California took a big step this year, passing the first consumer privacy act in the country. It’s the only state to give its residents similar protections to what you’d find in the General Data Protection Regulation (GDPR). The Act allows them to see how their information is being used and gives them more control over the sharing of their data.
The California Consumer Privacy Act (CCPA) of 2018, Assembly Bill No. 375, went into effect in January 2020. That has left many brands wondering what that means for them and their consumer base. Not only do the companies want to ensure they are being compliant, but they also want to do it quickly.
To help you with that, here’s what we will cover in this guide:
- What CCPA is and dates you need to know
- Who the bill impacts
- What does CCPA consider personal information
- GDPR vs. CCPA: How they’re the same and different
- How does it affect security
- How to accelerate your brand’s journey to compliance
- What to do if you receive consumer requests
- Risks, fees, and requirements to be compliant
- Predictions for the future of consumer privacy and compliance
Let’s start with the basics of the Act — what it is and isn’t — and how it could affect your brand.
What is the California Consumer Privacy Act?
As the name suggests, this bill is focused on protecting consumer privacy. That includes how companies use and/or sell their personal information and data, giving consumers more control over how that’s handled.
The bill grants consumers the right to:
- Request a business to disclose the categories and specific pieces of personal information that it collects about them — and how that information is used
- Opt-out of the sale of their personal information
- Non-discrimination for exercising their CCPA rights
- Categories of third parties with which the information is shared
- Request deletion of personal information — and business must delete upon receiving a request
The main point of the bill is to give any California consumer the right to demand to see the information a company has saved on them. It also allows consumers to see a full list of the third parties that data is shared with.
Dates to know
Here’s the timeline for the California Consumer Privacy Act:
- Filed with Secretary of State Jun 28, 2018
- Enacted January 2020
- Enforced started July 1, 2020, following a six-month grace period
We have passed that grace period, so companies need to get on the fast track for becoming compliant.
Who does this bill impact?
The CCPA impacts all companies that serve California residents and have at least $25 million in annual revenue. It also affects companies of any size that have personal data on at least 50,000 people — or that collect more than half of their revenues from the sale of personal data. Your brand doesn’t actually have to be based in California to be included in this bill. It only matters if you reach people who live in the state and also fall in a covered category.
The CCPA doesn’t apply to:
- Government agencies
- Health providers and insurers under HIPAA
- Financial companies covered by the Gramm-Leach-Bliley Act
- Credit reporting agencies under the Fair Credit Reporting Act
If any of the criteria above fits your company, you’ll need to take steps to become compliant now — because this law is already being enforced.
What does CCPA count as personal information?
The bill describes personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to a specific consumer or household. Here’s the list shared in the bill of what all that includes:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer. It reflects the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
Don’t let that list overwhelm you. Here are a few specific examples pulled from that of what is considered personal information:
- IP addresses
- Email addresses
- Online handles/usernames
- Geolocation data
- Search history
- Biometric information
If you’re using any of that information and fit the criteria for businesses included in this bill, you will need to become compliant right away if you aren’t already.
How similar is the CCPA to GDPR?
You’ve probably heard of the EU’s GDPR by now. The CCPA was put into place to protect consumer information, so in that respect, it’s similar to the GDPR. Here are a few other similarities the two share:
- Apply to companies located outside of their borders
- Promote some of the same themes (ex. access and transparency)
- Require companies to use a lot of resources to become compliant
However, that’s about where the similarities end. The GDPR regulates what disclosures companies can make to data subjects. It also oversees the procedures for data breach notifications, data security implementation, and more. It also includes additional rights for the data subjects, like the right to rectification, be forgotten, and not to be a subject of a decision based on automated processing.
On the other hand, the CCPA is more limited and mainly focuses on consumer privacy rights and disclosures made to consumers. While it is less comprehensive than the GDPR, that doesn’t mean it has a narrow scope or can be ignored. This Act still requires companies to make some major changes to become compliant.
