What is CCPA? An Expert Guide to the California Consumer Privacy Act.

A whopping 94% of organizations acknowledge that their customers will not do business with them if their data isn’t properly protected. And 91% admit they must do more to reassure customers about how their data is being used by third parties and new technologies, including artificial intelligence (AI).

The California Consumer Privacy Act of 2018 gives consumers more control over their data. Enacted in January 2020 and enforced by the California Attorney General's office, the law requires all businesses that collect personal data from California residents to comply with its strict regulations. The California Privacy Rights Act (CPRA) expands and strengthens these rights, imposing additional obligations and increased penalties.

Overview of CCPA

The California Consumer Privacy Act (CCPA) is a law that gives California residents the right to know what personal information is being collected about them, the right to have that information deleted, and the right to refuse its sale.

It applies to any for-profit business conducting business in California that meets one or more of the following criteria:

  • Annual gross revenues over $25 million.
  • Buys, sells, receives, or shares the personal information of 50,000 or more consumers, households, or devices.
  • Derives 50% or more of its annual revenues from selling consumers’ personal information.

There are five main requirements for businesses:

  1. Disclosure. Consumers have the right to know what personal information is collected about them. Businesses must disclose the categories of personal information they collect, use, or sell.
  2. Access. Consumers have the right to request certain information from businesses, including the sources from whom their personal information was collected.
  3. Deletion. Consumers have the right to request that a business delete any personal information it has collected about them.
  4. Opt-Out. Consumers have the right to know whether and to whom their personal information is sold or disclosed, and to opt out of its sale.
  5. Non-discrimination. Consumers have the right to receive equal services and pricing from a business, even if they exercise their privacy rights under CCPA.

In addition, businesses must provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information” that takes consumers to an opt-out page.

What Types of Data Does the CCPA Cover?

Unlike the GDPR, which focuses on protecting specific data, the CCPA concentrates more on what constitutes sensitive information. For example, olfactory data, website browsing history, and user activity records are all included. Under CCPA, "personal information" includes:

  • Any identifier that is unique to consumers. This includes real names, aliases, postal addresses, unique personal identifiers, online identifiers, IP addresses, email addresses, account names, Social Security numbers (SSN), driver's license numbers (DLN), passport numbers, or other similar identifiers.
  • Biometric information.
  • Commercial information relating to goods or services acquired, considered, or planned and other purchasing or consumption histories or trends.
  • Information related to professional employment.
  • Geolocation data.
  • Information regarding a consumer's online or other electronic network activity, including but not limited to browsing history, search history, and information about a consumer's interaction with a website.
  • Any information conveyed through audio, electronic, visual, or thermal means.
  • Protected classifications under California or federal law.
  • Education information that is not publicly available.
  • Inferences drawn from any data described in this section to develop a consumer profile based on tastes, traits, psychological tendencies, preferences, predispositions, actions, beliefs, intelligence, talents, and abilities.

CCPA Enforcement

The California Attorney General's office enforces the CCPA, and violations can result in civil penalties of up to $2,500 per violation or $7,500 per intentional violation.

The CCPA also gives consumers the right to file a private right of action if their personal information is breached due to a business's failure to implement reasonable security measures. In such cases, consumers can recover damages of up to $750 per consumer per incident or actual damages, whichever is greater.

A "third party" under CCPA is a person or agency that receives personal information but is outside the business that collects it. This includes businesses that are exempt and any service providers that process personal information on behalf of a business. With the passage of Senate Bill 362 in October 2023, data brokers are now considered third parties and are defined by CCPA as companies that knowingly collect and sell to third parties a consumer’s personal information, even though they don’t have a direct relationship with the consumer.

What Are the CCPA Exemptions?

Any business that doesn’t collect personal information from California residents is exempt from CCPA. Other notable exemptions are businesses governed by different privacy laws, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). It also exempts businesses with less than $25 million in annual revenue, businesses that do not sell personal information, and businesses that collect only a limited amount of personal information.

Exempt consumer data types include:

  • Personal information collected and used “wholly outside” California.
  • Personal employee information, including background checks and wage information.
  • Personal information collected for non-profit activities, such as fundraising or political campaigning.
  • Publicly available personal information, such as court records or phone numbers listed in a directory.

The CCPA provides some leeway for businesses to comply with the law, including partial exemptions for business-to-business contact information handled solely in the context of due diligence. However, it’s important to note that the law applies to all businesses that collect the personal information of California residents.

How Does CCPA Differ From GDPR?

