That Must Comply With the CCPA

The CCPA applies to all for-profit businesses collecting and controlling PII belonging to California residents. It also applies to for-profit businesses in California that meet any of the following criteria:

  • Gross annual revenue of over US$25 million
  • 50% or more of annual revenue comes from selling PII belonging to California residents
  • Buys, receives, or sells the PII of 50,000 or more California residents, households, or devices annually

Organizations Not Subject to the CCPA

The CCPA doesn’t apply to nonprofits, smaller companies that don’t meet the revenue thresholds, and those that don’t deal in large amounts of PII from California residents.

Other situations where the CCPA doesn’t apply include:

When No PII Is Involved

The main focus of the CCPA is on PII. Publicly available information—namely, information lawfully made available from federal, state, and local government records—is not subject to the CCPA.

When Other Laws and Regulations Apply

Other regulations regarding data protection already govern some industries. Such laws include the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA). The CCPA exempts data that is already covered under these laws.

Key Provisions of the CCPA

Although the CCPA is compared to the GDPR, it has a much broader definition of regulatory compliance. The CCPA defines protected PII as data that “identifies, relates to, describes, can be associated with, or could reasonably be linked to a particular person.”

The CCPA gives California residents the right to request a business to disclose any of the following: 

  • All data collected about the consumer
  • Categories of sources from which the information is collected
  • The business purpose for collecting that information
  • Any third party with which the information is shared

For businesses, the CCPA defines business purpose as the use of personal information for business operations, provided that its use is reasonably necessary and proportionate to achieve the purpose for which the information was collected or processed. According to the CCPA, business purpose includes:

  1. Auditing relating to a current interaction with a consumer and subsequent transactions with the consumer
  2. Monitoring and detecting security incidents, protecting against illegal activities, and prosecuting those responsible for such activities
  3. Short-term use of personal information provided the information is not disclosed to a third party and is not used to create a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction
  4. Conducting internal research on a business for technological development
  5. Providing services on behalf of the business, such as maintaining accounts, customer service, processing orders and transactions, verifying customer data, processing payments, providing advertising or marketing, and analytic services
  6. Providing services to verify or maintain the quality or safety of a service or device for the business

Personal Information Under the CCPA

The CCPA ensures privacy rights and consumer protection of California residents regarding their PII, which includes:

  • A person’s real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, Social Security number, driver’s license number, or passport number
  • Commercial information such as records of personal property, purchases, purchasing or consuming histories, or tendencies
  • Biometric data
  • Internet activity information such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information provided the information is not publicly available
  • Inferences drawn to create a profile about a consumer to reflect the consumer’s identity, preferences, characteristics, trends, behavior, attitudes, and abilities

Penalties and Fines for Noncompliance With the CCPA

Noncompliance with the CCPA carries financial penalties and fines. According to the CCPA, the Attorney General of California can impose a maximum fine of $7,500 per violation for purposefully ignoring the mandates of the CCPA, which is deemed intentional noncompliance. Failing to encrypt user data that was accessed during a breach, which could be deemed unintentional noncompliance, carries a fine of $2,500 per violation.

The CCPA also gives consumers a private right of action in the event of a data breach due to noncompliance. Consumers may sue a business for statutory damages in such a breach. Before proceeding, a consumer must notify the business of the violation and give it 30 days to address the violation. If the business fails to address the violation within that period, it becomes subject to statutory damages of up to $750 per affected consumer.

Steps to Become CCPA Compliant

There are several steps that organizations must follow to become and remain CCPA compliant:

1. Establish Business Obligation to the CCPA

The CCPA protects any natural human being who is a California resident. The CCPA mandates that California residents have a right to know what PII businesses collect on them and how they use that data. A business must enable the customer to opt out of the use of that information and ensure that they can obtain a copy of the information being held by the business upon request.

2. Map All Consumer Data Held and Collected

Once a business determines that it is obligated to comply with the CCPA, the next step is to map all PII under the control of the business.

3. Evaluate All Third Parties With Which Consumer Data Is Sent and/or Received

The next step is to do the same with all the third parties with which a business shares PII. As part of its third-party risk management (TPRM), an organization needs to verify that each of these third parties is compliant with the CCPA. This includes reviewing and updating the privacy policy.

4. Make It Easy for Consumers to Exercise Their Rights According to the CCPA

The next step is to create processes and procedures that consumers can use to exercise their rights as provided for in the CCPA.

5. Identify and Implement Any Needed Operational Changes

Some operational business changes may be needed to accommodate the CCPA. Such changes include how consumer information is collected and handled, how consumer requests will be handled, and how continuous compliance occurs.

6. Train Employees

The final step is to train employees on how compliance affects your business and how this impacts the handling of consumer data. Teams must be trained on how the CCPA defines a consumer, what it defines as personal information, and how to respond to requests from consumers.

Comparing the CCPA to the GDPR

The CCPA and the GDPR are laws that regulate how organizations within their respective jurisdictions handle PII. Both laws give individuals greater power over how businesses manage their personal information.

