California Consumer Privacy Act (CCPA)
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is legislation in the state of California that supports an individual's right to control their own personally identifiable information. It requires companies to have mechanisms for consumers to opt-out of, request access to and delete data collected by the company.
The CCPA was first passed into law on June 28, 2018. It came into effect on January 1, 2020. The California Privacy Rights Act (CPRA) amended the CCPA by adding additional consumer privacy rights and obligations for businesses. It also established the California Privacy Protection Agency. The amended CCPA went into effect January 1, 2023. On January 1, 2024, the Delete Act went into effect, requiring companies to register for a data broker registry and preparing a mechanism for consumers to request data brokers delete their data to be finished by January 1, 2026.
Consumer rights under California Consumer Privacy Act
The CCPA seeks to give California residents a way to control their personal information. They can be remembered using the acronym LOCKED:
- Limit the use and disclosure of information. Request companies only use your information for a specific purpose, such as providing a service.
- Opt-out of sale and sharing of information. If you opt-out of selling or sharing of your information, they cannot do so unless you later agree to it.
- Correct information that is incorrect about you.
- Know what information they have about you. You can request what categories and specific information they have about you, how it was obtained, the purpose the data is used for, whom the data is shared with and what data is shared. This request can be made twice a year.
- Equal treatment and pricing if you exercise any of these rights.
- Delete any information they have on you.
These rights and how to exercise them should be explained in a company's privacy policy.
Companies subject to CCPA
The CCPA applies to for profit companies that do business in California and have a gross annual revenue of over $25 million. They also apply to any company that buys, sells, or obtains information containing over 100,000 California residents or derive over 50% of their revenue buying and selling California resident's personal information.
Responsibilities of companies subject to the CCPA
Companies subject to the CCPA have several requirements, including but not limited to the following:
- Disclose data collection and sharing practices to consumers, usually through a privacy policy.
- Provide and honor an opt-out request for consumers.
- Verify the identity of consumers who request access to data.
- Respond to data access and delete requests.
- Keep a record of data requests for at least 24 months.
Protected information under the CCPA
The CCPA broadly divides protected information into two categories, personal information and sensitive personal information.
Personal information is information that identifies or could be related to you or your household. It includes the following:
- Name.
- Email address.
- Purchase records.
- Browsing history.
- Geolocation data.
- Inferences of preferences based on such data.
Sensitive personal information includes the following:
Exceptions to California Consumer Privacy Act
The CCPA does not apply to non-profit organizations and governmental agencies.
Certain data may be retained even if a delete request is received. This includes data that meets the following criteria:
California Consumer Privacy Act penalties
A business found in violation of the CCPA is first give a notification. If it fails to address an alleged violation within 30 days of being notified, the California Office of the Attorney General can then impose fines. Any business that violates the CCPA may be liable for a penalty of not more than $2,500 per each unintentional violation and $7,500 per each intentional violation.
Consumers whose data "is subject to an unauthorized access and exfiltration, theft, or disclosure" as a result of a business' violation of CCPA can recover damages of $100 to $750 or the amount of actual damages, whichever is greater.
One recent example of a violation of the CCPA is the settlement with Google for $93 million dollars. They found that Google retained and used consumer location data even when the user opted out of location data.
Comparing CCPA with General Data Protection Regulation (GDPR)
The CCPA and GDPR provide many of the same protections and rights to consumers. They both protect a consumer's information and require similar mechanisms to request and delete data.
Differences between the GDPR and CCPA include the following:
- The CCPA protects households, while the GDPR only mentions individuals.
- GDPR applies to all business and non-profits with more than 250 employees.
- The GDPR requires express consent to collect, while the CCPA only requires an opt-out.
- The GDPR can sanction companies at risk for a breach and can impose fines for a breach of up to 20 million euro or 4% of revenue, while CCPA fines are $7,500 for intentional violations and $2,500 for other violations with no cap.
Explore privacy controls to meet CCPA compliance requirements. Check out the top customer data privacy best practices and how data anonymization best practices protect sensitive data. Learn how to use a data privacy framework to keep your information secure, and overcome GDPR compliance challenges.