People often refer to CCPA as California's GDPR. However, that's not accurate. Aside from protecting the rights to data privacy for EU citizens, the General Data Protection Regulation has several significant differences from CCPA:

  • CCPA only applies to personal information, while GDPR applies to any data. This includes both personal and non-personal data.
  • CCPA gives consumers the right to know what personal information is being collected about them, the right to delete their personal information, and the right to opt out of having their personal information sold. GDPR gives consumers these same rights plus the right to access their personal data, the right to change their mind (opt-in), and the right to receive a copy of their data in a portable format.
  • CCPA applies only to businesses that collect or sell the personal information of California residents. GDPR applies to any business that processes or intends to process the data of EU citizens, regardless of where the business is located.
  • CCPA applies to businesses with annual revenue of over $25 million whereas GDPR applies to any business that processes or intends to process the data of EU citizens, regardless of the size of the business.

What are the Penalties for Companies That Don't Comply with the CCPA?

Businesses violating CCPA are notified by regulators and are given 30 days to fix the issue. If it isn't resolved within that time, the business is fined:

  • Up to $2,500 per violation and up to $7,500 per intentional violation.
  • Up to $7,500 for intentional or non-intentional violations of a minor’s privacy rights.
  • Between $100 and $750 per violation for not giving consumers an opt-out option.

CCPA also allows consumers to file a private right of action if their non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to the business' violation. This means individual consumers can sue businesses for damages, which can be costly. In addition, the attorney general has the right to file a civil action against companies for law violations.

Beyond penalties and lawsuits, you'll also face other breach-related costs. These can include notifying consumers of the breach, providing them with credit monitoring services, and dealing with the fallout from a PR and reputational perspective. As consumers become increasingly aware of their data privacy rights, they are more likely to take action against companies that violate them.

All these costs can quickly add up, underscoring the importance of CCPA compliance. Understanding the law and taking steps to comply can help protect your business from costly penalties and reputational harm. With so much at stake, businesses must understand CCPA and take the necessary steps to ensure compliance.

Strategies for Complying With CCPA

CCPA compliance is no easy feat, but companies can take a few steps to ensure they comply with the law.

  1. Determine Whether CCPA Applies to You
    CCPA applies to any for-profit business that does business in California and meets one or more of the following criteria:
  • Has annual gross revenues above $25 million.
  • Buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices.
  • Earns more than half of its annual revenues from selling the personal information of California consumers.

If CCPA applies to your business, then you need to take steps to ensure compliance.

  1. Identify the Personal Information You Collect and Store.
    CCPA defines personal information as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

    These include names, addresses, email addresses, phone numbers, social security numbers, driver's license numbers, and more. Once you've identified the personal information you collect and store, you must protect this information.

    CCPA requires businesses to take reasonable security measures to protect consumers' personal information from unauthorized access, destruction, use, modification, or disclosure. This includes encrypting personal information and ensuring that only authorized employees have access to this information.
  2. Audit Your Privacy and Information Security Framework.
    The CCPA gives consumers the right to know what personal information is being collected about them, the right to know how this information is being used, the right to have this information deleted, and the right to opt out of data sharing.

    You must ensure that you have policies and procedures to address these rights. This includes ensuring your business has a data retention policy defining how personal information is collected and used, and ensuring consumers can exercise their rights under the law.
  3. Involve All Teams and Departments.
    CCPA compliance is a team effort. It is essential to involve all teams and departments in the CCPA compliance process, from the IT department to the marketing department.

    Each team will have different CCPA-related responsibilities. For example, the marketing team will need to ensure that they're not collecting or using personal information in a way that CCPA prohibits. The IT team will need to ensure that personal information is properly secured.
  4. Develop a CCPA Compliance Plan.
    Develop a CCPA compliance plan that includes the compliance steps your business has adopted, who’s responsible for CCPA compliance, and how compliance will be monitored. It's important to note that CCPA is a fluid law. It's constantly evolving, and new regulations can be added anytime. As such, it's important to regularly review your CCPA compliance plan and ensure it's up-to-date.
  5. Establish a Designated CCPA Rollout Task Force.
    As you prepare to become CCPA compliant, you can expect disruption at all levels of the organization. To ensure a successful CCPA rollout, it's important to establish a designated task force responsible for developing and implementing the CCPA compliance plan. The task force should also be responsible for educating employees about CCPA and ensuring that all employees know their obligations under the law.
  6. Implement CCPA Compliance Policies and Procedures.
    Once you've developed a CCPA compliance plan, you must implement CCPA compliance policies and procedures. These policies and procedures should be designed to help your business comply with the law. Items to incorporate into your CCPA compliance policies and procedures include data retention policies, opt-out processes, and training programs.
  7. Treat Every Customer Like They are a California Resident.
    CCPA regulations apply to California residents. However, if your business also serves clients outside the state, it doesn’t make sense to have separate security frameworks. It’s easier and less risky to maintain a single framework if you also serve clients from outside the state or plan to do so. Therefore, you should treat every customer like they are a California resident to ensure CCPA compliance.

