When the California Consumer Privacy Act went into effect at the start of 2020, many businesses scrambled to determine whether the law applied to them. The CCPA is the most stringent privacy law in the United States, and for various reasons, its reach can extend well beyond the state’s borders.

The objective of the CCPA is to give consumers certain rights to protect the data about themselves that companies might collect, store, and process for commercial purposes. To that extent, it’s similar to the General Data Protection Regulation (GDPR), which the European Union put into effect in 2018.

Who Is Subject to the CCPA?

The CCPA applies to any company that does business in the state of California and collects personal information and data from its customers – regardless of whether or not those individuals are California residents – and processes or shares this information with other third parties for commercial purposes.

More specifically, to be covered by the CCPA, a business must also fall within at least one of these three categories:

  • The company has annual gross revenues of more than $25 million.
  • The company sells, buys, or otherwise shares for commercial purposes data collected from more than 50,000 California residents, households, or computer devices each year.
  • The company gets more than half its annual revenue from selling California residents’ personal information.

What Data Is Subject to the CCPA?

For information to be considered personal, it must satisfy four criteria in the CCPA definition.

Identifying Information

This criterion covers information that identifies a customer or a household. For example, a person’s real name, Social Security number, or photograph are all considered personal data under the CCPA.

Information That Relates

This criterion pertains to identifiable data based on its intended use rather than its substance in identifying a person or household. For example, information obtained via cookies or other monitoring technologies may be classified as personal information that ties to a consumer and constitutes a component of that customer’s data.

Information That Describes

Under the CCPA, personal data includes information like pharmaceutical prescriptions, dosages, medication identification numbers, contact information, and other information that can define a consumer.

Information That Can Be Reasonably Linked

Companies often build tracking identifiers into internal databases and software simply to keep their data organized. Even though such technology was not expressly designed to track people, the CCPA classifies any information obtained about an individual in this way as personal data.

Are Nonprofits Subject to the CCPA?

That question is harder to answer than it first seems.

The statute’s text says the law applies specifically to “businesses” and defines a business as any legal entity “organized or operated for the profit or financial benefit of its shareholders or other owners.” That means the CCPA doesn’t apply to many nonprofits since they don’t meet that statutory definition.

The issue, however, is that some nonprofits operate for the profit and financial benefit of shareholders or other owners and therefore are subject to the CCPA. Credit unions, for example, are nonprofit mutual benefit corporations and are expected to comply with the CCPA.

Any nonprofit that owns or operates a for-profit division or is owned by a for-profit organization may also be subject to CCPA regulations (depending on its business volume, as mentioned in the bullet points above).

Even without CCPA compliance obligations, traditional donor-funded nonprofit charities should still make sure they update their privacy notices and privacy statements on web pages and explain how they manage donors’ data (such as credit card numbers and addresses) and what the organization does to prevent a data breach or theft of personal information.

Who Is Exempt From the CCPA?

It’s important to distinguish between a company that is not subject to the CCPA at all and specific types of data or personal information that are exempt even when the company collecting them must comply.

Businesses that are not subject to the CCPA:

  • If a business never collects data from California residents, it is exempt from the CCPA.
  • A medical service provider that already complies with the Health Insurance Portability and Accountability Act (HIPAA) or the Confidentiality of Medical Information Act (CMIA) is not subject to the CCPA.

The following data types are also exempt, even if the CCPA applies to the company collecting this data:

  • Personal information collected when the consumer was outside of the state of California. Be aware that it may be easier to determine the consumer’s location if IP addresses or geolocation data are collected during consumer requests for services or purchases.
  • Personal information collected from job applicants, employees, and independent contractors as part of a hiring process.
  • Personal health information is exempt if it is collected by a business that already complies with HIPAA or the CMIA.
  • Information collected during clinical trials is exempt.
  • Consumer reporting information, such as credit scores and credit ratings, is also exempt.

Regardless of whether a business is subject to the CCPA, the company is always responsible for maintaining reasonable security procedures and preventing unauthorized access to consumer information.

How Do the CCPA and the GDPR Differ?

The GDPR aims to create a “privacy by default” legislative framework for the whole European Union, whereas the CCPA aims to increase transparency and consumer rights in California’s massive data economy.

Another way to put matters: the GDPR offers a door that EU users can close before any data processing happens; the CCPA creates a window for California consumers to open, to determine which of their data has already been collected by a business or sold to a third party.

This analogy encapsulates the primary distinction between the CCPA and the GDPR.

Legal Basis vs. Opt Out

The GDPR requires websites, organizations, and companies to establish a legal basis before processing personal data in the EU; the first such basis listed in the regulation is the person’s consent.

The CCPA has no such framework. Under the CCPA, a company does not require a user’s prior consent to process the person’s data, nor does a website need a user’s prior consent before transferring that data to third parties. Rather, the consumer can opt out of such data processing – but absent that affirmative step to opt out, data processing can continue.

Main Rights of the CCPA and GDPR

The CCPA and GDPR both include several core rights, such as the right to be informed, the right of access, and the right to portability.

Both laws also contain, with slight modifications, the right to deletion (CCPA) and the right to erasure (GDPR), as well as the right to opt out (CCPA) and the right of prior consent (GDPR).

In some ways, the latter two are incomparable because the right to opt out (CCPA) is best compared to the right to withdraw permission (GDPR), while the fundamental right of prior consent (GDPR) has no parallel in the CCPA.

What Are the Penalties for Violating the CCPA?

Failure to comply with the CCPA can result in regulatory fines or lawsuits from unhappy consumers, especially if the aggrieved parties show that the company didn’t maintain proper data security or privacy protection.

The CCPA specifically provides for sanctions against businesses that are out of compliance. Companies might face fines of up to $2,500 per violation for standard infractions. Because businesses acquire personal information from many customers daily, these fines can quickly total hundreds of thousands of dollars.

Businesses can be penalized up to $7,500 per infraction for deliberate noncompliance. The law doesn’t expressly define what “deliberate noncompliance” is, but the most likely example is when a company violates the privacy law repeatedly, notwithstanding past enforcement proceedings or customer complaints.

Maintain CCPA Compliance Effortlessly with Reciprocity ZenComply

As more businesses rely on suppliers who handle consumer data, or employ staff who field customer requests, compliance with data protection regulations will require greater communication both within and outside the business.

Reciprocity ZenComply monitors and simplifies workflows to ensure that consumer requests are completed – a vital feature for meeting CCPA requirements.

ZenComply also makes assessing the controls required for keeping opt-out and opt-in information easier. You gain a unified, real-time view of risk and compliance with seamless integrations with Reciprocity ZenRisk and the Reciprocity ROAR platform, supplying the context-specific perspective required to make intelligent, strategic choices that keep your company protected and earn the trust of your customers, associates, and staff.

Learn how your compliance programs affect your risk posture to prioritize initiatives that increase compliance and minimize risk. A risk posture dashboard provides you with the same insight as a risk assessment without the extra work, allowing you to swiftly prioritize the actions and investments that increase compliance and minimize risk.

Schedule a demo and start down the worry-free path to CCPA compliance, the Zen way.