The CCPA: What California’s New Privacy Laws Mean For Your Business


What is the California Consumer Privacy Act?

The CCPA protects consumer privacy by defining how personal information can be used by for-profit businesses in California. On January 1st, 2020, the state of California introduced new requirements for businesses to comply with data protection policies for consumers, as well as additional rights to privacy for California residents. With these changes, companies that conduct business in California are encouraged to follow up with the new compliance requirements as soon as possible and take all necessary steps to ensure compliance and avoid penalties.

The scope of the CCPA applies only to businesses that meet one of the following criteria:

  • Has at least $25 million in revenue
  • Receives information from over 50,000 consumers, households, or devices in a year
  • Gets at least 50% of its annual revenue by selling consumers’ personal information

“Personal Information” protected under the CCPA is defined as:

  • Personally Identifiable Information (PII) such as full name, social security number, bank information, postal address, IP information, email address, driver’s license or passport number, or other similar identifiers
  • Commercial information, transaction records of products or services purchased, historical consumer data, personal property records
  • Web use history, network activity, browsing and search history, engagement or activity on websites, applications, and ads
  • Geolocation data
  • Biometric data
  • Electronic, visual, audio, thermal, olfactory, or other similar information
  • Professional history, employment status and background
  • Education information

This privacy law affects both companies that are based in California and online businesses that collect data from California residents. The CCPA does not apply to any information subject to federal regulation, such as the Health Insurance Portability and Accountability Act (HIPAA), the Drivers’ Privacy Protection Act (DPPA), or the Fair Credit Reporting Act.

How Does the New CCPA Affect Consumers? 

The CCPA grants privacy rights to all residents of California. Consumers will be able to request that companies disclose any data that has been collected from them, request that their data be deleted, and opt out of the resale of their data with no consequences.

While the new policies under the CCPA may appear similar to the rights guaranteed to EU data under the GDPR, there are several important differences to understand. Rather than the GDPR’s opt-in format, the structure of the CCPA allows consumers to specifically opt out of having personal data collected, as well as the right to request disclosures about how and what personal information is being used. Consumers may also request the specific categories of information a business collects and their purpose for collecting or sharing that information, as well as what information is shared with third parties. 

Consumer Rights Defined by the CCPA

Consumers are protected from discrimination under the CCPA and entitled to equal service and price regardless of whether or not they exercise their rights. The rights are specifically defined as follows:

  1. Right to be Notified – Businesses must notify consumers of personal data collection
  2. Right to Request – Consumers may request specific categories of information being collected
  3. Right to Know – Businesses must disclose to consumers what specific information is being shared when requested
  4. Right to Say No – Consumers may opt out of the collection or sale of personal information with no discrimination
  5. Right to Delete – Consumers may request the deletion of their personal data from record
  6. Right to Equal Service & Price – Businesses may not vary the price or quality of service to any consumers who choose to opt out. However, businesses may offer certain financial incentives to consumers who agree to share personal information.

How Does the New CCPA Affect Businesses and Marketers? 

The new policies defined under the CCPA affect for-profit businesses in California, whether they’re using consumer data to support marketing insights and analytics, deliver targeted advertising, or sell personal data to third-party entities. The CCPA defines “sell” in this context as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or third party for monetary or valuable consideration.”

By law, California-based businesses must comply with any requests for personal information transparency. Under the CCPA, these businesses are prohibited from discriminating against any consumers exercising their rights under these new laws, including charging a different price to consumers who allow continued use of their personal data. Businesses are also prohibited from selling personal data of consumers under the age of 16 unless specific authorization is given.


How to Ensure CCPA Compliance, Step by Step:

1. Update your Privacy Policies and Notices

The CCPA requires companies to send notices “at or before the point of collection” of personal data to inform consumers of the categories of personal data they will collect and for what purpose.

The written notice must explicitly define these categories so that consumers are given ample opportunity to exercise their rights to opt out under the CCPA. Companies must also clearly outline the new consumer rights (listed above) that are now covered by the CCPA in their Privacy Policies. 

