Comprehensive Guide to CCPA Compliance Requirements

The California Consumer Privacy Act (the CCPA) is a law enacted by the California legislature that establishes robust privacy rights and consumer protection. The law came into effect at the start of 2020, and applies to any company operating in California or collecting the data of California residents.

The CCPA aims to protect the personal information of California residents, who are the “consumers” mentioned in the text. The law also gives consumers more control over how businesses collect, use, and sell their information.

Per the CCPA, a consumer means an individual, not a legal entity such as a corporation. Furthermore, the law recognizes any individual who is:

• In California for other than a temporary or transitory purpose; or
• Lives in California but is outside the state for a temporary or transitory purpose.

Since the definition of consumer is fairly broad, the law covers California residents even if they are traveling in other states.

The Californians for Consumer Privacy (CCP), a non-government organization, feared that the Internet had endangered consumer privacy concerns. The group sent several suggestions for new consumer privacy rights to the California attorney general in 2017.

That initiative led to the adoption of the CCPA. Then-Gov. Jerry Brown signed the measure into law in 2018. The CCPA is intended to protect consumer data and consumers whose data is compromised in a data breach.

“Personal information” has a broad scope under the CCPA. It refers to any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (Bloomberg Law) in the state of California. The law does not apply to de-identified data, publicly available information (say, city or state voter rolls), and aggregate information about a California resident.

The law established 11 categories of personal consumer information, including:

• Identifiers, including real names, aliases, postal address, unique personal identifier, online identifier, Internet Protocol address (IP address), email address, account name, Social Security number, driver’s license number, passport number.
• Commercial information such as records of property purchased, obtained, other purchasing or consuming histories.
• Biometric data such as fingerprints, face recognition, retina or iris information, hand patterns, height, weight, and eye color.
• Internet activity information such as browsing history, search history, and information regarding the data owner’s interaction with a web page or application.
• Geolocation data.
• Audio, electronic, visual, thermal, olfactory, or similar information.
• Professional or employment-related information.
• Education information that is not publicly available.

Financial, health insurance, or medical information, characteristics such as sexual orientation and marital status, and commercial information including records of personal property also fall under the CCPA’s definition of personal information.

Any of these information categories can allow a business (or data thief) to draw inferences about a particular consumer, and therefore create a consumer profile that reflects the consumer’s preferences, characteristics, predispositions, behaviors, attitudes, abilities, and aptitudes. Businesses use these profiles to improve customer service and enhance customer experiences. Hackers, on the other hand, can use this data to steal personal identities. They can also sell the data on the dark web to earn huge profits.

For example, in 2020, a single high-quality U.S. driver’s license could net the seller $550, while a U.S. passport could fetch $1,500. The CCPA is meant to protect California consumers from such breaches and their consequences.

The CCPA also introduces “probabilistic identifiers” – data that provide a greater than 50 percent chance of identifying an individual, especially if several identifiers are used in combination. One example is the combination of Amazon Prime viewing history and geolocation data.

Probabilistic identifiers are not as specific as deterministic identifiers, which could be somebody’s name or birthdate. The CCPA, however, treats both types of identifiers equally. This means consumers have the same rights, and businesses must meet the same compliance obligations, for either type of information.

The CCPA gives consumers the right to know what type of information a business has collected about them. Consumers can also submit a data subject access request (DSAR) to request a business to disclose these categories and details about the specific pieces of personal information being collected.

In addition, the CCPA gives consumers the right to:

• Ask about the source of that information;
• Ask about the business purpose for collecting the information;
• Request the business to delete the information;
• Opt-out of a business’s sale of their personal information;
• Expect that the business will not discriminate against them if they do opt out.

These rights are similar to those offered under the GDPR, but not identical. For example, both the CCPA and the GDPR offer the “right to be forgotten,” which is the right to request that businesses delete information collected about the consumer. On the other hand, the CCPA allows a consumer to opt out of a business reselling the consumer’s data; the GDPR has no equivalent right.

If a consumer is the victim of a data breach, the CCPA gives them a limited private right of action to sue the breached company.

The CCPA applies to any company doing business in California and non-California companies that collect the personal information of California consumers. Moreover, the law applies to all companies that sell goods or services to California residents, even if the business is not physically located in California or the United States.

Section 1798.140 of the CCPA defines a business as a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information … that does business in the state of California.”

The section also states that any business that meets any of these requirements falls under the CCPA’s regulatory ambit:

1. Generates annual gross revenues of more than $25 million
2. Buys, receives, shares, or sells the personal information of more than 50,000 California residents, households, or devices per year for commercial purposes
3. Earns more than 50 percent of its annual revenue from selling California consumers’ personal information

In sum, any for-profit company within or outside California that has customers or users in California must comply with CCPA’s rules to protect the privacy of consumer data.

Exclusions under CCPA

Nonprofits and companies that do not meet the above conditions are exempt from CCPA compliance. Furthermore, CCPA regulations do not restrict a company from collecting or selling a consumer’s personal information if every aspect of that commercial transaction takes place completely outside California.

The CCPA also does not apply to information that is already subject to other federal regulations, such as:

• The Health Insurance Portability and Accountability Act (HIPAA)
• The Gramm-Leach Bliley Act (GLBA)
• The Fair Credit Reporting Act (FCRA)
• The Drivers’ Privacy Protection Act (DPPA)

At the same time, the CCPA does apply to all business entities covered by these laws if they collect and process other personal information about California consumers.

Under the CCPA, businesses collecting identifiable information from California residents must honor consumer requests to disclose what type of personal information they are collecting about that consumer.

Companies must also provide a toll-free number and website address to facilitate such requests and deliver the information within 45 days of the request.

