63% of Internet users believe most companies aren’t transparent about how their consumers’ data is used. With how much information is collected on them every day and how valuable it can be, people do have reasons to worry about their consumer privacy and the safety of their personal information. To address those privacy concerns, several countries have passed new privacy laws to protect consumers and their personal information from misuse – like GDPR in the European Union or CCPA in California.

In our previous article, we compared the similarities and differences between the GDPR and CCPA laws. Now, let’s focus on the California Consumer Privacy Act itself: what it is, who it affects, and how you can make your business CCPA compliant.

What is CCPA?

California Consumer Privacy Act (CCPA) is a state-wide law that grants consumers in California several new privacy rights to give them more control over their data. The CCPA is also the first such comprehensive consumer privacy law in the United States. The law was passed by the California State Legislature and signed into law by California Governor Jerry Brown on June 28, 2018, becoming effective on January 1, 2020. The law was further expanded in November 2020 with the California Privacy Rights Act (CPRA, also known as Proposal 24), which will come into effect on January 1st, 2023.

Under the law, California citizens gained several new consumer privacy rights:

  • The right to know about the personal information a business collects about them and how it is used or shared with other organizations
  • The right to delete personal information collected from them
  • The right to opt-out of the sale of their personal information
  • The right to non-discrimination for using their CCPA rights
  • The right to sue a company for breaches that violated their CCPA rights

The California Privacy Rights Act also grants consumers two additional rights:

  • The right to correct inaccurate personal information
  • The right to limit the use and disclosure of sensitive personal information

Also, businesses must now give consumers explicit notice about what type of data they collect, for what business purpose they need it, and how it will be used.

What’s more, businesses that sell consumers’ personal information must also include a “Do Not Sell” link through which consumers can send an opt-out request not to have their personal information sold to other companies or organizations.

What data is protected under CCPA?

Although the CCPA is typically viewed as a less strict version of the European privacy law, in some places, the Californian law goes even further – the definition of personal information is one such example.
The CCPA defines personal information as:

“any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

This definition may sound similar to the description of “data subjects” under the GDPR. The main difference, though, is that while the GDPR only applies to information that can be used to identify a person, the CCPA covers any information that could identify consumers or their households.

The range of data falling under the PI category in CCPA is also much broader as it includes:

  • Personal identifiers such as the consumer’s real name, postal address, phone numbers, social security number, or driver’s license number
  • Online identifiers that could be used to trace a consumer’s online presence back to them, such as cookies, IP addresses, email addresses, account names, usernames, etc.
  • Biometric data such as fingerprint, face or retina scan but also voice recordings or handwriting examples
  • Geolocation such as geotags on images or location history
  • Internet activity such as search history or app activity
  • Sensitive information such as personal characteristics, behavior, religious or political convictions, sexual preferences, employment, and education data

In other words, if the collected information can potentially identify an individual, it is considered personal information and falls under the CCPA law. However, there are some exceptions to CCPA protection.

Take, for instance, a phone number. It typically falls under the CCPA law as a “direct identifier”. However, if you shared your phone number by adding it to the contact information on your website or social media account, then it is considered “publicly available information” – and here, CCPA protection doesn’t apply. Likewise, everything stored in government records, such as property records or professional licenses, or information already falling under other existing laws (like medical or financial data), isn’t considered personal information under CCPA either.

What falls under the CCPA law?

Compared to other regulations like GDPR that apply to most businesses and organizations, Californian privacy law primarily targets medium and large companies. NGOs, charities, government institutions, as well as smaller businesses are generally exempt from following the regulations, though there are some exceptions here.

So who exactly is subject to the CCPA law? As outlined in the CCPA document, the covered businesses are all for-profit legal entities operating in California that meet one or more of the following criteria:

  • Buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices per year
  • Have an annual gross revenue exceeding $25 million
  • Derive more than 50% of their annual revenue from selling the personal information of California residents
  • Share common branding with another business that falls under the CCPA

What does the “operate in California” requirement mean, though? Does it mean that only companies working within the state are required to comply with the Californian privacy law? Not exactly.

