Understanding CCPA: A Deep Dive into California's Data Privacy Legislation

Summary

The California Consumer Privacy Act (CCPA) of 2018, effective from 2020, grants California residents enhanced privacy rights and control over their personal information. The CCPA imposes obligations on businesses to inform, allow deletion, and cease the sale of personal data upon consumer request. In November 2020, the CCPA was amended by the California Privacy Rights Act (CPRA), further strengthening privacy rights effective January 2023.

Key insights:
  • Legislative Background: The CCPA was introduced to counter a more stringent privacy-focused ballot initiative, providing consumers rights to access, delete, and stop the sale of their personal data.

  • Who It Applies To: The CCPA applies to any for-profit entity that processes personal data of California residents and meets specific criteria such as annual gross revenues over $25 million or dealings with the data of more than 100,000 residents.

  • Definition of Personal Information: The act defines personal information broadly to include any data that can be linked to an individual or household, with certain exemptions.

  • Consumer Rights: The CCPA provides several rights including the rights to know, delete, and opt-out of the sale or sharing of personal data, as well as rights to correct inaccurate information and limit the use of sensitive personal information.

  • Compliance Requirements: Businesses must provide clear privacy notices at or before data collection, maintain a responsive data management system to address consumer requests within specific timelines, and implement data security measures compliant with CCPA standards.

  • Penalties for Non-Compliance: Failure to comply can result in hefty fines, with the potential for statutory damages of up to $750 per consumer per incident in the case of data breaches, emphasizing the importance of maintaining "reasonable security practices."

  • Expanded Scope with CPRA: The CPRA enhances the CCPA, introducing the right to correction and further restrictions on data usage, reflecting evolving privacy expectations and compliance landscapes.

Introduction

The California Consumer Privacy Act of 2018 (CCPA) empowers consumers with greater control over the personal information collected by businesses. The CCPA regulations offer detailed guidance on implementing this legislation, establishing significant new privacy rights for California residents.

This article covers the CCPA's background, who it applies to, and how to achieve compliance with it.

Background

The California Legislature unanimously passed the legislation for the CCPA in June 2018, but it only came into effect in 2020. It was the first law of its kind in the United States. In a rush to counter a stricter privacy-focused ballot initiative that had gathered over 600,000 Californian signatures, the Legislature enacted this law granting Californians the right to see what information businesses collect on them, request its deletion, learn which companies their information is sold to, and instruct businesses to stop selling their data to third parties. The law was similar to the European Union's General Data Protection Regulation (GDPR), which had also just gone into effect in 2018, while adding some significant features of its own.

For example, under the GDPR, businesses are required to obtain users' permission before collecting personal data. Often, however, this permission is requested through an opt-in pop-up that leaves the user no real choice. The ballot initiative would have prevented businesses from denying service to consumers who opt out of data tracking. The CCPA includes similar provisions but introduces the "Spotify exception," allowing companies to offer different services or rates based on the data provided, as long as the difference is "reasonably related to the value provided to the consumer by the consumer's data."

In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which amended the CCPA to enhance privacy protections starting January 1, 2023. The CPRA introduced new consumer rights, including the ability to correct inaccurate personal information and limit the use and disclosure of sensitive personal information. Businesses must comply by addressing consumer requests and providing clear privacy notices. While the CPRA significantly amends the CCPA, it is not a separate law, and both are collectively referred to as the "CCPA" or "CCPA, as amended."

Coverage

The CCPA applies exclusively to California residents, defined as individuals residing in California, including those who are temporarily outside the state. Even if your business is not based in California, a California resident who interacts with it can claim their rights under the CCPA.

The CCPA applies to your business if ANY of the following apply to it:

  • It has a gross annual revenue exceeding $25 million.

  • It buys, sells, or shares the personal information of 100,000 or more California residents or households.

  • It derives 50% or more of its annual revenue from selling the personal information of California residents.

The CCPA generally only applies to for-profit businesses that do business in California, including data brokers. It does not apply to nonprofit organizations or government agencies.

What Constitutes Personal Information?

Under the CCPA, personal information includes identifiable details that could directly or indirectly relate to an individual or household, such as names, social security numbers, and browsing history. Sensitive personal information covers more private data, including financial account numbers, precise geolocation, health information, and biometric data.

Personal information excludes publicly available government records such as professional licenses and public real estate/property records, as well as certain types of information, like medical records and consumer credit reports, that have specific exemptions under the law. Publicly available information also includes data that a business reasonably believes is lawfully made available to the general public, whether by the consumer, through widely distributed media, or through a disclosure by the consumer that was not restricted to a specific audience.

Refusing to provide personal information or requesting its deletion may prevent businesses from completing necessary transactions for providing goods or services. Companies can offer incentives for personal information, but these incentives must reasonably reflect the value of the information. Opting out of data sharing or deletion requests may impact participation in these promotional offers, and consumers are encouraged to inquire with the business about specific implications.

