California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a landmark piece of legislation passed in the United States, designed to protect the privacy rights of California residents. Signed into law on 28 June 2018 and taking effect on 1 January 2020, the CCPA is one of the most comprehensive consumer privacy laws in the US. It gives California residents greater control over the personal data collected by businesses, establishing new rights concerning the access, deletion, and sharing of personal information. Below is a fact-based breakdown of the key elements, requirements, and implications of the CCPA.

What is the CCPA?

The CCPA was created in response to growing concerns about how personal data was being collected, used, and sold by companies, particularly in light of high-profile data breaches and increased tracking of online behaviour. The law applies to businesses that meet certain thresholds and operate in California, although it has broader implications due to the size of the state’s economy and the number of companies doing business with its residents.

Under the CCPA, personal information is broadly defined to include a wide range of data points, such as names, email addresses, IP addresses, browsing history, and even biometric data. This broad definition is intended to cover all information that can be linked, directly or indirectly, to an individual or household.

Scope and Applicability

The CCPA applies to for-profit businesses that operate in California and meet at least one of the following criteria:

  1. Annual gross revenues exceeding $25 million.

  2. Buy, receive, or share the personal information of 50,000 or more California residents, households, or devices annually.

  3. Derive 50% or more of their annual revenues from selling California residents' personal information.

These thresholds mean that companies based outside California, or outside the United States altogether, may still need to comply if they interact sufficiently with California residents.

Consumer Rights under the CCPA

The CCPA grants consumers several important rights over their personal data. These include:

  1. Right to Know: Consumers have the right to request and know what personal data is being collected about them, including specific pieces of information, and for what purposes this data is being used. This applies to both the data collected directly from consumers and any data obtained from other sources.

  2. Right to Delete: Consumers can request that a business delete any personal information it has collected about them, subject to certain exceptions. For example, businesses may retain information necessary to complete a transaction, comply with a legal obligation, or detect security incidents.

  3. Right to Opt-Out of Sale: One of the most significant provisions of the CCPA is the right for consumers to opt out of the sale of their personal information. Businesses are required to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website, allowing consumers to exercise this right.

  4. Right to Non-Discrimination: Businesses are prohibited from discriminating against consumers for exercising their CCPA rights. This includes denying goods or services, charging different prices, or providing a different level or quality of service. However, businesses are allowed to offer financial incentives for the collection or sale of personal information, provided they are transparent about the terms.

Business Obligations under the CCPA

To comply with the CCPA, businesses must implement several operational and procedural changes, depending on their size, industry, and how they interact with consumers’ data.

  1. Updating Privacy Policies: Companies must update their privacy policies to include detailed disclosures about the types of personal data they collect, the purposes for which it is used, and how consumers can exercise their CCPA rights.

  2. Data Access and Deletion Requests: Businesses must provide a method for consumers to submit requests to access or delete their personal data, such as through a toll-free number or an online form. They must also verify the identity of consumers making such requests.

  3. Data Security: The CCPA includes provisions requiring businesses to implement reasonable security measures to protect personal data from unauthorised access or theft. In the event of a data breach resulting from inadequate security practices, the CCPA allows consumers to file lawsuits for damages.

  4. Training Employees: Companies must ensure that employees handling consumer data requests are trained on the CCPA’s requirements, and they must establish procedures for responding to requests within the timeframes specified by the law (typically 45 days).

  5. Responding to Opt-Out Requests: Businesses that sell personal data must respond to opt-out requests and ensure that consumers who opt out are not subject to further data sales unless they later opt back in.

Enforcement and Penalties

The CCPA is enforced by the California Attorney General, who has the authority to bring civil actions against companies that violate the law. Businesses can be fined up to $2,500 for each unintentional violation and $7,500 for each intentional violation. In addition to government enforcement, the CCPA also grants a limited private right of action for consumers whose personal data is compromised in a data breach, allowing them to sue for statutory damages ranging from $100 to $750 per incident.

The Impact of CCPA Beyond California

Although the CCPA is a California state law, it has had a ripple effect across the United States and globally. Given the size of California's economy and the number of technology companies based there, many companies have chosen to extend CCPA compliance practices to all US consumers rather than create separate data-handling procedures.

Additionally, the CCPA has inspired other states to propose or pass their own privacy laws, most notably the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act. These laws share many similarities with the CCPA but include some distinct provisions, contributing to the emerging patchwork of data privacy regulations across the US.

CCPA and the GDPR: A Comparison

The CCPA has drawn many comparisons to the European Union’s General Data Protection Regulation (GDPR), which took effect in 2018. Both laws are designed to give consumers more control over their personal data, but there are some key differences:

  • Scope: While the GDPR applies to any entity processing the data of EU residents, regardless of size, the CCPA only applies to businesses that meet certain revenue or data volume thresholds.

  • Opt-Out vs. Opt-In: The GDPR operates on an opt-in basis, meaning businesses must obtain explicit consent from consumers before processing their data. In contrast, the CCPA allows businesses to collect and use data by default, giving consumers the right to opt out of the sale of their information.

  • Data Portability: Both the CCPA and GDPR grant consumers the right to access their data and request its deletion, but the GDPR goes further by granting a right to data portability, allowing consumers to request that their data be transferred from one service provider to another.

Recent Developments: The California Privacy Rights Act (CPRA)

In November 2020, California voters approved the California Privacy Rights Act (CPRA), which expands upon the CCPA’s protections and introduces additional obligations for businesses. The CPRA, often referred to as "CCPA 2.0," took effect on 1 January 2023, and introduces several significant changes:

  1. Creation of the California Privacy Protection Agency (CPPA): A new regulatory body specifically responsible for enforcing the CPRA and overseeing compliance.

  2. Expansion of Consumer Rights: The CPRA introduces new rights, such as the right to correct inaccurate personal information and the right to restrict the use of sensitive personal information (e.g., health data, financial information).

  3. Data Minimisation and Retention: Businesses must limit the collection of personal data to what is necessary for specified purposes and are required to disclose how long they intend to retain different categories of personal data.

  4. Stricter Requirements for Data Processors: Businesses must establish contractual agreements with third-party service providers that process personal data on their behalf, ensuring compliance with the CPRA’s requirements.

Bringing It All Together

The California Consumer Privacy Act (CCPA) has set a new standard for consumer privacy rights in the United States, forcing businesses to rethink how they collect, use, and share personal data. Its influence extends far beyond California’s borders, prompting legislative action in other states and even inspiring global discussions about data privacy. With the expansion of the CCPA under the CPRA, consumer privacy rights will continue to evolve, requiring businesses to stay vigilant and adaptive in their data privacy practices.