Under the CCPA, any activity in which California residents share personal information with businesses and the businesses collect that information for commercial purposes is considered “doing business in California” – regardless of where the company is located. That means that websites, online stores, mobile apps, and online service providers all fall under Californian law as well, as long as they meet one or more of the main criteria.

Let’s take a France-based retail store as an example. If they are selling their products to people living in California, then they already meet the “operating in California” criterion. They don’t have to follow the regulations, though, as long as their revenue is below $25 million and their number of Californian customers is under 50,000.

However, if after analyzing their newest newsletter signup metrics the store finds out they have gained several new customers from California and have reached the 50,000-consumer threshold, the situation changes. As the store now meets the consumer threshold and is using the data for business purposes (sending the consumers a newsletter), it is legally obliged to comply with the CCPA law.

Wholly outside of California – what does it mean?

Technically, CCPA regulations do not apply to businesses that operate “wholly outside of California” either. What does it mean, though? As defined in Section 1798.145(a)(6) of the CCPA, a business is considered “wholly outside of California” if it meets the following criteria:

  • Not collecting PII from California consumers
  • Not selling the consumer’s PII in California
  • No part of the sale of consumer personal information occurred in California

The thing is, meeting those requirements can be quite difficult nowadays. As we mentioned earlier, any means through which companies can collect Californian consumers’ information is considered doing business in California, whether it’s a retail store, online store, mobile app, or email newsletter. In addition, search and browsing history, cookies, and IP addresses are also considered PII under the CCPA. That means that all websites or applications that Californians can use are also covered by the CCPA, as they passively collect personal information about their users.

There is also a specific provision to prevent abuse of the “traveling Californian” loophole. Businesses can’t store personal information about a California resident while the consumer is in California and then later “collect” that personal information when the consumer is outside of California.

As a result, meeting the requirements for “being wholly outside of California” might be very difficult (if not impossible) in the current digital times; virtually the only option here would be blocking Californian users from using your mobile application or website.

What should companies do to be compliant with the CCPA law?

To know whether your company needs to comply with the CCPA regulations, you’ll first need to take a closer look at the main compliance criteria and check whether your business meets them. Keep in mind that besides the “doing business in California” requirement, you need to meet only one of the other criteria to fall under the CCPA law.

Once you’ve analyzed the requirements, compared them with your business metrics, and determined that you should comply with the CCPA, the next question is how you can ensure your business is compliant.


The main compliance requirements CCPA puts on businesses are:

  • Having an online privacy policy that is compliant with CCPA rules and is updated at least once every 12 months
  • Adding a privacy notice to their website or mobile app that tells consumers what will happen to their PII after it is collected by the company
  • Keeping track of the history of data processing activities by maintaining a data inventory
  • Allowing consumers to request access to or deletion of their PII
  • Providing two “designated methods for submitting a request”, with a toll-free number as one of the methods
  • Creating a Do Not Sell My Personal Information page if you sell personal information, with a link leading to the page and an opt-out request form placed on a clearly visible page of the website
  • Designing a clear process for responding to all questions about consumer rights and fulfilling consumer requests

In order to comply with the regulations, your company might need to change some of its business processes, especially how you collect, store, and protect the information coming from Californian citizens. To give you some ideas on where to start, we outlined some key points on how you can prepare your business to meet the compliance requirements:

  • Conduct a data audit:

The first step when you aim for CCPA compliance is to learn what personal and sensitive information you collect on your consumers and where that information is stored. As part of the audit, you should also check how your employees work with the data: who has access to what information, how they are using it, and how documents or files are shared between employees.

  • Classify the data according to importance:

Once you know what type of data you have in your business, you can begin classifying it based on how important or sensitive it is. This is an essential step as some of your data categories (especially confidential information) will require a much higher level of security and a specific set of guidelines for handling them. To prevent data loss or leaks, it would be a good idea to restrict access to the most critical files only to a few employees and also set limits on what they can do while working with those files.

