When the California Consumer Privacy Act took effect at the start of 2020, many businesses scrambled to determine whether the law applied to them. The CCPA is the most stringent privacy law in the United States, and for various reasons its reach extends well beyond the state's borders.
The objective of the CCPA is to give consumers certain rights to protect the data about themselves that companies might collect, store, and process for commercial purposes. To that extent, it’s similar to the General Data Protection Regulation (GDPR), which the European Union put into effect in 2018.
What is CCPA?
The California Consumer Privacy Act, or CCPA, is a law that strengthens the data privacy of California residents. It gives them the right to know when and how their personal information is collected and sold, and the right to opt out of its sale. It also protects consumers who exercise those rights from discrimination: a business may not deny them goods or services, charge them a different price, or deliver a different level of service because they did so.
How Do the CCPA and the GDPR Differ?
The GDPR aims to create a “privacy by default” legislative framework for the European Union. In contrast, the CCPA aims to increase transparency and consumer rights in California’s massive data economy.
Another way to put matters: the GDPR offers a door that EU users can close before any data processing happens; the CCPA creates a window for California consumers to open to determine which of their data has already been collected by a business or sold to a third party.
This analogy encapsulates the primary distinction between the CCPA and the GDPR.
Legal Basis vs. Opt-Out
The GDPR requires websites, organizations, and companies to establish a lawful basis before processing the personal data of people in the EU; consent from the individual is one of those bases, alongside others such as contractual necessity and legitimate interests.
The CCPA has no such framework. Under the CCPA, a company does not need a consumer's prior consent to process the person's data, nor does it need prior consent before selling that data to third parties. Instead, the consumer can opt out of the sale, and absent that affirmative step the processing and sale can continue. The one exception is minors: a business may not sell the personal information of a consumer under 16 without affirmative (opt-in) authorization from the minor (if 13 to 15) or a parent or guardian (if under 13).
Main Rights of the CCPA and GDPR
The CCPA and GDPR both include several core rights, such as the right to be informed, the right of access, and the right to data portability.
Both laws also contain, with slight modifications, the right to delete (CCPA) and the right to erasure (GDPR), as well as the right to opt out (CCPA) and the requirement of prior consent (GDPR).
The latter two are not directly comparable: the CCPA's right to opt out is closest to the GDPR's right to withdraw consent, while the GDPR's requirement of a lawful basis such as prior consent has no parallel in the CCPA.
CCPA vs. California Privacy Rights Act (CPRA)
Although the CCPA and the CPRA are frequently contrasted with one another, they are not two separate laws and neither replaces the other. The CPRA is an amendment that builds on the CCPA (most of its provisions took effect on January 1, 2023), so describing it as an upgrade to the CCPA is more accurate. The CPRA is commonly referred to as "CCPA 2.0" and is California's strictest privacy statute.
The primary distinctions between the CCPA and the CPRA are as follows:
- Scope – The CCPA applies to companies that buy, sell, or share the personal information of 50,000 or more consumers, households, or devices per year. The CPRA raises that threshold to 100,000 or more consumers or households (devices no longer count). Another related distinction is that the CCPA applies to companies that derive 50% or more of their annual revenue from selling personal information; the CPRA broadens this condition to cover both the sale and the sharing of personal information.
- Sensitive Personal Information – The CPRA adds a new category for sensitive personal information, comparable to the “processing of special categories of personal data” protected by the General Data Protection Regulation (GDPR), but differs from its categorization in the CCPA.
- Penalties – Under the CCPA, violations involving the personal information of children and individuals under 16 carry the same fine as violations involving adults' personal information: US $2,500 per violation (US $7,500 if intentional). Under the CPRA, any violation involving the personal information of a consumer under 16 is subject to the US $7,500 penalty regardless of intent.
- Consumer Requests – The CPRA expands the types of information that consumers can request from businesses, including the categories of personal information collected, the sources of collection, the purposes of collection, the third parties that have access to it, and the specific pieces of information gathered.
- Consumer Rights – The CPRA adds new consumer rights, including the right to correct inaccurate personal information (rectification) and the right to limit the use and disclosure of sensitive personal information, and it expands the existing access, opt-out, and data portability rights.
- Right to Delete – The CPRA expands the scope of this right: whenever a deletion request is received, the business must notify its service providers and contractors, and any third parties to which it sold or shared the consumer's personal information, and instruct them to delete it as well.
Who Is Subject to the CCPA?
The CCPA applies to any for-profit company that does business in the state of California and collects the personal information of California residents, regardless of where the company itself is located, and that alone or jointly determines the purposes and means of processing that information.
What are the Criteria for a Business to be Subject to CCPA Regulations?
More specifically, to be covered by the CCPA, a business must also meet at least one of these three thresholds:
- The company has annual gross revenues of more than $25 million.
- The company annually buys, sells, or shares for commercial purposes the personal information of 50,000 or more California residents, households, or devices (raised to 100,000 consumers or households by the CPRA).
- The company derives more than half of its annual revenue from selling California residents' personal information (selling or sharing under the CPRA).
Are Nonprofits Subject to the CCPA?
That question is more challenging to answer than it first seems.
