CCPA Compliance: A Guide to California’s Data Privacy Law

July 14, 2022

Have you seen the headlines? 

Google is always listening. Alexa spies on you. Instagram tracks everything you do. Every smart device within earshot is feeding its algorithms with sensitive data it can use to influence you. 

Even if these reports aren’t completely accurate, the sheer amount of speculation just goes to show that people are more concerned about data privacy than ever. 

As people share more of their personal information with businesses, they want to know what those businesses are doing with their data and why. Governments around the world are taking notice and passing data privacy laws, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the US. 

So how does CCPA legislation impact businesses? This article offers a straightforward introduction to the essentials of CCPA. Keep reading to learn who needs to be CCPA compliant, what the law requires, penalties for non-compliance, and more. 

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act of 2018 gives California residents greater insight into and control over how businesses collect and use their personal information. 

The law requires companies to implement a range of privacy initiatives, from publishing an easily accessible privacy policy to allowing consumers to opt-out of data collection. CCPA also gives California residents specific rights concerning who can collect or process their data and for what purpose.

Because CCPA regulates what companies can and can’t do with personal information, it’s important to understand what qualifies as personal data. The CCPA text defines personal information as any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

To clarify, personal information is anything that can be linked to a specific consumer or household. This includes names and addresses, Social Security numbers, and device identifiers like IP addresses. 

Personal data does not include information that’s publicly available, such as property tax records. Aggregated data is also not considered personal information, nor is health information that’s governed by other legislation like HIPAA or California’s Confidentiality of Medical Information Act. 

Who needs to be CCPA compliant?

CCPA applies to for-profit organizations that collect the personal information of California residents. But not all businesses are subject to the data privacy law. To fall within the scope of CCPA, the organization must also meet one of these three thresholds:

  • Exceeds $25 million in annual gross revenue
  • Buys, sells, or receives/shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
  • Earns 50% or more of its annual revenue from selling personal data

CCPA and GDPR: Comparing data privacy laws

Both the General Data Protection Regulation (GDPR) and CCPA are considered some of the world’s strictest data privacy laws, and the two share several common principles. 

For one, both laws require organizations to honor a customer’s request to opt out of processing their personal data. GDPR and CCPA also require organizations to notify consumers of a data breach. Both protect the consumer’s right to request that their personal data be erased and the right to data portability.

That said, the two laws aren’t interchangeable. There are some differences in the finer points of the legislation. For example, GDPR specifically allows consumers to rectify errors in their personal data.

But the main difference to note is that CCPA takes a broader approach by extending its definition of personal information. Under GDPR, personal information is information that can be linked to a particular individual. With CCPA, it only needs to be linked to a specific household or device.

How to comply with CCPA requirements

Under CCPA, organizations are required to respect consumer rights regarding their personal data. To be compliant with the law, businesses must follow these requirements:

Right to Disclosure 

If you collect information about consumers protected by CCPA, you must inform them at the point of data collection (or before). 

Right to Access

Consumers have the right to access the personal information you’ve collected from them. If you receive a request from a consumer, you have 45 days to provide them with the information in a readily usable format, free of charge. Consumers must also have easy access to your complete privacy policy. 

Right to Contact Information

Organizations are required to make it easy for consumers to find out more about their privacy policy and their efforts to comply with CCPA. This includes contact information for submitting requests related to consumer rights.

Right to Opt-out

If your organization sells a consumer's personal information, you are required to give them the opportunity to opt out. This includes a web page that clearly offers an opt-out option with a link to your privacy policy. You must also give consumers the right to opt out of future marketing efforts.

Right to Fair Treatment

Organizations are prohibited from discriminating against consumers who exercise their rights under CCPA. 

Periodically update the Privacy Policy

Privacy policies must be updated at least every 12 months to reflect the organization’s current processes for collecting, selling, processing, or handling consumer data. 

Establish business purpose

Under CCPA, organizations must have a business or commercial purpose for collecting personal information from consumers. It defines 7 types of business purposes: 

  1. Auditing interactions with consumers, such as counting ad impressions
  2. Detecting and preventing security incidents
  3. Debugging to identify and repair errors in functionality
  4. Short-term use that does not involve building a customer profile
  5. Providing services such as customer support and order fulfillment
  6. Conducting internal research and development
  7. Verifying the quality and safety of a device, such as performing device upgrades

Penalties for CCPA non-compliance

Organizations must respond to consumer requests to exercise their rights under CCPA within 45 days of receipt. If the organization fails to address a violation within 30 days of notification, it’s subject to a penalty of up to $7,500 per violation from the California Attorney General. In the event of a data breach, consumers can pursue damages up to $750 per violation. 

Although there have not been any CCPA fines issued yet, there may be soon. In November 2020 Californians passed the California Privacy Rights Act (CPRA). This established the California Privacy Protection Agency (CPPA), the enforcement arm of the CCPA/CPRA. The CPRA officially activates in January 2023 with a one-year look-back period. Companies to which the CCPA requirements are applicable, whether they know it or not, may face potentially enormous fines if they are found to be out of compliance.

CCPA compliance FAQs

If my business isn’t located in California, do I still need to be CCPA compliant? 

Yes. If your business sells goods or services to or collects the personal information of California residents and meets one of the other threshold requirements, you must follow CCPA.

Does CCPA apply to non-profit organizations or government agencies?

CCPA applies to for-profit legal entities that collect the personal information of California residents. It does not apply to non-profit organizations and government agencies. 

Can businesses sell the personal information of a minor?

Organizations cannot sell the personal information of consumers under the age of 16 without consent. Children aged 13-16 can give consent, but children 12 and under require parental consent. Note that the federal Children’s Online Privacy Protection Act regulations apply in addition to CCPA requirements. 

Can businesses deny a consumer’s opt-out request?

Organizations can refuse a consumer’s request to opt-out under certain special conditions. These include when selling personal information is necessary to comply with other legal obligations or defend legal claims, and when the personal information is a type that’s exempt from CCPA. 

Simplify security compliance with Secureframe

Whether your organization must comply with legislation like CCPA or GDPR, needs to get a SOC 2 report to satisfy customer demands, or just wants to build a more mature cybersecurity program, Secureframe can help.

Our platform makes it easier to achieve and maintain compliance with multiple frameworks by automatically collecting evidence, monitoring your tech stack for nonconformities, fetching vendor security data, and more. Learn more about our solution by requesting a demo today.