  • Develop a set of practices for managing data:

The data audit should clearly show you the most significant issues in your organization. Now, it’s time to develop data management guidelines for all your employees. The guidelines should describe how employees are expected to manage customer data, what is the main process for responding to consumer requests, the main safety guidelines, and who is responsible for handling particularly sensitive or confidential information. Such a manual is also an excellent place to instruct your employees on how to react to a data loss or breach.

  • Review and update your data security measures:

Under the CCPA, consumers can sue for damages if their personal information was breached due to a “business violation of its duty to implement and maintain reasonable security procedures and practices.” That means that any data breach could be a significant problem for your organization, both when it comes to the hefty fines and the reputational damage. So while doing the audit, also take a closer look at your security measures, for example how often backups are made.

  • Update your online privacy policy if you have one:

Privacy policies and collection notices are essential components of the CCPA, and not having one on your website or app can immediately be counted as a violation. But even if you already have a privacy policy on your website or app, it will most likely need an update to be compliant with the CCPA requirements.

What are the fines for non-compliance?

In line with many other laws on data privacy, the California Consumer Privacy Act has some rather severe penalties for non-compliance.

Intentional violations of the California Consumer Privacy Act can bring civil penalties of up to $7,500 for each violation, while for less severe violations the fine is $2,500 per violation. Plus, consumers affected by a breach can take legal action and file for statutory damages as well, between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” It might not seem like much compared to the famous GDPR fines of several million dollars. However, you should know that the CCPA counts each violation separately and imposes penalties accordingly.

Zoom learned this the hard way after millions of Zoom users sued the company and claimed their consumer rights were violated after Zoom sold their personal data to social media companies. To settle the lawsuit, Zoom agreed to pay $85 million as a settlement. What’s more, Zoom also agreed to add more security measures to their platform (such as alerting users when meeting hosts or other participants use third-party apps in meetings) and to train their employees on privacy and data handling.

What’s even more important is that there’s no upper limit for CCPA fines. So if a company the size of Facebook (which has 18 million users in California) were found to have breached the CCPA, the penalties could reach $45 billion, and that’s just for the less serious violation scenario, not counting statutory damages.

How can Safetica help you?

Making your company CCPA compliant might seem overwhelming at first: there’s a data audit to do, classification, securing especially sensitive files, training your employees to follow the new guidelines, and handling consumer inquiries as well.

With Safetica, your business can take care of all of those steps and become CCPA compliant much easier. Here’s how we can help:

  • With Safetica, you can quickly run a data audit and find out what types of data are used in your organization.
  • Safetica can give you a full overview of what sensitive or confidential information is stored in your organization and help you categorize and secure it. For example, you can quickly set who has access to what type of information and block all activities coming from other accounts.
  • After setting your internal security policies and guidelines, Safetica will keep an eye on everything your employees are doing while handling the data and ensure that they adhere to procedures and security policies. Additionally, you will receive a real-time alert for any policy violations or suspicious activity, such as copying sensitive files to an unknown device.
  • As Safetica monitors all employee activities while handling data, it can identify any risks, illegal activities, and threats and block those before they lead to data breaches and loss.

What’s more, Safetica can also aid you in educating your colleagues on how to classify data, spot, prevent and react to security incidents, as well as stay compliant with GDPR and CCPA regulations. That way, you can be sure that your company’s information is perfectly safe - and that your staff knows how to prevent and respond to any data issues or threats.

Conclusion

CCPA is the first comprehensive consumer privacy law in the US - and in some aspects, it’s actually stricter than its European counterpart. It doesn’t apply to all organizations though - if you don’t meet the revenue or data amount threshold, then you don’t need to be compliant with the CCPA law. However, even if you don’t meet the requirements yet, it’s always better to start in advance so you won’t have to rush everything later.

With Safetica at your side, though, meeting the compliance standards can be far faster and easier, as it helps you with auditing your data, securing your most important files, and raising awareness about data security among your colleagues.

So whether you need to be compliant with the regulations now or are planning for the future, with Safetica, you can make the compliance process easier - and ensure you’ll remain compliant for years to come.

Author
Kristýna Svobodová
Content Strategist @Safetica
