• Secureframe Blogarrow
  • CCPA Compliance: A Guide to California’s Data Privacy Law as Amended by CPRA [+ Checklist]
CCPA Compliance: A Guide to California’s Data Privacy Law as Amended by CPRA [+ Checklist]

CCPA Compliance: A Guide to California’s Data Privacy Law as Amended by CPRA [+ Checklist]

  • February 21, 2023

Over 80% of consumers are concerned about the use of their personal data and 95% feel it’s important that their data is protected when online, according to a new report by Motive.co.

As people share more of their personal information with businesses, they are increasingly concerned with what those businesses are doing with their data and why. Governments around the world are taking notice and passing data privacy laws, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the US. 

So how does CCPA legislation impact businesses? This article offers a straightforward introduction to the essentials of CCPA, as amended by the California Privacy Rights Act. Keep reading to learn who needs to be CCPA compliant, what the law requires, penalties for non-compliance, and more.

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act of 2018 gives California residents greater insight into and control over how businesses collect and use their personal information. 

The law requires companies to implement a range of privacy initiatives, from publishing an easily accessible privacy policy to allowing consumers to opt-out of data collection. CCPA also gives California residents specific rights concerning who can collect or process their data and for what purpose.

Because CCPA regulates what companies can and can’t do with personal information, it’s important to understand what qualifies as personal data. The CCPA text defines personal information as any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

To clarify, personal information is anything that can be linked to a specific consumer or household. This includes names and addresses, Social Security numbers, and device identifiers like IP addresses. 

Personal data does not include information that’s publicly available, such as property tax records. Aggregated data is also not considered personal information, nor is health information that’s governed by other legislation like HIPAA or California’s Confidentiality of Medical Information Act.

Who needs to be CCPA compliant?

CCPA applies to for-profit organizations that collect the personal information of California residents. But not all businesses are subject to the data privacy law. To fall within the scope of CCPA as amended by the CPRA, the organization must also meet one of these three thresholds:

  • Exceeds $25 million in annual gross revenue
  • Buys, sells, receives, or shares for commercial purposes the personal information of 100,000 or more consumers, households, or devices
  • Earns 50% or more of its annual revenue from selling or sharing personal data

CCPA vs CPRA: Comparing data privacy acts

CPRA is a ballot initiative that passed in November 2020. It does not replace CCPA. It amends it and includes additional privacy protections for consumers.

The majority of the CPRA’s provisions became operative on January 1, 2023. However, the California Attorney General is still working on finalizing his revision on CPRA so enforcement on these new provisions will not begin until later in 2023.

To help you understand and prepare to comply with this amended legislation, we’ll cover the key changes below:

  • Established the California Privacy Protection Agency (CPPA): This agency was established to implement and enforce the law. While the CPPA has full administrative power, authority, and jurisdiction to do so, the California AG still retains civil enforcement authority.
  • Updated the qualifying criteria: Two of the three criteria for CPRA compliance changed. It now applies to for-profit organizations that buy, sell, or share the personal information of 100,000 or more consumers or households (previously, it did not include “share” and the threshold was 50,000). It also applies to for-profit organizations that earn 50% or more annual revenue based on sharing personal information, not just selling.
  • Added two consumer rights: The CPRA adds two additional consumer rights to CCPA’s original set. These new rights are the right to correct inaccurate personal information and the right to limit use and disclosure of sensitive personal information. More details on all CCPA consumer rights can be found below.
  • Defined a new subset of personal information: CPRA defines a new subset of personal information known as “sensitive personal information.” SPI may reveal a person’s racial or ethnic origins as well as passport numbers, precise geolocation, biometric data, text messages, and more. Organizations must allow consumers to opt-out of the use and disclosure of their SPI.

CCPA and GDPR: Comparing data privacy laws

Both the General Data Protection Regulation (GDPR) and CCPA are considered some of the world’s strictest data privacy laws, and the two share several common principles. 

For one, both laws require organizations to honor a customer’s request to opt-out of processing their personal data. GDPR and CCPA also require organizations to notify consumers of a data breach. Both protect the consumer’s rights to request their personal data be erased and for data portability. 

That said, the two laws aren’t interchangeable. There are some differences in the finer points of the legislation. For example, GDPR specifically allows consumers to rectify errors in their personal data.

But the main difference to note is that CCPA takes a broader approach by extending its definition of personal information. Under GDPR, personal information is information that can be linked to a particular individual. With CCPA, it only needs to be linked to a specific household or device.

How to comply with CCPA and new CPRA requirements 

To be compliant with the law, businesses must follow the key requirements below. 

1. Establish a business purpose for collecting personal information

Under CCPA, organizations must have a business or commercial purpose for collecting personal information from consumers. It defines 7 types of business purposes: 

  • Auditing interactions with consumers, such as counting ad impressions)
  • Detecting and preventing security incidents
  • Debugging to identify and repair errors in functionality
  • Short-term use that does not involve building a customer profile
  • Providing services such as customer support and order fulfillment
  • Conducting internal research and development
  • Verifying the quality and safety of a device, such as performing device upgrades

2. Respect consumer rights

Under CCPA, organizations are required to respect consumer rights regarding their personal data. These rights include:

Right to Know

Consumers have the right to know what personal information of theirs is sold or shared, and to whom. So if you collect information about consumers protected by CCPA, you must inform them at the point of data collection (or before).

