The California Consumer Privacy Act (CCPA) is the first privacy law in the United States to regulate the collecting, managing, and selling of website users' personal information. It was signed in 2018 and became effective on January 1, 2020. The CCPA applies to California residents, which are called Consumers in the law. You may ask "What is the CCPA meaning?" CookieScript, the company behind the popular cookie privacy compliance tool, has put together this guide that will answer everything you need to know about the CCPA and how it will impact your business.
What is the California Consumer Privacy Act (CCPA)?
CCPA stands for the California Consumer Privacy Act. It is a data privacy law that regulates the collection and processing of the personal information of California residents.
The CCPA went into effect on January 1, 2020, and applies to businesses all over the world that deal with the personal information of California residents. Read the full CCPA full text on the California Legislative Information website.
Who does CCPA Apply to?
The CCPA law applies to any for-profit business if it collects data about California residents, no matter where the business is based. The CCPA law applies to businesses that conduct business in California and meet one of the following criteria:
- Sales of consumer data account for 50% (or more) of annual revenue, regardless of total revenue.
- Your business has total revenues of over $25 million, even if the sale, receipt, or purchasing of personal information is only a small percentage of your business's total revenues or business activities.
- Your organization sells, rents, receives, or purchases consumer information on 50,000 (or more) individuals within a given calendar year (365 days).
Exceptions for Organization under the CCPA
The following organizations are exempted from the CCPA:
- Financial institutions, such as subject to the Gramm-Leach-Bliley Act (GLBA).
- Healthcare institutions, that treat personal data by adhering to other laws, such as the Health Insurance Portability and Accountability Act (HIPAA).
Consumers' Rights under the CCPA
The CCPA regulates how businesses treat consumers' personal information and privacy. California's consumers have these main rights under the California Consumer Privacy Act (CCPA):
- Right to notice. Consumers have the right to know what personal data is being collected about them and the purposes for which the information is being used.
- Right to know. Consumers have the right to know the third parties with whom the business shares the information and whether their personal data is sold or disclosed.
- Right to disclosure. Consumers have the right to access their personal data upon request.
- Right to opt-out. Consumers have the right to agree or disagree to collect, manage, or sell their personal data.
- Right to deletion. Consumers have the right to ask for the deletion of their personal data.
- Right to equal services and prices. Consumers must not be discriminated against for exercising their privacy rights.
Be mindful of consumers' age. The CCPA offers extended protection for consumers under the age of 16. If a business knowingly collects information regarding a consumer’s age, the commercial entity is prohibited from selling that person's information without express consent from the individual or the individual’s parent or legal guardian. Children under the age of 13 require the consent of a parent or guardian.
The CCPA personal information definition
Under the CCPA, personal information is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Many types of data are considered personal information, including:
- direct identifiers, such as a real name, alias, postal address, unique personal identifier,etc.
- unique identifiers, such as online identifier, IP address, email address, account name, social security number, driver's license number, license plate number, passport number, cookies, etc.
- internet activity, such as browsing history, search history, etc.
- biometric data
- geolocation data
- sensitive information, such as health data, personal characteristics, behavior, religious or political convictions, sexual preferences, education data, financial and medical information, credit or debit card number, health insurance information, etc.
- professional or employment-related information.
What does the law mean by "collecting data?” The CCPA text informs that "Collecting data" is a broad definition and means collecting information that is freely received, rented, accessed, obtained, gathered, purchased, or derived in any manner.
Publicly available information is not considered personal information.
Why does it mean collecting data for "commercial purposes” under the CCPA? This is an area of the law that is also broadly defined. But, in a general sense, "commercial purposes" can mean any type of activity with a commercial component, such as the purchase, rental, lease, sale, or exchange of any type of good or service.
The act does not restrict businesses to collect, use, retain, sell or disclose consumer personal information that is de-identified. The CCPA defines de-identified data as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”
CCPA compliance requirements are set to protect website users' privacy and to treat personal information according to the CCPA consumer rights.
CCPA Compliance Checklist
Businesses can follow these six basic steps to get CCPA compliance:
- Assign a person or team to be responsible for data privacy and train your employees. The responsible person should focus on CCPA and other compliance standards and the consumers' personal information protection.
- Create a data inventory. Start by creating an inventory of what personal information you have collected from consumers. Examine the last year of your business' data activities, and especially how you use the data you collect. Conduct an inventory of consumer data held by your organizations, and those you share with third parties and vendors. This also means taking stock of so-called "offline" data, which might include personal details collected in person.
- Inform consumers before or at the point of data collection that you want permission to collect their personal information.
- Give consumers the right to access their personal information.
- Give consumers the right to request to delete their personal information.
- Create a Do Not Sell My Personal Information button on a cookie or a separate web page if you sell personal information.
- Respond to consumer requests. If California residents requested a detailed account of what information was collected on them over the span of the last 12 months or requested to delete their personal data- provide the information or delete it, correspondingly.
- Implement a system that allows certain data to be immediately and securely purged in response to requests deriving from consumers at the individual level.
- Inform consumers that you collect their personal information.
- Inform consumers why you collect this information.
- Inform consumers what are you planning to do with their personal information.
- Inform consumers how they can refuse your access to their personal information.
- Inform consumers that you won't discriminate against them if they do not provide your right to use their personal data for marketing purposes.
What does the CCPA Say About Cookies?
Cookies and other website tracking technologies, such as tracking pixels, are classified as unique identifiers and are considered personal information under the CCPA. Cookies may collect user browsing history, user search history, online shopping details, website preferences, or a user's interactions with a website. Because of the right to know, businesses have to inform consumers what data they collect via cookies, for what purposes, and how that data is used.
Businesses must therefore know what data their website collects, for what purpose, and with which third parties, if any, it shares this data.
What are the penalties for non-compliance with the CCPA?
The CCPA protects California consumers' privacy. Infringement of the CCPA law is subject to enforcement by the California attorney general's office which can seek civil penalties of $2500 for each law violation. If the CCPA law violation was issued, but the company did not take any actions to cure the privacy issues, this could lead to civil penalties of $7500 for each intentional law violation. If a business collects data from many California residents, the penalty could reach millions of dollars.
Your Best CCPA Compliance Solution
Frequently Asked Questions
When did CCPA go into effect?
What does CCPA stand for?
What is CCPA?
The California Consumer Privacy Act (CCPA) is a data privacy law that regulates the collection and processing of the personal information of California residents and protects consumers' privacy on the internet. The CCPA went into effect on January 1, 2020, becoming the first data privacy law in the USA of such a kind.
What is CCPA compliance?
Who does CCPA apply to?
The CCPA law applies to any for-profit business if it collects data about California residents, and meets one of the following criteria: sales of consumer data account for 50% (or more) of annual revenue; has total revenues of over $25 million; or sells, rents, receives, or purchases consumer information on 50,000 (or more) individuals within a given calendar year.
Does the CCPA Apply to Me?
The CCPA law applies to any for-profit business which conducts business in California, and meets one of the following criteria: sales of consumer data account for 50% (or more) of annual revenue; has total revenues of over $25 million; or sells, rents, receives, or purchases consumer information on 50,000 (or more) individuals within a given calendar year. CookieScript can help you to comply with the CCPA.
What is CCPA in summary?
The CCPA regulates how businesses treat California consumers' personal information and protects consumers' privacy. In summary, consumers have these main rights under the CCPA regarding their personal data: the right to notice, right to know, right to disclosure, right to opt-out, right to deletion, and right to equal services and prices.