CCPA compliance (California Consumer Privacy Act): an overview

What is the CCPA?

CCPA compliance (California Consumer Privacy Act): an overview

The US state of California has passed into law the California Consumer Privacy Act. We take a look at its history, and the importance of CCPA compliance.

If the state of California was a standalone region, it would be the 5th largest economy in the world. The GDP of California is larger than some countries including India, the UK, France and Italy. With such an economic force in one concentrated area, California is often among the global leaders in tech and tech compliance. Since many of the world’s largest tech companies hail from California, California legislators are generally ahead of the curve when it comes to regulatory compliance.

With several trillion dollar companies in the State, the government of California has stepped in to protect the personal privacy of its residents. As such, it enacted the California Consumer Privacy Act (CCPA). California is one of the only US States to enact privacy legislation, though Colorado passed the Colorado Privacy Act into law in July 2021, which may come into effect on 1 July 2023.

What is the CCPA?

The California Consumer Privacy Act (CCPA) was introduced in 2018 to give Californian consumers more control over their data. The Act looked to protect certain basic rights surrounding consumer data. This is similar to the basic freedoms Americans have, but the CCPA focuses on the digital footprint of consumers. Some of the data rights provided by the CCPA include:

  • The right to know the personal information that businesses have collected from an individual
  • The right to opt-out of the sale of consumer data collection
  • The right to delete personal information collected from them

These rights were not being fulfilled by corporations, so California legislators proposed them and the law was passed.

History of CCPA

The CCPA was introduced on January, 3rd 2018 and was passed in June, 28th 2018 by California Governor Jerry Brown. The CCPA took effect on January 1st, 2020 and is still in effect today. After it was introduced in 2018, the CCPA went through several rounds of amendments in 2018 and 2019. Over the first few years of the CCPA, there were many Assembly Bills introduced to modify different aspects of the CCPA. Only one amendment, The California Privacy Right Act, has been added to the CCPA in September of 2020. It will not take effect till 1 January 2023.

Key provisions for CCPA compliance

The CCPA implemented a number of key provisions and features:

Disclosure

Prior to the CCPA, companies did not have to notify users about any of their data being collected or sold. This caused significant issues. Under the CCPA, companies must disclose when they are using user’s data and users can opt out. Companies have to disclose the data that is being collected, how it is collected and who is the data being shared with.

Consumer protection

The CCPA forbids companies from taking discriminatory actions against consumers who choose to opt out of data collection. It is not uncommon for companies react against legislation by reducing services for users who opt out. Users cannot then take any legal action against companies who do this without suffering dire financial consequences. The CCPA protects users by strictly forbidding companies from engaging in this practice.

Fines

With trillion dollar companies taking advantage of data laws prior to the CCPA, users were often forced to accept unfavourable terms. The CCPA penalizes companies with meaningful amounts to discourage data malpractice. The CCPA takes this seriously and can issue fines of up to $7,500 per civil penalty violation. Companies that intentionally violate CCPA guidelines will be charged up to $7,500 per user and companies that unintentionally violate will be charged up to $2,500 per user. While these fines are hefty, they pale in comparison compared to the EU’s GDPR.

CCPA compliance: what rights are given to users?

Right to delete: California users can request companies to delete all of their information from their databases. This is crucial because this puts data into the user’s authority. Companies may refuse to do this if a user is involved in a security incident, for transaction records or any illegal behaviour.

Right to know: The CCPA gives users the right to know what a company is doing with their data. Businesses that collect California users’ data have to notify them upon collection. They need to include categories of data and the purpose of data collection. Individuals can request this along with which specific data was collected.

Right to download: Many users want to know what kind of data a company has on them. The CCPA gives users the right to download their own data. Users can download their data and easily switch providers for a service. The CCPA requires that this is done free of charge to the user.

Right to opt-out of information selling: The CCPA also gives users the right to opt-out of their information being sold. One of the key issues that introduced the CCPA was companies selling user data without notifying them. Under the CCPA, users can opt-out with no ramifications.

Right to non-discrimination: The CCPA affords California users the right to non-discrimination if they opt-out of any data collection or services. This removes the fear that users have that they will use services that they rely on if they don’t agree to have their data collected.

Who does the CCPA impact?

CCPA compliance applies to companies operating in the state of California that fall under the following categories:

  • Companies that gross more than $25 million annually
  • Companies that generate over $50k in revenue from consumer information
  • Companies that derive more than 50% of their revenue from consumer data
  • Companies that annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices

The vast majority of companies are not intentionally trying to steal and abuse their user’s data, although well-intentioned, companies are still liable to face CCPA fines. It’s up to compliance officers and executives at companies to ensure all CCPA guidelines are being followed.

For more on the CCPA, you can watch CUBE’s Nick Bray in conversation with Denise Banks on Demystifying the CCPA.

The importance of CCPA compliance

CCPA compliance is essential for applicable firms to show customers and regulators alike that they are enforcing and protecting the data rights of individuals. As many will have seen by huge fines for GDPR non-compliance, coming out of the EU, data privacy is no trivial matter. While much of the US lags behind in data protection regulation, California is making clear that it is ready to level up to the stringent responsibilities imposed within the EU.


CUBE uses next-generation AI to track, capture and map every relevant regulatory obligation to your business and business areas. So you know what’s changed, what’s in force, and how it applies to your existing policy and control framework, in an instant.


Related resources

Regulatory Risk Management: How will Executive Order 14028 change the cybersecurity landscape?

Regulatory Risk Management: How will Executive Order 14028 change the cybersecurity landscape?

What is Executive Order 14028 and who must comply with the US regulation? And will it affect the cyb...

What is the US’ Community Reinvestment Act?

What is the US’ Community Reinvestment Act?

Are you aware of the latest updates to the Community Reinvestment Act in the US? Learn more about fi...

What regulations are there for the payment services industry?

What regulations are there for the payment services industry?

Discover the regulations shaping payment services, from PSD2 to AMLD6. Stay compliant with CUBE's in...

What is the CISO (Chief Information Security Officer) responsible for?

What is the CISO (Chief Information Security Officer) responsible for?

CISO's face a number of challenges with regulations constantly changing. Learn more about some of th...

View More