The statute's text says the law applies specifically to "businesses" and defines a business as a legal entity "organized or operated for the profit or financial benefit of its shareholders or other owners." That means the CCPA doesn't apply to many nonprofits, since they don't meet that statutory definition.
The issue, however, is that some nonprofits do operate for the financial benefit of their members or owners and therefore can fall under that definition. Credit unions, for example, are nonprofit mutual benefit corporations owned by their members and are generally expected to comply with the CCPA.
Any nonprofit that owns or operates a for-profit division or is owned by a for-profit organization may also be subject to CCPA regulations (depending on its business volume, as mentioned in the bullet points above).
Even without CCPA compliance obligations, traditional donor-funded nonprofit charities should still make sure they update their privacy notices and privacy statements on web pages and explain how they manage donors’ data (such as credit card numbers and addresses) and what the organization does to prevent a data breach or theft of personal information.
Does the CCPA Apply to Government Agencies?
Because the CCPA applies only to for-profit businesses as defined above, it does not apply to government agencies.
Who Is Exempt From the CCPA?
It’s important to distinguish between the company complying with the CCPA versus specific types of data or personal information that aren’t subject to the CCPA.
Businesses that are not subject to the CCPA:
- If a business never collects the personal information of California residents, it is not subject to the CCPA.
- A provider of health care governed by the Confidentiality of Medical Information Act (CMIA) or a covered entity governed by the Health Insurance Portability and Accountability Act (HIPAA) is exempt to the extent it maintains patient information in the same manner as medical information or protected health information under those laws. Personal information it collects outside that context, such as website analytics or marketing data, can still be in scope.
The following data types are also exempt, even if the CCPA applies to the company collecting this data:
- Personal information collected when the consumer was outside of the state of California. It may be easier to determine the consumer’s location if IP addresses or geolocation data are collected during consumer service requests or purchases.
- Personal information collected from job applicants, employees, and independent contractors in that capacity. Note that this exemption expired on January 1, 2023 under the CPRA, so employee and applicant data is now covered.
- Personal health information is exempt if it is collected by a business that already complies with HIPAA or the CMIA.
- Information collected during clinical trials is exempt.
- Consumer reporting information, such as credit scores and credit ratings, that is regulated by the Fair Credit Reporting Act.
Regardless of whether a business is subject to the CCPA, California law separately requires any business that owns or maintains personal information about California residents to implement reasonable security procedures and practices to protect it from unauthorized access, destruction, use, modification, or disclosure.
What Data is Subject to CCPA?
For information to be considered personal information under the CCPA, it must meet at least one of four criteria in the statutory definition.
Information That Identifies
This criterion covers information that directly identifies a consumer or household. For example, a person's real name, Social Security number, or photograph are all personal information under the CCPA.
Information That Relates
This criterion covers information that relates to an identifiable consumer or household because of how it is used, rather than because its content identifies the person. For example, browsing history or activity data obtained via cookies or other tracking technologies may be personal information because it is tied to a particular consumer's profile.
Information That Describes
Under the CCPA, personal information includes data that describes a consumer, such as prescription records, dosages, medication identification numbers, contact details, and other attributes that characterize the person.
Information That Can Be Reasonably Linked
Businesses routinely assign internal identifiers (customer IDs, device IDs, account numbers) in their databases and software to keep records structured. Even though these identifiers were not designed to track people, the CCPA treats any information that can reasonably be linked, directly or indirectly, to a particular consumer or household as personal information.
What Are the Penalties for Violating the CCPA?
Failure to comply with the CCPA can result in regulatory enforcement or lawsuits from affected consumers. Consumers whose nonencrypted and nonredacted personal information is exposed in a breach caused by the business's failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.
The CCPA also sets out civil penalties for businesses that are out of compliance. A business can be fined up to $2,500 per violation for ordinary infractions. Because businesses collect personal information from many consumers every day, and each affected consumer can count as a separate violation, these fines can quickly total hundreds of thousands of dollars.
Businesses can be penalized up to $7,500 per violation for intentional violations. The law doesn't define "intentional," but the most likely example is a company that continues to violate the law after prior enforcement proceedings or consumer complaints have put it on notice.
Maintain CCPA Compliance Effortlessly with RiskOptics ZenGRC
As more businesses rely on suppliers who handle consumer data, or have staff who field consumer requests, compliance with data protection regulations will require greater coordination both within and outside the business.
ZenGRC monitors and simplifies workflows to ensure that consumer requests are tracked and completed within the statutory deadlines, a vital feature for meeting the CCPA.
ZenGRC also makes assessing the controls required for keeping opt-out and opt-in information easier. You gain a unified, real-time view of risk and compliance with seamless integrations with Reciprocity ZenRisk and the Reciprocity ROAR platform, supplying the context-specific perspective required to make intelligent, strategic choices that keep your company protected and earn the trust of your customers, associates, and staff.
Learn how your compliance programs affect your risk posture to prioritize initiatives that increase compliance and minimize risk. A risk posture dashboard provides the same insight as a risk assessment without the extra work, allowing you to swiftly prioritize the actions and investments that increase compliance and minimize risk.