What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is the data privacy law of the state of California, the first of its kind and considered to be the toughest data privacy law in the United States. It is a consumer privacy law that enhances privacy rights and consumer protections for residents of California, effective since January 1, 2020 and enforceable as of July 1, 2020, and it requires covered companies that collect personal information from California residents (regardless of where the company is located) to put in place specific CCPA compliance protocols and procedures.
In November 2020 the CPRA (California Privacy Rights Act), also known as CCPA 2.0, was passed by ballot initiative, bringing with it a set of amendments to the CCPA that reshape what data privacy and data security obligations look like for covered businesses. The new provisions introduced by the CPRA took effect on January 1, 2023. According to the Attorney General’s website, the CPRA amends the CCPA rather than creating a new law; the two operate together as one law, referred to as the CCPA.
2023 Update: On March 29, 2023 the long-awaited CCPA Regulations became effective. Among the many clarifications they offered, these regulations confirm that the former exemption for employment-related information no longer applies: the personal information of California employees, job applicants, and independent contractors (collectively called HR Data Subjects) is now covered in the same way as that of any other California consumer.
What is Personal Information and what are other key definitions?
According to the CCPA text of the law, personal information is any information that identifies, relates to, describes or could be linked to a consumer or household and includes data such as name, email, date of birth, employment related information, and even IP address.
Sensitive personal information, newly defined in the CPRA, is information that reveals sensitive details such as, for example:
- a visitor’s precise geolocation;
- their social security number, driver’s license number, state identification card number or passport number;
- their racial or ethnic origin;
- log-in credentials for various accounts, and credit/debit card numbers together with any access code needed to access the account;
- their genetic information;
- the contents of their mail, e-mail or text messages, unless the business is the intended recipient of the communication.
California's CCPA also defines ‘biometric information’ as “an individual’s physiological, biological or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that is used or intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.” This includes, among other details, “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”
Last but not least, according to the text of the CCPA, ‘consumer’ means a natural person who is a California resident.
What does compliance with the CCPA mean?
The CCPA applies to any business, service provider or third party, but to this a fourth category is added under the CPRA, namely, contractors.
It defines a business as “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California,” and that satisfies one or more of the following thresholds:
- Had annual gross revenues of more than $25 million in the preceding calendar year;
- Annually buys, sells or shares the personal information of 100,000 or more consumers or households; or
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
A contractor is treated much like a service provider under the California Privacy Rights Act (CPRA): both are bound by the terms of a written contract that restricts how they may use the personal information they receive. Unlike a service provider, however, a contractor must also certify in that contract that it understands those restrictions and will comply with them.
Who is excluded from compliance with the California Consumer Privacy Act (CCPA)?
According to the CCPA text, there are a series of organizations and types of data that are excluded from compliance:
- Medical information governed by the Confidentiality of Medical Information Act.
- Providers of healthcare governed by the Confidentiality of Medical Information Act or “a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services.”
- Personal information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects.
- “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations, or the California Financial Information Privacy Act.”
- “personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994.”
How can I keep my organization compliant with the California Consumer Privacy Act (CCPA)?
A CCPA compliance checklist comes with a series of guidelines established by the CCPA text:
- Inform your website visitors of the categories of personal information being collected about them, and the purposes of the collection, at or before the point of collection.
- Do not collect additional categories of personal information, or use collected information for additional purposes, without first providing notice of this.
- Reply to every verifiable consumer request in a timely manner and free of charge.
- Keep track of requests so that you can prove compliance with the statutory response deadlines.
With the amendments brought by the CPRA (California Privacy Rights Act), this has been expanded: data subjects can now opt out of both the sale and the sharing of their personal information. You are required to provide a clear link on the homepage of your website, titled “Do Not Sell or Share My Personal Information”, that leads data subjects to a page where they can opt out of the sale or sharing of their personal information with third parties.
What is more, if your business processes sensitive personal information, you must provide a clear link on the homepage of your website titled “Limit the Use of My Sensitive Personal Information”.