The CCPA applies to businesses engaging in for-profit activities and handling, collecting, or processing personal information for California residents. The GDPR, on the other hand, gives European Union (EU) residents control over how businesses collect and use their personal information. The GDPR is uniformly binding in all 27 EU member states. The following is a quick comparison of the CCPA and the GDPR (adapted from a Baker Law document):

| Area | CCPA | GDPR | Comparison |
|---|---|---|---|
| Who Is Protected | Consumers who are California residents that are: in California for other than a temporary or transitory purpose; or domiciled in California but currently outside the State for a temporary or transitory purpose. Consumers include: consumers of household goods and services; employees; B2B transactions | Data subjects defined as identified or identifiable persons to which personal data relates | Different but similarly broad effect; focus on information related to identifiable natural person but definitions differ; potential extraterritorial effects for businesses located outside of the jurisdiction |
| What Information Is Protected | Personal data that is to be sold for monetary value | Any personal data | Similar |
| Anonymous, Deidentified, Pseudonymous, or Aggregated Data | Deidentification can be used for compliance. Aggregated data also cannot “reasonably” be linked to an individual or small group. | GDPR’s concept of anonymization requires that an individual’s identifiable information be irreversibly prevented from being used. GDPR requires pseudonymization. | Largely similar but GDPR requires pseudonymization |
| Privacy Notice/Information Right | CCPA gives consumers the right to know what information is being held and to get a copy of that information | GDPR allows individuals to know how long their information will be held | Similar |
| Security | CCPA does not directly impose data security requirements | Provides the requirement for appropriate technical and organizational measures to secure personal information and reduce security risk | GDPR provides for security of personal information while CCPA doesn’t |
| Opt-out Right for Personal Information Sale | CCPA provides the right to opt out of personal information sales | GDPR allows data subjects to withdraw consent for processing activities and not to allow processing of their data for marketing purposes | CCPA provides the right to opt out of personal information sales while GDPR doesn’t explicitly allow it |
| Children | CCPA addresses the sale of children’s information (not all processing) and requires that businesses first obtain opt-in consent. Parents must provide consent for children under 13; teens 13–15 can provide their own consent. | GDPR requires that parents provide consent for the processing of their children’s personal information in an online environment | Largely similar |
| Right of Disclosure or Access | Allows consumers to know what information is being collected and to get a copy of that information | Allows individuals to know how long their information will be held | Similar |
| Right of Data Portability | Consumers can exercise their right to data portability | Individuals can exercise their right to data portability | Similar |
| Right to Deletion/Erasure | CCPA provides for the right to deletion | GDPR provides for the right to be forgotten | Similar with certain differences such as the response time. Under CCPA, the response time is 45 days, while under GDPR, the response time is 30 days. |
| Right of Rectification | Does not provide for the right to rectification of personal information | Provides for the right to rectification | GDPR allows the right to rectification while CCPA does not |
| Right to Restrict Processing | CCPA only has the opt-out right for the sale of personal information | Provides for the right to restrict processing | Different |
| Right to Object to Processing | Only allows the right to opt out of the sale of personal information | Allows for the right to object to the processing of personal information | Different |
| Right to Object to Automated Decision-making | Not found under CCPA | Allows the right to object to automated decision-making | Different |
| Non-discrimination | Prohibits discrimination against individuals who exercise their privacy rights | Prohibits discrimination against individuals who exercise their privacy rights | Similar |
| Responding to Rights Requests | Provides for 45 days as the response time to rights requests | Provides for 30 days as the response time to rights requests | Similar but with different timelines for response |
| Penalties (Private Rights of Action) | CCPA provides for consumers’ private right of action | GDPR does not mention an individual’s private right of action. | Different |
| Penalties (Civil Fines) | Penalties applied per violation ($2,500–$7,500). Consumer can sue the business for violation ($100–$750). | Penalty based on annual global turnover (4% or €20 million) | Different |

Figure 1. Comparison of CCPA and GDPR.

What Is the CPRA?

In 2020, the California Consumer Privacy Act was enacted. The California Privacy Rights Act (CPRA) is an amendment to the CCPA that takes effect in January 2023 with enforcement activated in July 2023. The CPRA amends the CCPA to include more privacy rights for California residents. While the law mainly offers the same protections under the CCPA, it updates some of its provisions and introduces several others.

The CPRA establishes the California Privacy Protection Agency to be responsible for implementing and enforcing this law. It also retains the attorney general as the civil enforcement authority.

Sensitive Content Communications and the CCPA

Private sector businesses must track, control, and secure the digital communications of PII belonging to California residents to comply with the CCPA. Historically, businesses have relied on numerous tools for sensitive content communications, with siloed approaches for the different communication channels (email, file sharing, file transfer, managed file transfer, web forms, and application programming interfaces [APIs]). This creates a bifurcation of metadata that makes it difficult for organizations to institute centralized and automated governance of PII and to maintain an integrated risk management approach.

The Kiteworks platform consolidates digital communications of confidential data like PII into a Private Content Network. Kiteworks unifies, tracks, controls, and secures PII shared and sent into, within, and out of an organization, which helps ensure CCPA regulatory compliance.

For more information on how Kiteworks can create a Private Content Network for your organization, schedule a custom-tailored demo today.

 