Right to Access

Consumers have the right to access the personal information you’ve collected from them. If you receive a request from a consumer, you have 45 days to provide them with the information in a readily usable format, free of charge. Consumers must also have easy access to your complete privacy policy. 

Right to Delete

Consumers can request that you delete their personal information and tell your service providers to do the same. There are exceptions, such as if your business is legally required to keep the information.

Right to Contact Information

Organizations are required to make it easy for consumers to find out more information about its privacy policy and efforts to comply with CCPA. This includes contact information for submitting requests related to consumer rights. 

Right to Opt-out

If your organization sells or shares a consumer's personal information, you are required to give them the opportunity to opt-out. This includes a web page that clearly offers an opt-out option with a link to your privacy policy. You must also give consumers the right to opt out of future marketing efforts. 

Right to Fair Treatment

Organizations are prohibited from discriminating against consumers who exercise their rights under CCPA. 

Right to Correct

Consumers have the right to correct inaccurate personal information that a business has about them. This is a new right given under CPRA.

Right to Limit Use and Disclosure of Sensitive Personal Information

Consumers also have the right to limit the use and disclosure of sensitive personal information collected about them. For example, they can direct a business to only use their precise geolocation data to provide them with the services they requested. This is a new right given under CPRA.

3. Update your privacy policy annually

Privacy policies must be updated at least every 12 months to reflect the organization’s current processes for collecting, selling, processing, handling, or sharing consumer data. 

4. Create a notice at collection

Organizations must have a notice at collection to disclose to consumers what personal information they are collecting. This notice must include:

  • The categories of personal information it has collected about that consumer.
  • The categories of sources from which the personal information is collected.
  • The business or commercial purpose for collecting, selling, or sharing personal information.
  • The categories of third parties to whom the business discloses personal information.
  • The specific pieces of personal information it has collected about that consumer.

As required by a new provision in the CPRA, this notice must also include:

  • the categories of sensitive personal information collected and whether they are sold or shared
  • the length of time you to retain each category of personal information, or the criteria that would be used to determine the retention period

5. Complete CCPA training

CCPA training is required for all individuals responsible for handling consumer inquiries about a company’s privacy practices. This training should explain what rights consumers have under the law and how they can exercise those rights.

All personnel involved with collecting, storing, processing, selling, or sharing consumers’ personal information should be provided with data privacy training to help them handle different categories of personal data securely. 

The law does not specify how often employees must complete training but annual training is recommended.

CCPA Compliance Checklist

To help you evaluate your company’s CCPA compliance readiness, download the CCPA compliance checklist below. 

Penalties for CCPA non-compliance

Organizations must respond to consumer requests to exercise their rights under CCPA within 45 days of receipt. If the organization fails to address a violation within 30 days of notification, it is subject to a penalty of up to $7,500 per violation from the California Attorney General. In the event of a data breach, consumers can pursue damages up to $750 per violation. 

While CPRA provisions are not enforceable yet, companies managing high volumes of personal data of California residents still face significant fines and penalties for violating CCPA provisions, like Sephora’s $1.2 million settlement.

CCPA compliance FAQs

If my business isn’t located in California, do I still need to be CCPA compliant? 

Yes. If your business sells goods or services to or collects the personal information of California residents and meets one of the other threshold requirements, you must follow CCPA.

Does CCPA apply to non-profit organizations or government agencies?

CCPA applies to for-profit legal entities that collect the personal information of California residents. It does not apply to non-profit organizations and government agencies. 

Can businesses sell the personal information of a minor?

Organizations cannot sell the personal information of consumers under the age of 16 without consent. Children aged 13-16 can give consent, but children 12 and under require parental consent. Note that the federal Children’s Online Privacy Protection Act regulations apply in addition to CCPA requirements. 

Can businesses deny a consumer’s opt-out request?

Organizations can refuse a consumer’s request to opt-out under certain special conditions. These include when selling personal information is necessary to comply with other legal obligations or defend legal claims, and when the personal information is a type that’s exempt from CCPA. 

Are the exemptions for employee data and business-to-business transactions still in effect?

No. The exemptions for employment-related personal information and personal information reflecting B2B transactions expired on January 1, 2023. This personal information will now be subject to the requirements of CCPA.

What does “sharing” consumers’ personal information mean?

According to CPRA, sharing is defined as renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to a third party for cross-context behavioral advertising. This definition applies whether or not money is exchanged.

Does CCPA compliance require audits or risk assessments?

CCPA does not include a requirement for conducting audits or risk assessments. The CPRA introduces the concept of requiring businesses whose processing of personal information presents “significant risk” to consumers’ privacy or security to perform an annual cybersecurity audit and conduct regular risk assessments. But ultimately it charges the CPPA to develop the specific standards and expectations through the rulemaking process.

Simplify security and privacy compliance with Secureframe

Whether your organization must comply with legislation like CCPA or GDPR, needs to get a SOC 2 report to satisfy customer demands, or just wants to build a more mature cybersecurity program, Secureframe can help.

Our platform makes it easier to achieve and maintain compliance with multiple frameworks by automatically collecting evidence, monitoring your tech stack for nonconformities, fetching vendor security data, and more. Learn more about our solution by requesting a demo today.