2. Update Data Inventories & Processes

Companies must employ the use of a data inventory to track any and all data processing efforts including business processes, third party information sharing, and any products, devices, or applications used to manage personal consumer data. Under the CCPA, data inventories must now include columns that identify the following:

  • Whether the data use includes the sale of information
  • What specific categories of personal data are collected/shared
  • Any categories of personal data that are protected by HIPAA, the FCRA, or any other federally-regulated protection policies
  • Any data collected over 12 months prior, which is potentially exempt

The database must also have the ability to track all consumer requests under the CCPA. 

3. Implement Procedures & Protocols to Ensure Compliance to Consumer Rights

Businesses must take steps to ensure that all consumer rights defined by the CCPA are granted, including the pre-emptive disclosure of the intent to collect and/or share personal information. Businesses must also be prepared to comply with any consumer information requests, free of charge to the consumer, and the information disclosure must be provided by mail or electronically. Any information disclosed electronically must be provided in a readily portable and transmittable format.

Consumers may request that businesses delete any personal information collected. The business must comply with the request and pass it on to any affiliated third parties. This information must be deleted unless it is being used to:

  • Provide goods or services requested by the consumer or uphold a contract or business relationship with the consumer
  • Detect threats to security, including malicious, fraudulent, illegal, or deceptive activity
  • Debug or repair functionality errors 
  • Exercise free speech or ensure the right of another consumer to free speech
  • Comply with the California Electronic Communications Privacy Act
  • Engage in research pertaining to the public interest, such as peer-reviewed historical, scientific, or statistical research
  • Enable solely internal use of information aligned with the expectations of the consumer based on the consumer’s relationship to the business
  • Comply with any legal obligations
  • Otherwise use the consumer’s information internally, lawfully, and compatible with the context in which the consumer provided the information

The Right to Opt Out must be made readily accessible on the business homepage with a clear, conspicuous link titled “Do Not Sell My Personal Information” that enables consumers to opt out. Businesses must wait 12 months before requesting to sell personal information for any consumer who chooses to opt out. 

Businesses must offer at least 2 ways for consumers to submit requests for information, including a toll-free phone number and a website address. Protocols must be established for businesses to respond to consumer requests within 45 days of receiving a verifiable request. This information for consumers and description of rights must all be readily disclosed in the Privacy Policy and updated at least once every 12 months. 

4. Update Security Protocols & Applications

Businesses are required by the CCPA to protect personal consumer data by taking a risk-based approach toward confidentiality threats and online availability of personal information. Vulnerabilities must be continuously assessed and mitigated, prioritizing high-risk gaps over moderate- and low-risk gaps.

5. Update Third-Party Agreements

Businesses will need to modify any third-party agreements, contracts, and processes to require data vendor inventories, due diligence questionnaires, processing records, syncing of consumer responses and processes, onsite assessment and auditing, and mapping all transfers of data elements to each individual third party. Processes must be in place to require third-party compliance with requests to opt out or delete consumer information. 

6. Employee Training

Businesses should train staff to be ready to fulfill requests and understand all requirements under the CCPA at a minimum. Any additional employee training is recommended but not required.

What are the Penalties for Non-Compliance?

The Attorney General is responsible for enforcing all policies defined by the CCPA. There are private rights of action in place in certain instances of unauthorized access, theft, exfiltration, or otherwise compromised non-encrypted or non-redacted personal information. However, if the compromise of consumer information is due to the failure of reasonable security, consumers may take legal action for statutory damages ranging from $100 to $75 per instance, or actual damages (whichever is greater). Civil penalties from the Attorney General can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation. A business is liable if it fails to remediate alleged noncompliance after 30 days from receiving the notification of noncompliance. For certain types of noncompliance, such as data breaches, remediation may be impossible.

Questions about how the new CCPA policies might affect your business, marketing strategy, data analytics, social media, website, or life in general? Send us a message!

Note: The information above is intended to provide information about the CCPA, but is neither a replacement for legal interpretation nor legal advice regarding compliance for your business.