In addition to consumer data privacy rights, the CCPA includes a data security component. It requires companies to implement and maintain “reasonable security procedures.” To this end, the California government refers to the Center for Internet Security’s top 20 controls and the NIST’s Critical Infrastructure Security (CIS) Framework as baselines.

To comply with the CCPA, businesses must satisfy a number of requirements. These requirements are explored in detail in the following section.

Penalties for non-compliance

CCPA violation penalties can be harsh for businesses. Since the CCPA is incorporated under the California Civil Code, businesses will be subject to lawsuits for data breaches that result in the improper disclosure of consumer information.

Breached companies may incur statutory damages of $100 to $750 per California resident and breach incident if non-encrypted or non-redacted consumer information is compromised. A consumer may also bring legal action for actual damages if that harm is greater than the statutory damages.

An intentional violation can be fined up to $7,500, while unintentional violations can incur fines of up to $2,500. These penalties are enforced by the state attorney general, who may target the reasonability of a company’s security measures.

Covered organizations must meet their legal obligations to achieve and maintain CCPA compliance and avoid the costs of non-compliance. These requirements are explained below.

1. Update privacy notices and policies

   The California Online Privacy Protection Act of 2003 required companies processing the personal information of California consumers through commercial websites to post a privacy notice on their websites. The CCPA further adds an “at or before the point of collection” requirement for such notices.

   Covered companies must inform consumers about the categories of personal information the business collects, and why. The notice must also explain the categories of personal information the company collects, discloses, or sells and state that consumers have the right to opt-out of having their information sold.

   The privacy policy must also contain:

   • Information about the consumer’s right to know, right to delete, and right to non-discrimination;
   • Instructions on how consumers can exercise these rights;
   • A link to the company’s “Do Not Sell My Personal Information” page;
   • Information about the categories of personal information the business has collected, sold or disclosed over the past 12 months for commercial purposes.

   CCPA-complying companies must ensure that the privacy policy also complies with other privacy laws, such as:

   • GDPR
   • California Online Privacy Protection Act (CalOPPA)
   • The federal Children’s Online Privacy Protection Act (COPPA)

2. Conduct a personal information audit

   To comply with the CCPA, a covered business must understand how it uses personal information, the sources of this information, and which information it sells or shares for business purposes.

   The company may collect personal information directly from consumers via forms, email, social media messages, research surveys, website cookies, and so forth. A business may also acquire consumer information from third parties such as market research companies or public sources like online forums or job sites. The business must understand these sources to ensure that using them doesn’t break CCPA rules.

   The business must inform consumers how their personal information is shared for business purposes in the Privacy Policy, or when the consumer raises a request under the CCPA’s right to know. The company must also maintain an up-to-date data inventory to track data processing activities, track consumer right requests, and comply with CCPA data minimization requirements.

3. Implement protocols to protect consumer rights under CCPA

   The business must assure that California consumers can exercise the rights granted to them by the CCPA. To this end, the company must provide at least two ways for consumers to submit requests for information, including a toll-free telephone number and a website address.

   They must also:

   • Explain the various rights in their privacy policy and review or update the information every 12 months;
   • Create a “Do Not Sell My Personal Information” page (if the company sells personal information for business purposes) and link to that page from the website homepage;
   • Conduct a personal information audit.

4. Make security updates

   The CCPA mandates that all covered businesses must protect personal data with “reasonable” cybersecurity. It’s also helpful to take a risk-based approach to address threats to the confidentiality, integrity, and availability of personal data.

   Companies’ risk management activities should include:

   • Assess the threats to data;
   • Rank the risks of any detected vulnerabilities;
   • Prioritize high-risk vulnerabilities for mitigation or elimination.

5. Update third-party processor agreements

   Businesses that contract with other companies to process their data must update their third-party contracts and carry out all the below activities:

   • Insert standard contractual clause language into each contract;
   • Mandate vendor data inventories;
   • Send due diligence questionnaires to each vendor;
   • Provide processing records;
   • Sync their consumer response processes with the vendor’s processes;
   • Mandate onsite assessments and audits of the vendor;
   • Map the data elements shared with each third party.

6. Provide training to employees handling consumer inquiries

   Businesses must train all employees who handle consumer inquiries and right of access requests. These employees must know the law’s requirements and the penalties of non-compliance.

   For a more detailed look into CCPA compliance, check out our CCPA compliance checklist.

Similar to the GDPR, the CCPA gives California consumers the right to transparency about data collection, the right to be forgotten, and the right to opt out of having their data sold (opt-in for minors). In these aspects, the CCPA overlaps with the GDPR.

One difference is that under the GDPR, consumers have the right to rectify incorrect personal data. California residents do not have this right under the CCPA.

Another difference is that the GDPR requires explicit consent from consumers when they hand over their data to a business. The CCPA does not require explicit consumer consent. Instead, it only requires businesses to publish a privacy notice on their website informing consumers about their right to opt-out of certain data collection.

The California Consumer Privacy Rights Act (CPRA) expands the CCPA in California. The new law will be effective from January 1, 2023, and give California consumers the right to:

• Prevent businesses from sharing their (the consumer’s) personal information;
• Correct inaccurate personal information;
• Limit businesses’ use of sensitive personal information, including the consumer’s geolocation, race, religion, private communications, and specified health information.

The CPRA also prohibits companies from retaining personal information for longer than reasonably necessary.

Looking for an easier and smarter path to CCPA compliance? Try Reciprocity ZenComply. This compliance and audit management solution automates tedious manual processes to minimize the time and effort required to set up a successful CCPA compliance program.

ZenComply seamlessly integrates with Reciprocity ZenRisk and the Reciprocity ROAR platform to provide a unified, real-time view of risk and compliance. If your company’s goal is to achieve CCPA compliance and keep an eye on the progress of your program, try ZenComply for free. Schedule a demo.