Compliance with CCPA

In order to meet all the compliance requirements of the CCPA, businesses must ensure they are not violating any of the rights California residents hold under it. These rights include:

Right to Know: Consumers can request that a business disclose (1) the categories and/or specific pieces of personal information collected about them, (2) the categories of sources for that personal information, (3) the purposes for which the business uses that information, (4) the categories of third parties with whom the business discloses the information, and (5) the categories of information that the business sells or discloses to third parties. This request can be made up to twice a year, free of charge.

Right to Delete: Consumers can request that businesses delete the personal information they collected from them and instruct their service providers to do the same, with certain exceptions (such as legal obligations to retain the information).

Right to Opt-Out of Sale or Sharing: Consumers can request that businesses stop selling or sharing their personal information ("opt-out"), including via a user-enabled global privacy control. Businesses cannot sell or share personal information after receiving an opt-out request unless the consumer later authorizes them to do so again.

Right to Correct: Consumers can request that businesses correct inaccurate information they have about them.

Right to Limit Use and Disclosure of Sensitive Personal Information: Consumers can direct businesses to only use their sensitive personal information (such as social security numbers, financial account information, precise geolocation data, or genetic data) for limited purposes, such as providing requested services.

Additionally, consumers have the right to be notified about the types of personal information being collected and the intended uses before or at the point of collection. Businesses cannot discriminate against consumers for exercising their rights under the CCPA, cannot make consumers waive these rights, and any contract provision that claims to waive these rights is unenforceable.

To comply with the CCPA, businesses must:

  • Inform consumers if they sell or share personal information.

  • Include a "Do Not Sell My Personal Information" option on their websites and in their privacy policies, along with a toll-free number for consumer requests.

  • Obtain affirmative consent to sell data from consumers under 16 or from a parent or guardian for consumers under 13.

  • Respond to customers within 15 business days after an opt-out request.

  • Provide equal service and pricing regardless of consumers exercising their rights.

  • Notify consumers, before collecting personal information, about how it will be used, sold, and shared.

  • Collect, use, or share personal information only when reasonably necessary for its intended purposes.

  • Delete consumers' personal information upon request, with exceptions under the CPRA.

  • Wait at least 12 months before asking their consumers to opt back in to the sale or sharing of their personal information once they have opted out.

Exceptions to Compliance

A service provider under the CCPA refers to an entity that businesses engage to perform specific services on their behalf. For instance, this could include tasks such as processing credit card transactions for retailers or handling delivery services for online orders. The CCPA distinguishes service providers from the businesses they serve, placing the responsibility for responding to consumer requests squarely on the business itself. If consumers direct requests to opt-out or for other privacy-related actions to a service provider instead of the business, the service provider may not be authorized to fulfill these requests and can deny them. Consumers must address such requests directly to the business to ensure compliance with CCPA requirements.

For more details about compliance and exceptions, check out the official Frequently Asked Questions or the entire legislation.

Penalties/Why Businesses Should Comply

The CCPA provides consumers with a private right of action for data breaches involving personal information or email login details, with potential penalties of up to $750 per consumer per violation. The statutory damages can accumulate significantly: a single breach affecting 100,000 California customers could result in $75 million in statutory damages alone, which can be pursued through class action litigation.

The private right of action applies only if the business failed to follow "reasonable practices and procedures" to prevent the breach, though the CCPA does not define these practices. The law offers a 30-day cure period for violations but does not clarify how to "cure" a breach that has already occurred; implementing reasonable security measures after the breach does not count as a cure. Additionally, the California Attorney General can impose penalties of up to $2,500 per violation, or $7,500 for intentional violations, and may seek injunctions against companies violating the CPRA.

Get CCPA Compliant with Walturn

At Walturn, we integrate CCPA compliance into our product engineering services to ensure your digital solutions meet essential data protection standards. By partnering with us, you can confidently address CCPA requirements while focusing on your core business objectives. Reach out to us to enhance your products with built-in compliance and data security.

Conclusion

In conclusion, the CCPA represents a landmark in privacy legislation, granting California residents substantial control over their personal information. Businesses subject to the CCPA face stringent compliance requirements, including transparency in data practices, responsiveness to consumer requests, and non-discriminatory treatment based on privacy choices. As businesses navigate these obligations, understanding the CCPA's nuances and ensuring robust compliance mechanisms are essential to maintaining consumer trust and avoiding legal repercussions.

Ensure Your Business is CCPA Compliant with Walturn

Stay ahead of data privacy regulations with Walturn's comprehensive compliance solutions. Our experts specialize in integrating CCPA compliance into your digital products, ensuring your business meets California's strict privacy standards. From data protection to secure user management, we provide end-to-end services to help you navigate the complexities of CCPA. Partner with Walturn to build trust, protect user data, and avoid costly penalties.

Our mission is to harness the power of technology to make this world a better place. We provide thoughtful software solutions and consultancy that enhance growth and productivity.

The Jacx Office: 16-120

2807 Jackson Ave

Queens NY 11101, United States

Book an onsite meeting or request services?

© Walturn LLC • All Rights Reserved 2024