Understanding CCPA Compliance

The General Data Protection Regulation (GDPR) set a huge precedent in modern digital privacy regulation. We've seen regions throughout the world adopt similar data protection laws in the time since its inception, and the financial liabilities are only part of the story. Customers and users of software products are now savvier than ever when it comes to understanding the importance of data privacy rights.

The US doesn't currently have an equivalent of the GDPR, but some states have decided to push forward rather than wait for the federal government to implement legislation. California's "California Consumer Privacy Act" is the largest and most impactful example we've seen thus far.

The California Consumer Privacy Act (CCPA) was first signed into law in June 2018, but officially went into effect on January 1st, 2020—though enforcement didn't start until July 1st, 2020. Who does it affect and what does it do? The quick version is: any mid to large sized company that deals with the personal information of residents of California needs to comply. The long version has more nuance. Let's take a look at who needs to be concerned with CCPA compliance, what personal information is protected, and how the CCPA compares with similar legislation.

Note: As with any advice related to law and government legislation, this information is meant to provide insight and act as a starting point. We recommend consulting with your legal team and privacy professionals as you work toward regulatory compliance in your area.

What companies are affected by the CCPA

Unlike many privacy regulations that target every company that handles the personal information of people in their jurisdiction, the CCPA limits its compliance requirements to for-profit businesses that do business in California, collect the personal information of California residents, and meet one or more of the following thresholds:

  • Annual gross revenue above $25 million (total revenue, not just revenue earned in California).
  • Annually buy, sell, share, or receive the personal information of 50,000 or more consumers, households, or devices.
  • Derive 50% or more of annual revenue from selling personal information.

"Doing business in California" does not require a physical presence there; a company headquartered elsewhere that serves California residents and crosses one of these thresholds is covered. The CCPA defines a consumer as any natural person who is a California resident. The CCPA regulations also impose additional record-keeping and reporting obligations (publishing annual metrics on the consumer requests received and how they were handled) on businesses that buy, sell, share, or receive the personal information of 10 million or more consumers in a calendar year.

As a regional regulation that focuses on the personal data of California residents only, it would be easy to expect the CCPA to have limited impact, particularly with its revenue and user-base criteria. What we've seen instead is that, due to California's size, its economy, and its jurisdiction over most of Silicon Valley, the law has had a far wider reach than similar state policies. Much as international companies were forced to abide by the GDPR, many businesses outside of California have updated their processes to comply with the CCPA rather than try to segment California residents from everyone else.

CCPA Compliance Requirements

To best understand what a business needs to do to be compliant, we should first look at what rights consumers in California have. There are five key rights outlined in the privacy law:

  • The right to notice: Businesses must provide notice to the consumer at or before the point of collection that states which categories of personal information are being collected and the purposes for which they will be used.
  • The right to delete (often called the right to be forgotten): Individuals can request that a business delete the personal information it has collected from them. There are exceptions, such as information needed to complete a transaction, meet a legal obligation, or detect security incidents, but in general an individual can request the removal of the personal information a business holds about them.
  • The right to know: Individuals can request disclosure of the categories and specific pieces of personal information a business has collected about them, the sources it came from, the purpose for collecting it, and the categories of third parties it was sold or disclosed to.
  • The right to opt out of sale: The sale of personal information is a focal point of most data privacy law. This right gives individuals the ability to direct a business not to sell their personal information.
  • The right of nondiscrimination: Because individuals can choose to exercise these rights, they also have the right not to be discriminated against for doing so, for example through denial of service, a different price, or a lower level of service. Sale of data cannot be made a condition of using a service. Businesses can, however, offer financial incentives for the use of data, provided the incentive is reasonably related to the value of the data and the consumer opts in.

With the rights of the consumer (in this case, California residents) understood, we can look at what businesses need to do to be compliant. An organization's compliance is largely a matter of enabling consumers to exercise their rights under the law.

  • The business must disclose to the consumer what their rights are, how to exercise them, how their information is used, and how it is shared.
  • Companies cannot discriminate against a consumer based on whether the consumer chooses to exercise their rights under the CCPA.
  • Businesses need to set up processes to verify and respond to consumer requests to know what data is held about them, to delete that data, and to opt out of the sale of their information. Requests must be answered within 45 days of receipt (extendable once by a further 45 days when reasonably necessary), and at least two request channels must be offered, one of which is a toll-free number unless the business operates exclusively online.
  • Businesses that sell personal information are required to display a clear link on their homepage with the text "Do Not Sell My Personal Information" that allows the consumer to opt out of data sales.
  • When it comes to the information of minors, a business may not sell the personal information of a consumer it knows to be under 16 unless it obtains opt-in consent: from the minor for ages 13 through 16, and from a parent or guardian for children under 13.
  • Websites and applications must inform users at or before the point of collection which categories of data will be collected and for what purposes, and, where the data will be sold, how to opt out of that sale.
  • Privacy policies need to be updated at least every 12 months and must list the categories of personal information collected over the preceding year, as well as the categories that were sold or disclosed for a business purpose and to which categories of third parties.

In addition to these compliance requirements, businesses must implement and maintain reasonable security procedures and practices to protect personal information. This is reflected in the penalties that can be imposed on businesses that fail to do so.

For instances of noncompliance, an unintentional violation can incur a civil penalty of up to $2,500 per violation. Intentional violations can incur up to $7,500 per violation. Consumers cannot, in general, directly sue a business that is out of compliance; instead, complaints go to the California Attorney General, who decides whether to pursue action (under the original CCPA a business had 30 days to cure an alleged violation after being notified). These fines may appear low, but they are assessed per violation. A single violation that affects 50,000 consumers could in principle result in a $125,000,000 penalty.

The one exception is a data breach. Where a business's failure to implement reasonable security leads to unauthorized access, theft, or disclosure of nonencrypted and nonredacted personal information, affected consumers can sue directly for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. For engineering teams, this is the provision with teeth: encryption at rest and demonstrable access controls are what keep a breach out of the private right of action.

How CCPA compares to GDPR and other legislation

GDPR is considered the foundation for modern data privacy law, so it is common to see future regulation adopt large parts of it. CCPA does adopt many aspects of GDPR and they do overlap in some ways, but the CCPA is unique.

It is best to understand the intent behind the GDPR and the CCPA to see how they compare. The GDPR is preemptive, while the CCPA is reactive. For example, the GDPR requires a lawful basis (consent being the most visible one) before personal data is processed, while the CCPA allows collection by default and lets the consumer opt out of sale after the fact. Fundamentally this shifts the responsibility onto the individual in the case of the CCPA, as opposed to placing it on the business under the GDPR.

Another difference is the scope of who needs to be compliant. While legislation like the General Data Protection Regulation affects essentially any organization processing the personal data of people in the EU, the CCPA only reaches larger businesses, those that earn a large share of revenue from data sales, or those that handle a large volume of California residents' information. One difficulty that smaller organizations had with GDPR compliance was the cost of putting all the necessary processes and training in place. The CCPA removes some of this burden by limiting compliance requirements to larger organizations.

This limit to the scope, however, doesn't stop the CCPA from having a disproportionate impact. Due to California's large economy and population, along with its jurisdiction over most of Silicon Valley's big tech companies, compliance became an almost immediate requirement for much of the industry.

The CCPA also expands on the notion of "personal information" described in the GDPR. We go further into this in our article on personally identifiable information, but one notable addition is that personal information can relate to a "household" rather than only an individual. For example, data from a smart-home device may not be tied directly to a specific person in that home, but it can still be indirectly linked to an individual.

Expansions to CCPA and the future

As of 2021, we've already seen expansions to the CCPA. Voters in California passed the California Privacy Rights Act (CPRA) as Proposition 24 in November 2020. It does not take effect until January 1, 2023, but it addresses some of the more administrative issues with the CCPA and establishes a new agency to handle enforcement. The California Privacy Protection Agency (CPPA) will take over enforcement and rulemaking from the Attorney General and work on future rules that adapt as technology and the needs of individuals evolve. The CPRA also adjusts the applicability thresholds (the 50,000-consumer threshold rises to 100,000 consumers or households), adds a right to correct inaccurate information and a right to limit the use of sensitive personal information, and removes the 30-day cure period. The CCPA is intended to be a long-term framework for protecting the privacy of California residents rather than a law locked to a specific point in time.

How to be CCPA compliant

Compliance isn't as simple as a checklist, regardless of what some companies try to sell you. CCPA compliance in particular requires a set of systems to be in place to let users retrieve all their data, delete all their data, and opt out of the sale of their data. This means you need to tag each piece of personal information with the consumer it came from and the source it was collected through, keep track of where it goes and to whom it is sold or disclosed, record which records fall under a retention exception, and set up a way to notify service providers and third parties when a consumer opts out or requests deletion. This is much more than a quick change that can be made when a complaint is filed.

One place to start with managing data for CCPA compliance, or any other privacy initiative, is by mapping data within your organization. We go deep into what data mapping is and how to get started in our article on mapping personally identifiable information. This is a good time to identify all of your organization's service providers and third-party data brokers as well, since you will need to make much of that information available to consumers in your privacy policy and in responses to requests to know.
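The mechanics described in the two paragraphs above (tag records by subject and source, track recipients, honour access, deletion and do-not-sell requests, and propagate them downstream) are easier to see in code than in prose. The following is an added illustration written for this article, not code from any company's compliance product; the `PrivacyRegistry` class, the record categories, the sample consumers and the partner names are all constructed for the example.

```python
"""Minimal data-subject request registry illustrating CCPA request handling.
Added example for this article; all names, categories and partners are
hypothetical. A real system would back this with the data map, not a list."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

RESPONSE_WINDOW = timedelta(days=45)   # CCPA: answer a verifiable request within 45 days


@dataclass
class Record:
    subject_id: str                             # consumer or household the data belongs to
    category: str                               # CCPA category, e.g. "identifiers"
    value: str
    source: str                                 # where it was collected
    shared_with: Set[str] = field(default_factory=set)   # partners it was sold/disclosed to
    retention_reason: Optional[str] = None      # set => exempt from deletion (legal/contract)


class PrivacyRegistry:
    """Tracks every piece of personal information by subject, its source and
    its recipients, so each consumer right can be honoured end to end."""

    def __init__(self) -> None:
        self.records: List[Record] = []
        self.do_not_sell: Set[str] = set()
        # Outbound notices a real system would send to partners: (partner, subject, action)
        self.partner_notices: List[Tuple[str, str, str]] = []

    def collect(self, record: Record) -> None:
        self.records.append(record)

    def _for_subject(self, subject_id: str) -> List[Record]:
        return [r for r in self.records if r.subject_id == subject_id]

    def _partners_of(self, subject_id: str) -> Set[str]:
        return set().union(*(r.shared_with for r in self._for_subject(subject_id)))

    def sell(self, subject_id: str, partner: str) -> bool:
        """Share a subject's records with a partner unless the subject opted out."""
        if subject_id in self.do_not_sell:
            return False
        for r in self._for_subject(subject_id):
            r.shared_with.add(partner)
        return True

    def access_request(self, subject_id: str) -> Dict[str, list]:
        """Right to know: categories, sources, recipients and specific pieces."""
        recs = self._for_subject(subject_id)
        return {
            "categories": sorted({r.category for r in recs}),
            "sources": sorted({r.source for r in recs}),
            "sold_or_disclosed_to": sorted(self._partners_of(subject_id)),
            "records": [(r.category, r.value) for r in recs],
        }

    def delete_request(self, subject_id: str) -> Dict[str, list]:
        """Right to delete: remove everything not held under an exception,
        report what was retained and why, and pass the request downstream."""
        recs = self._for_subject(subject_id)
        deleted = [(r.category, r.value) for r in recs if not r.retention_reason]
        retained = [(r.category, r.retention_reason) for r in recs if r.retention_reason]
        for partner in sorted(self._partners_of(subject_id)):
            self.partner_notices.append((partner, subject_id, "delete"))
        self.records = [r for r in self.records
                        if r.subject_id != subject_id or r.retention_reason]
        return {"deleted": deleted, "retained": retained}

    def opt_out(self, subject_id: str) -> List[str]:
        """Do-not-sell: block future sales and tell past recipients to stop."""
        self.do_not_sell.add(subject_id)
        partners = sorted(self._partners_of(subject_id))
        for partner in partners:
            self.partner_notices.append((partner, subject_id, "opt_out"))
        return partners

    @staticmethod
    def response_due(received: date) -> date:
        return received + RESPONSE_WINDOW


def demo() -> PrivacyRegistry:
    """Constructed sample data: two consumers, one prior sale to a broker."""
    reg = PrivacyRegistry()
    reg.collect(Record("c-1", "identifiers", "alice@example.com", "signup_form"))
    reg.collect(Record("c-1", "geolocation", "37.77,-122.41", "mobile_sdk"))
    reg.collect(Record("c-1", "commercial", "order#1001", "checkout",
                       retention_reason="tax record, 7 years"))
    reg.collect(Record("c-2", "identifiers", "bob@example.com", "signup_form"))
    reg.sell("c-1", "AdBrokerCo")
    return reg


if __name__ == "__main__":
    reg = demo()
    print(reg.access_request("c-1"))
    print(reg.opt_out("c-1"), reg.sell("c-1", "OtherBrokerInc"))
    print(reg.delete_request("c-1"), reg.partner_notices)
```

The two design points worth carrying into a real implementation are that the retention exception travels with the record (so a deletion request can report exactly what was kept and why, instead of silently ignoring it) and that every request fans out to the partners who previously received the subject's data, which is only possible because recipients were tracked at the moment of sale rather than reconstructed later.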

If your company isn't yet at the scale where CCPA compliance is required, now is a great time to start building these processes into your organization. It is much easier to build privacy into an application from the start than to bolt it on at the last minute. More importantly, respect for your users' privacy is increasingly a business advantage that your sales team can leverage. As more regulation is finalized across the globe, investing early in privacy-focused practices will give you a major advantage over other companies in your space, and save you money and reputation in the long run.