What data access rights does the California Consumer Privacy Act (CCPA) grant?
The CCPA grants consumers the following rights, which your company must honor:
- Right to Know: consumers have the right to know what personal information is being collected about them, from which sources, for what purpose and, where applicable, to whom it is being sold or disclosed;
- Right to Delete: consumers have the right to ask that the personal information you hold about them be deleted;
- Right to Opt Out of Sale: your website visitors must be given the option to opt out of the sale of their personal information;
- Right to Non-Discrimination: discriminating against users based on whether or not they exercise their CCPA rights is forbidden; the same level of access and service must be made available to all your website visitors.
In addition to these, the CPRA (California Privacy Rights Act) law text adds two more rights, namely:
- Right to Correct: which allows your website visitors to ask that their personal information be corrected;
- Right to Limit Use and Disclosure of Sensitive Personal Information.
How to address data subject access requests under the CCPA?
The CCPA-CPRA enumerates certain rights for individuals, and to honor them companies must give consumers a way to exercise those rights through Data Subject Access Requests (DSARs), including access to the data collected about them.
One such request is the one to opt out of the sale of one’s personal information, also known as the “Do Not Sell My Personal Information” component of the CCPA. If a consumer makes this request, your company cannot sell that consumer’s information for at least 12 months, after which it may only resume selling the consumer’s information if it obtains the consumer’s affirmative consent to do so.
It is important to know that the CCPA takes a broad view of the word “sell”, which the statute defines as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
Based on our understanding of the regulation, if you’re running tracking scripts on your website, that’s considered to be selling personal information for purposes of CCPA.
CCPA-CPRA requires that you respond to any DSAR within 45 days after receipt, which can be extended once for another 45 days provided you notify the consumer about the delay. Note that in another section of the law’s text businesses are given an extension of 90 days after the initial 45 days, but it is not clear when the 45 days vs. 90 days extension applies.
Enforcement and penalties
Under the original text of the CCPA, a business found in violation had 30 days from the date of notification to cure the violation before penalties applied; the CPRA removed this mandatory cure period. CCPA penalties can reach up to $2,500 for every unintentional violation and $7,500 for every intentional violation.
In addition, any consumer whose nonencrypted and nonredacted personal information is exposed in a data breach resulting from your failure to implement reasonable security measures can recover statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater, and can seek injunctive or declaratory relief, or any other relief the court deems proper.
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.
FAQs about the CCPA-CPRA
What does CCPA-CPRA compliance mean?
The CCPA-CPRA applies to for-profit entities that do business in California and determine the purposes and means of processing personal information, and that either have annual gross revenues of more than $25 million; annually buy, sell or share the personal information of 100,000 or more consumers or households; or derive 50% or more of their annual revenue from selling or sharing personal information.
What does the CCPA-CPRA exempt?
Several types of entities and data are exempted from the CCPA-CPRA, such as certain HIPAA-regulated entities (covered entities and providers of health care governed by the Confidentiality of Medical Information Act) and the medical information they handle; personal information collected as part of clinical trials; data that is de-identified; and personal information regulated by the Gramm-Leach-Bliley Act (or the California Financial Information Privacy Act) or the Driver’s Privacy Protection Act of 1994.
What is personal information under CCPA-CPRA?
According to the CCPA-CPRA, personal information is any information that identifies, relates to, describes or could be linked to a consumer or household and includes data such as name, email, date of birth, employment related information, and even IP address.
How to facilitate CCPA-CPRA compliance?
Who enforces the CCPA-CPRA and what are the penalties for non-compliance?
Under the CCPA-CPRA both the Attorney General and the dedicated regulatory authority, the California Privacy Protection Agency (CPPA), have enforcement authority. Although no cure period is mandated any longer, the CPPA has discretion to grant one where it deems this appropriate. Penalties under the CCPA-CPRA consist of fines of up to $2,500 per violation or $7,500 per intentional violation.