The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. The law is similar to the European Union's General Data Protection Regulation (GDPR), and it's the first law in the U.S. to enact a comprehensive set of rules for how businesses can use consumer data.
Leading up to the GDPR's effective date in 2018, many U.S. businesses worked to make sure their data governance and privacy programs complied with the GDPR. If you're one of those businesses, much of the work you've already done to achieve GDPR compliance will help you with the CCPA, but there are some important differences, which I explain in this article.
What is CCPA?
The CCPA defines personal information as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." This definition is broader than the GDPR's definition of personal data, which is limited to information relating to "identified or identifiable living persons."
Does CCPA apply to my company?
CCPA applies to any for-profit business (and any entity that controls or is controlled by a business and shares common branding, such as a shared name, servicemark, or trademark, with the business) that does business in the State of California and meets one or more of the following thresholds:
- Has annual gross revenues in excess of $25 million
- Buys, receives, sells, or shares personal information for commercial purposes of 50,000 or more consumers, households, or devices annually
- Receives half or more of its annual revenues from selling consumers’ personal information
Guidelines for CCPA Compliance
Like GDPR, which defines specific rights of data subjects, CCPA defines specific rights of California consumers, including:
- The right to access specific personal information that is collected about the consumer, but limited to data collected in the past 12 months.
- The right to be notified about the types of information and the purposes for which the information will be used, before or when the information is collected. Requirements for privacy policies and notices under CCPA are less detailed than for GDPR, but there are specific requirements for where notices must be placed on websites and how notices are to be received by consumers.
- The right to request a copy of the personal information that is collected, in a portable and easily readable format. However, businesses are not required to provide this personal information to a consumer more than twice in a 12-month period.
- The right to be forgotten (with broader exceptions than those provided under GDPR)
- The right to restrict processing ("opt out") of personal information, subject to some limitations. Consumers have the right to opt out of the disclosure or sale of their personal information (subject to some limitations), and businesses must conspicuously display an opt-out link (and a toll-free phone number) on their website. More prescriptive guidance is expected in this area, and some or all of the following are widely anticipated:
- Where and how an opt-out link or button must be displayed on a website
- A mandatory, uniform opt-out logo or button that consumers can easily recognize
- A web form that allows consumers to opt out of some or all marketing promotions (such as email lists, loyalty programs, and so on) from the business
Minimum CCPA Compliance Requirements
To comply with the CCPA, businesses need to adopt a compliance strategy and create a CCPA compliance checklist that, at a minimum, includes the following components:
- Identify. Identify, label, classify (or categorize), and index the personal information that you collect and store on all individuals (not just California consumers). More privacy regulations are forthcoming; it's inevitable.
- Define. Establish appropriate data governance policies and processes to ensure compliance with CCPA requirements. Ensure you have adequate procedures in place (and automate as much as possible), including a CCPA-compliant website, to respond to the various rights that consumers can exercise under CCPA. In most cases, businesses have only 45 days to respond to verified requests from consumers.
- Protect. If you've already implemented the "privacy by design" and "privacy by default" principles and the data minimization requirement specified under GDPR, you're off to a good start.
- Manage. Compliance is not a one-time activity; it requires ongoing management to be successful. Everyone in your business needs to understand what CCPA specifically requires of them in their individual job roles. The requirements defined under CCPA are still evolving, so diligence and awareness are essential for compliance.
- California Office of the Attorney General (https://oag.ca.gov/privacy/ccpa)
- Californians for Consumer Privacy (https://caprivacy.org)
- The International Association of Privacy Professionals (https://iapp.org)