CCPA Compliance: an ultimate guide to get compliant

The California Consumer Privacy Act (CCPA) is, according to the legislators who drafted it, the first comprehensive consumer privacy law in the USA, and it borrows several concepts from the EU's General Data Protection Regulation (GDPR).

The CCPA establishes a transparency right: a business must tell consumers what personal information it collects about them and with whom it shares or sells it. It also grants the individual consumer the right to access that data, to have it deleted, and to opt out of its sale.

A website that sells personal information collected through cookies and trackers must therefore give visitors a working opt-out, which is why a CCPA compliant cookie and consent solution is usually the first practical step towards compliance.

Dig a little deeper

The California Consumer Privacy Act (CCPA) is designed specifically to protect the data privacy rights of California residents. Under this law, businesses are obliged to give consumers more information about how their data is handled and with whom it is shared.

Most consumers do not even know that their personal data is being shared or sold. The CCPA addresses this by ensuring they are told, and that they are given a chance to opt out if they object to the terms or later change their mind.


When did the CCPA come into effect?

The legislation was signed by Governor Brown in June 2018 and came into force on January 1, 2020 (enforcement by the Attorney General began on July 1, 2020).

From the outset the CCPA has focused on consumer privacy, whereas the GDPR covers any data subject. In practice this meant that employee and business-contact data was largely exempted from the CCPA's provisions when it took effect; note that this exemption was temporary and expired on January 1, 2023 under the California Privacy Rights Act (CPRA) amendments.

Who will be affected by CCPA?

It covers any for-profit business that does business in California and collects consumers' personal information, subject to the thresholds below and to some exemptions. If a business meets one or more of the following, it is required to comply with the CCPA:

  • Its annual gross revenue exceeds $25 million.
  • It buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices per year.
  • It derives 50% or more of its annual revenue from selling consumers' personal information.

The lawmakers behind the CCPA exempted certain categories of health and financial data that are already regulated by federal privacy law. Note that these exemptions apply to the data, not to the organisation as a whole: a hospital or bank must still comply with the CCPA for personal information (for example, marketing or website analytics data) that falls outside the federal regime. The CCPA does not apply to:

  • Protected health information held by providers and insurers governed by the Health Insurance Portability and Accountability Act (HIPAA)
  • Financial data collected by banks and financial companies under the Gramm-Leach-Bliley Act
  • Consumer report data handled by credit reporting agencies (Equifax, TransUnion, etc.) under the Fair Credit Reporting Act.

CCPA and personal information

The CCPA is applicable to personal information that, “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Among data protection laws, this is about as broad as a definition of personally identifiable information (PII) gets. The phrases "relates to" and "reasonably linked" open up an extensive class of non-traditional identifiers beyond name, address and social security number.

To remove any doubt about what is covered, the lawmakers listed specific examples, including:

  • Email address
  • Online handles
  • IP address
  • Biometric information
  • Geolocation data
  • Browsing and search history

Frequently Asked Questions (FAQs):

Q1. Does the CCPA apply to SME businesses?

Headcount is not a criterion. What matters is whether you meet any of the thresholds listed above (gross revenue, the volume of personal information you handle, or the share of revenue you earn from selling it). A small company with a large user base or a data-driven business model can easily be in scope.

Q2. What are the penalties for non-compliance with the CCPA?

If the Attorney General notifies you of non-compliance, you have 30 days to cure the violation. If you fail to do so, the Attorney General can bring a civil action. Civil penalties are up to $2,500 per violation, rising to $7,500 per intentional violation, and each affected consumer can count as a separate violation, so the total scales with the number of people whose rights were infringed.

Separately, consumers have a private right of action when their non-encrypted and non-redacted personal information is exposed in a data breach caused by a failure to maintain reasonable security. Statutory damages there are $100 to $750 per consumer per incident, or actual damages if greater, which is why security controls such as encryption at rest are a compliance concern and not only a technical one.

Q3. Is the CCPA similar to the GDPR?

Only in part. California built on the momentum created by the GDPR, and the two share core ideas (transparency, access and deletion rights), but the CCPA is narrower: it applies only to businesses over the thresholds, it is an opt-out regime for the sale of data rather than a consent-based one, and it has no equivalent of the GDPR's requirement for a lawful basis for every processing activity.

Q4. If you are GDPR compliant, does that mean you are CCPA compliant as well?

Being GDPR compliant does not mean you are compliant with the CCPA. Because the GDPR is broader, a GDPR compliant organisation already meets some aspects of the CCPA, but there are differences between the two laws and a few additional steps are needed.

First, amend your privacy policy to describe the categories of personal information you collect, sell and share, and add a "Do Not Sell My Personal Information" link on your home page that leads to a working opt-out. Second, as under the GDPR, provide mechanisms for consumers to request access to and deletion of their data (the later CPRA amendments also added a right to correct it); the CCPA requires at least two request channels, one of which must be a toll-free telephone number for businesses that are not online-only. Third, establish a process to verify the identity of the person making a request before you disclose or delete anything, so the request mechanism itself does not become a data-leak channel. Finally, obtain opt-in consent before selling the personal information of consumers under 16, and parental consent for those under 13.