Another major difference between the two is how they approach opt-ins and opt-outs. With the GDPR, users must opt-in to give their consent. However, with the CCPA, companies can simply include an opt-out (Unsubscribe) option in their messages — instead of having to earn the opt-in to begin with. Businesses can’t sell personal information after they receive an opt-out request unless the consumer gives you authorization allowing you to do so again. Also, companies have to wait at least 12 months before asking a consumer to opt back into the sale of their personal information.
Remember: Being GDPR-compliant doesn’t mean being CCPA-compliant, or vice versa.
How does it affect security?
The California Consumer Privacy Act is light on requirements for security and breach response compared to the GDPR. However, the Act does give fines (more on that below) for companies that expose consumer data because of a security lapse or breach. It also allows courts to offer “injunctive or declaratory relief,” or, “any other relief the court deems proper.”
Companies aren’t required to report breaches under the Act, requiring consumers to file complaints before fines are possible. So, the best course of action to improve security is to know what data the CCPA defines as private and take steps to secure that.
How to become CCPA-compliant
Unfortunately, there isn’t a magical switch that you can flip to ensure all of your consumer data is compliant with the CCPA. So, we’ve put together this overview to show you how to comply from start to finish.
- Identify your data assets. Figure out where the CCPA personal information is located and if that data is at risk (by checking access permissions).
- Classify the data. Consumers can request for their information to be deleted. So, if the information is properly classified, that makes that task a lot easier down the road.
- Dig deep. Look at the CCPA data to find folders that rarely are accessed. That type of information is of little value to you and could pose an unnecessary security risk.
- Implement the right permissions. One way to do that is by limiting data access to those who need it as part of their job.
- Monitor data. Follow a program to keep data safe against outside threats and unauthorized access.
- Maintain safety. Watch for new cyber threats, and adjust privacy protocols as needed.
In addition to covering your bases with the collected consumer data, there are other actions companies are required to take by the Act. Businesses must make two or more designated methods available to consumers that allow them to submit requests for information. That includes, at minimum, a toll-free telephone number and a website, if the company has one.
Companies must also disclose and deliver the required information to the consumer free of charge within 45 days of receiving a verifiable request from the consumer. You can extend that time period by an additional 45 days, when reasonably necessary. But, you must provide the consumer with a notice within the first 45-day period. You can’t require a consumer to create an account with your business to make a verifiable request.
Staying CCPA-compliant is a continuous process, just like it is to add new consumers to your database.
How to handle consumer requests
If you receive a consumer request, there are a few things you will need to do. The specifics will depend on their request, like if they want you to disclose the information on their data vs. they want to be deleted.
But generally, there are a few steps you can start with after receiving a request:
- Identify the consumer. Associate the information provided by the consumer in the request to any personal information previously collected by the business about the consumer.
- Identify by category. Look at the personal information collected about the consumer in the preceding 12 months by reference to the category that most closely describes the personal information collected.
Again, this is why it’s important to properly classify consumer data from the start. Yes, it takes extra effort at the beginning, but it will save you greatly in the future if/when you receive requests.
What happens if a business fails to comply?
Companies will have 30 days to comply with the Act once regulators notify them of a violation. From there, if they don’t resolve the issue, the company can face a fine of up to $7,500 per record. Unintentional violations are subject to fines of up to $2,500 per violation.
Also, companies that are affected by a data breach because of unreasonable information security can be ordered to pay fines between $100 to $750 per California resident involved with the incident — or damages, whichever is greater — in a civil class-action lawsuit. Remember that with statutory damages, the consumer doesn’t have to prove they incurred an actual financial loss. They just have to show the company violated the law.
Companies who aren’t compliant are risking significant fines when you factor in each impacted customer and/or non-compliant action.
Future of consumer privacy
With little leadership on the matter on the federal level, it’s not much of a surprise that California created its own privacy law. More states are sure to take note of what the Golden State is doing. So, even if this Act doesn’t affect your business now, something similar might soon.
Companies need to make smart decisions about how they handle their data security and privacy practices. If the past few years have taught us anything, it’s shown companies they should constantly monitor their systems for possible threats.
While this bill might not be as much of a burden on security as the EU’s GDPR, at least in some areas, things can always change. The true effects of the CCPA might not be seen for years. But, it’s clear consumer privacy will continue to be a hot topic across the country and beyond.