    This involves ensuring that all personal information is properly secured and that only authorized employees can access this information. It also includes ensuring that consumers can exercise their rights under CCPA, regardless of their residence.

    By doing so, you'll insulate the company from the hassle of adjusting to security frameworks from other states as they're implemented.
  8. Integrate CCPA Practices Into Your Culture.
    CCPA compliance should not be viewed as a one-time event. Instead, it should be integrated into your company culture. CCPA compliance should be an ongoing process that's regularly reviewed and updated as needed.

    One way to do this is to make CCPA compliance part of your employee onboarding process, ensuring that all new employees know and understand their obligations under the law and the value the company puts on compliance.
  9. Conduct Regular Staff Training.
    Employees play a central role in a business’s capacity to achieve and maintain CCPA compliance. Companies must take steps to ensure employees understand CCPA and how it applies to their job functions.

    One way to do this is by conducting regular CCPA training for all employees. The training should be designed to help employees understand CCPA and how it affects their day-to-day work. By conducting routine staff training, you help ensure employees are always up-to-date on CCPA and that they understand their obligations under the law.
  10. Monitor CCPA Compliance.
    Monitoring CCPA compliance includes regularly auditing your privacy and information security framework, ensuring that consumers can exercise their rights under CCPA, and monitoring changes.

What Does CPRA Mean for CCPA?

Put into effect in January 2023, the CPRA does not replace the CCPA; rather, it amends it in several key ways. One of the most significant is the creation of a new enforcement agency, the California Privacy Protection Agency (CPPA), which has the authority to investigate complaints, issue fines, and create regulations.

New rights in addition to those provided by the CCPA include:

  • The right to correct inaccurate personal information a business has on them.
  • The right to limit the use and disclosure of the sensitive personal information a business has collected, including race, ethnicity, religion, and sexual orientation.

Other key changes include:

  • The expansion of CCPA's private right of action. Under CCPA, only consumers whose non-encrypted or non-redacted personal information is subject to unauthorized access, and exfiltration, theft, or disclosure as a result of a business' violation could file a private right of action. CPRA expands this to include any violation of CCPA, regardless of whether there’s a risk of harm, meaning more consumers can now sue companies for CCPA violations, and the potential damages will be higher.
  • Strengthening of CCPA's opt-out requirements. The rule requiring a "Do Not Sell My Personal Information" link on the homepage is expanded so that businesses must also explicitly state in their privacy policies whether they sell consumers' personal information and what type of personal information they sell. If a business does sell personal information, it must also provide an opt-out button on every page where personal information is collected.

How Arctera Can Help

With concerns about data privacy increasing, organizations can expect more regulations to come up and existing ones to be updated. That means adopting an even more proactive and robust approach to managing consumer data.

At Arctera, we understand that data compliance and governance can be intimidating, especially with emerging and evolving regulations. Our industry-leading solutions provide everything you need to comply with CCPA, streamlining regulatory compliance with a suite of specialized capabilities that allow you to gain greater visibility and control of data and regulations. You can easily capture, archive, and find relevant data from over 120 content sources, optimizing data compliance and addressing any loopholes in your data governance.

Conclusion

The CCPA is a groundbreaking law that gives consumers more control over their personal information by requiring businesses to take steps to protect sensitive data and allowing consumers to exercise their privacy rights, including the ability to opt out of the sale of their personal information.

Contact us today to learn more about how Arctera can help keep your organization in compliance with CCPA and other regulatory laws.

About Arctera

Arctera helps organizations around the world thrive by ensuring they can trust, access, and illuminate their data from creation to retirement. Created in 2024 from Veritas Technologies, an industry leader in secure multi-cloud data resilience, Arctera comprises three business units: Data Compliance, Data Protection and Data Resilience. Arctera provides tens of thousands of customers worldwide, including 70% of the Fortune 100, with market-leading solutions that help them to manage one of their most valuable assets: data.
