The California Consumer Privacy Act (CCPA) is the first privacy law in the United States to regulate the collecting, managing, and selling of website users' personal information. It was signed in 2018 and became effective on January 1, 2020. Read the full text of the California Consumer Privacy Act on the California Legislative Information website.
What Organizations Are Subject to the CCPA?
The CCPA applies to any for-profit business that collects consumers' personal data, does business in California, and satisfies at least one of the following criteria:
- Sales of consumer data account for 50% (or more) of annual revenue.
- The business has total revenues of over $25 million.
- The organization sells, rents, receives, or purchases the personal information of 50,000 (or more) individuals.
How to Comply with the CCPA?
If your organization is subject to the CCPA, the key steps to compliance are as follows:
Step 2: Update the record-keeping requirements
Companies have to maintain a data inventory that tracks their data-processing activities, including the business processes, third parties, products, devices, and applications that process consumers' personal data.
Companies must identify:
- which data is sold;
- which categories of personal information are transferred to third parties;
- whether any categories of personal information are covered by HIPAA, the FCRA, or another law that exempts them from the CCPA's scope;
- when the data was collected; consumers' personal data has to be kept for 12 months.
The inventory has to be kept up to date and must be able to track all consumer rights requests.
Step 3: Implement protocols to ensure consumer rights
California consumers have the following main rights under the CCPA:
- Right to notice. Consumers have the right to be informed of what personal data is collected about them and the purposes for which it is used.
- Right to know. Consumers have the right to know the third parties with whom the business shares the information and whether their personal data is sold or disclosed.
- Right to disclosure. Consumers have the right to access their personal data upon request.
- Right to opt-out. Consumers have the right to consent to or refuse the collection, management, or sale of their personal data.
- Right to deletion. Consumers have the right to ask for the deletion of their personal data.
- Right to equal services and prices. Consumers must not be discriminated against for exercising their privacy rights.
Step 4: Update security measures
The CCPA requires businesses to protect personal data with "reasonable" security. This means that personal data must be kept reasonably confidential and must not be made available to unrelated parties.
Step 5: Update third-party processor contracts
If a business uses other companies to process the personal data it collects, it must update those third-party contracts to cover the handling of consumers' personal data.
Step 6: Perform training
The CCPA requires that employees handling consumer personal data and related inquiries be informed of all CCPA requirements.