63% of Internet users believe most companies aren’t transparent about how their consumers’ data is used. With how much information is collected on them every day and how valuable it can be, people do have reasons to worry about their consumer privacy and the safety of their personal information. To address those privacy concerns, many countries have passed privacy laws to protect consumers and their personal information from misuse – like GDPR in the EU or CCPA in California.

Now, let’s focus on the California Consumer Privacy Act: what it is, who it affects, and how you can make your business CCPA compliant.

What is CCPA?

The California Consumer Privacy Act (CCPA) is a state-wide law that grants consumers in California several new privacy rights to give them more control over their data. The CCPA is also the first such comprehensive consumer privacy law in the United States. The law was passed by the California State Legislature and signed into law by California Governor Jerry Brown on June 28, 2018, becoming effective on January 1, 2020.

The CCPA was then amended by the California Privacy Rights Act (CPRA, also known as Proposition 24), most of whose provisions came into effect on January 1, 2023. The information in this article already includes the changes brought in by the CPRA.

Does CPRA replace CCPA?

For the sake of clarity, we want to explain that the CPRA is not a new law, it is a set of revisions to the CCPA. What is now referred to as the CCPA includes every change and expansion that came from the CPRA. Any part of the CCPA that the CPRA didn’t address remains the same as before the CPRA.

As we already mentioned in this article, when we refer to the CCPA, we always mean the CCPA as amended by the CPRA.

Ok, now that we’ve gotten that out of the way, let’s see what specific rights consumers have been granted:

Under the CCPA, California residents (the law calls them “consumers”) have these privacy rights:

  • The right to know about the personal information a business collects about them and how it is used or shared with other organizations
  • The right to delete personal information collected from them
  • The right to opt out of the sale of their personal information
  • The right to non-discrimination for using their CCPA rights
  • The right to sue a company (a private right of action) when a data breach of their non-encrypted and non-redacted personal information results from the business’s failure to maintain reasonable security
  • The right to correct inaccurate personal information
  • The right to limit the use and disclosure of sensitive personal information

What’s more, the CPRA introduced purpose limitation and data minimization requirements. Businesses may only collect, use and retain personal information in a way that is reasonably necessary and proportionate to the disclosed purposes, and may not keep it longer than is reasonably necessary for those purposes. Businesses must tell consumers, at or before the point of collection, which categories of data are being collected, the specific business purposes for collecting it, and how long each category will be retained (or the criteria used to determine that period).

What data is protected under CCPA and CPRA?

Although the CCPA is typically viewed as a less strict version of the European privacy law, in some places, the Californian law goes even further – the definition of personal information is one such example.

CCPA refers to personal information as

 “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 

The amended version of the CCPA includes the addition of another subset: sensitive personal information.

The range of data falling under “personal information” in the CCPA includes:

  • Personal identifiers such as the consumer’s real name, postal address, phone number, social security number, or driver’s license number
  • Online identifiers that could be used to trace a consumer’s online presence back to them, such as cookies, IP addresses, email addresses, account names, usernames, etc.
  • Biometric data such as fingerprint, face or retina scan but also voice recordings or handwriting examples
  • Geolocation, such as geotags on images or location history
  • Internet activity, such as search history or app activity
  • Sensitive personal information, the subset added by the CPRA: social security, driver’s license, state ID or passport numbers; account log-in credentials; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of mail, email or text messages; genetic data; biometric data used for unique identification; health data; and sex life or sexual orientation
  • Other protected classifications and profile data, such as citizenship or immigration status, professional or employment information, education data, and inferences drawn about a consumer’s preferences, characteristics or behavior

In other words, if the collected information can potentially identify an individual, it is considered personal information and falls under the CCPA and CPRA laws. However, there are some exceptions to CCPA and CPRA protection.

Take, for instance, a phone number. It typically falls under the CCPA as a “direct identifier”. However, if you yourself published your phone number in the contact information on your website or social media account, it is considered “publicly available information”, to which CCPA protection doesn’t apply. Likewise, information lawfully available from government records, such as property records or professional licenses, is not personal information under the CCPA, and data already regulated by other laws (for example medical data under HIPAA or financial data under the GLBA) is largely exempt from it.

Which businesses and organizations does the CCPA apply to?

Compared to regulations like the GDPR, which applies to almost any organization that processes personal data, the CCPA primarily targets medium and large companies. Non-profit organizations and government agencies are generally exempt from the law, though there are some exceptions there, too.

So who exactly is subject to the CCPA? Businesses subject to the CCPA are for-profit legal entities that do business in California and meet one or more of the following criteria:

  • Buy, sell, or share the personal information of 100,000 or more California consumers or households per year.
  • Have annual gross revenue exceeding $25 million in the preceding calendar year (a threshold that is periodically adjusted for inflation).
  • Derive 50% or more of their annual revenue from selling or sharing consumers’ personal information.
  • Control, or are controlled by, a business that meets one of the criteria above and share common branding with it.

What does the “doing business in California” requirement mean? Does it mean that only companies with a physical presence in the state have to comply with the Californian privacy law? Not exactly.

“Doing business in California” covers any business activity in which California residents share personal information with a company that collects it for commercial purposes, regardless of where the company is located. In practice, this means that websites, online stores, mobile apps, and online service providers also fall under the law as long as they meet one or more of the main criteria, no matter where they are based.

Let’s take a France-based retail store as an example. If it sells its products to people living in California, it is already doing business in California. It still doesn’t have to follow the CCPA, though, as long as its annual revenue is below $25 million, it handles the personal information of fewer than 100,000 California consumers or households per year, and it doesn’t derive 50% or more of its revenue from selling or sharing personal information.

However, if after analyzing its newest newsletter signup metrics the store finds that it has gained enough new customers from California to reach the 100,000-consumer threshold, the situation changes. The store now meets one of the criteria and is using the data for commercial purposes, so it is legally obliged to comply with the CCPA.

What should companies do to be compliant with the CCPA law?

First, to figure out whether your company has to follow CCPA rules, check the main qualification criteria and see if your business fits. If you are doing business in California, meeting any one of the other criteria means you legally need to comply with the CCPA.

Once you've looked into these rules, compared them with your business metrics, and determined that you should fall under the CCPA, the next question is how you can ensure your business is compliant.

The main compliance requirements that the CCPA imposes on businesses include:

  1. Privacy policy: Businesses must maintain an online privacy policy that describes the categories of personal information collected, the purposes, the retention period for each category (or the criteria used to determine it), and the consumers’ rights, and that is updated at least once every 12 months.
  2. Privacy notices: Companies must give consumers a notice at or before the point of collection, on their website and in their mobile apps, that tells them what personal information is collected and how it will be used and shared.
  3. Cookie policy: Cookies, device IDs and similar online identifiers are personal information under the CCPA, so the website must tell consumers which such data it collects, how, and why.
  4. Data inventory: Businesses must keep track of their data processing activities and maintain a comprehensive data inventory of the information they collect, where it is stored, and with whom it is shared.
  5. Consumer rights management: Consumers have the right to request access to, correction of, or deletion of their personal data. Businesses must offer at least two ways to submit such requests (for example a web form plus a toll-free number, or an email address for online-only businesses), verify the requester’s identity, and respond within 45 days (extendable once by a further 45 days).
  6. Opt-out requests: Businesses must display “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links on their website homepage (a single “Your Privacy Choices” link may combine them) and must honor opt-out preference signals, such as Global Privacy Control, sent by the consumer’s browser.

To comply with the regulations, your company might need to change some of its business processes, especially how you collect, store, and protect personal information coming from California residents. To give you some ideas on where to start, we have outlined some key points on how to prepare your business for meeting the compliance requirements:

  • Conduct a data audit

The first step toward CCPA compliance is to learn what personal and sensitive personal information you collect from consumers, where it is stored, and with whom it is shared. As part of the audit, you should also check how your employees work with the data: who has access to what information, how they use it, and how documents or files are shared between employees.

  • Classify your data

Once you know what type of data you have in your business, you can begin classifying it based on how important or sensitive it is. This is an essential step as some of your data categories (especially sensitive personal information) will require a much higher level of security and a specific set of guidelines for handling them.

To prevent data loss or leaks, it is a good idea to restrict access to the most critical files only to those employees who specifically need it for their role and also set limits on what they can do while working with those files.
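The audit and classification steps above can be partly automated. The following Python script is an added example for this article, not code from Safetica’s product and not a legal determination: it scans a set of records, flags fields that hold personal information by value shape (SSN, email, IP address, US phone number, precise coordinates) or by column name (religion, health, credentials, name, address), merges the findings into a per-field data inventory, and assigns each flagged field a handling tier, with the CPRA “sensitive personal information” subset placed in a restricted tier. The sample records, field names and patterns are constructed for the example; in a real audit you would tune the patterns to your own data and treat hits as candidates for human review.

```python
"""Toy CCPA data-inventory scanner (added example; not Safetica code).

Flags fields holding personal information and the CPRA "sensitive personal
information" subset, builds a per-field inventory, and assigns handling tiers.
"""
import re
from collections import defaultdict

# Value patterns keyed by (category, label). Categories follow the article's
# list of personal-information types; "sensitive" is the CPRA subset.
VALUE_PATTERNS = {
    ("sensitive", "ssn"): re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    ("sensitive", "precise_geolocation"): re.compile(
        r"-?\d{1,2}\.\d{4,},\s*-?\d{1,3}\.\d{4,}"),
    ("online_identifier", "email"): re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    ("online_identifier", "ipv4"): re.compile(
        r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    ("direct_identifier", "us_phone"): re.compile(
        r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}(?!\d)"),
}

# Column-name hints for data whose values have no recognisable shape.
# Keys are substrings matched against the lower-cased field name.
FIELD_HINTS = {
    "religio": ("sensitive", "field:religious_belief"),
    "health": ("sensitive", "field:health"),
    "diagnos": ("sensitive", "field:health"),
    "sexual": ("sensitive", "field:sex_life_or_orientation"),
    "ethnic": ("sensitive", "field:racial_or_ethnic_origin"),
    "password": ("sensitive", "field:account_credentials"),
    "name": ("direct_identifier", "field:name"),
    "address": ("direct_identifier", "field:postal_address"),
}

# Constructed sample data for the example; these are not real people.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.com", "phone": "(415) 555-0134",
     "last_ip": "198.51.100.23", "ssn": "123-45-6789", "religion": "unspecified",
     "home_coords": "37.7749, -122.4194", "order_total": "42.10"},
    {"name": "Bob Sample", "email": "bob@example.org", "phone": "+1 212-555-0199",
     "last_ip": "203.0.113.9", "ssn": "", "religion": "", "home_coords": "",
     "order_total": "17.00"},
]


def scan_record(record):
    """Return {field: {(category, label), ...}} for the fields of one record
    that look like personal information. Fields with no hit are omitted."""
    hits = defaultdict(set)
    for field, value in record.items():
        lowered = field.lower()
        for needle, tag in FIELD_HINTS.items():
            if needle in lowered:
                hits[field].add(tag)
        if value:  # empty cells carry no data to classify
            for tag, pattern in VALUE_PATTERNS.items():
                if pattern.search(str(value)):
                    hits[field].add(tag)
    return dict(hits)


def build_inventory(records):
    """Union the per-record findings into a per-field data inventory:
    a field is flagged if any record shows personal information in it."""
    inventory = defaultdict(set)
    for record in records:
        for field, tags in scan_record(record).items():
            inventory[field].update(tags)
    return dict(inventory)


def handling_tier(inventory):
    """The 'classify your data' step: any sensitive hit puts the field in the
    'restricted' tier (need-to-know access, encryption, 'limit use' requests);
    other personal information is 'standard' (know/delete/correct/opt-out)."""
    return {
        field: "restricted" if any(cat == "sensitive" for cat, _ in tags) else "standard"
        for field, tags in inventory.items()
    }


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_RECORDS)
    tiers = handling_tier(inv)
    for field in sorted(inv):
        labels = ", ".join(sorted(f"{c}/{l}" for c, l in inv[field]))
        print(f"{field:12} {tiers[field]:10} {labels}")
```

Running the script lists every flagged column with its tier, so the `ssn`, `religion` and `home_coords` columns land in the restricted tier while `email`, `phone`, `last_ip` and `name` are standard personal information and `order_total` is not flagged at all. The output is the starting point for the access restrictions described above: the restricted columns are the ones to lock down to the roles that need them.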

  • Develop a set of practices for managing data:

The data audit should clearly show you the most significant issues in your organization. Now, it’s time to develop data management guidelines for all your employees. The guidelines should describe how employees are expected to manage customer data, what is the main process for responding to consumer requests, the main safety guidelines, and who is responsible for handling particularly sensitive or confidential information. Such a manual is also an excellent place to instruct your employees on how to react to a data loss or breach.

  • Review and update your data security measures

Under the CCPA, consumers can sue for statutory damages if their non-encrypted and non-redacted personal information is breached because the business failed to implement and maintain reasonable security procedures. That means any data breach could be a significant problem for your organization: regulatory penalties, statutory damages from affected consumers, and reputational damage.

So, while doing the audit, also take a closer look at your security measures: for example, how often backups are made, whether personal information is encrypted at rest and in transit, whether you require multi-factor authentication, and whether you have an incident response plan in place so you know how to react to suspicious activity.

Read further: What is phishing | ISO 27001 international standard for setting up an effective information security management system

  • Update your online privacy policy

Privacy policies and cookie notices are essential components of the CCPA, and not having them on your website or app can immediately be counted as a violation. But even if you already have a privacy policy on your website or app, it will most likely need an update to be compliant with the CCPA requirements.

What are the fines for CCPA non-compliance?

In line with many other laws on data privacy, the California Consumer Privacy Act has some rather severe penalties for non-compliance.

Violations of the California Consumer Privacy Act can bring administrative or civil penalties of up to $2,500 per violation, rising to $7,500 for each intentional violation. If the violation involves the personal information of consumers under 16, every violation can bring the $7,500 penalty, not just intentional ones.

Plus, consumers affected by a breach can take legal action and claim statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” It might not seem like much compared to the famous GDPR fines of many millions of euros. However, you should know that the CCPA counts each violation separately and imposes penalties accordingly.

Zoom learned a version of this the hard way after millions of its users sued the company in a class action, alleging among other things that Zoom had shared their personal data with third parties such as Facebook without adequate notice. To settle the lawsuit, Zoom agreed to pay $85 million. What’s more, Zoom also agreed to add more privacy and security measures to its platform (such as alerting users when meeting hosts or other participants use third-party apps in meetings) and to train its employees on privacy and data handling. Note that this was a private class-action settlement rather than a penalty imposed by a regulator under the CCPA.

What’s even more important is that there’s no upper limit on total CCPA penalties, because each violation is counted separately. So, if a company the size of Facebook (which has roughly 18 million users in California) were found to have committed a violation affecting every one of them, the penalties could reach $45 billion at the $2,500 rate alone, before counting intentional violations or statutory damages.

How can Safetica help you?

Making your company CCPA compliant might seem overwhelming at first – there’s a data audit to do, classification, securing especially sensitive files, training your employees on following the new guidelines, and handling consumer inquiries as well. 

With Safetica, your business can take care of all of those steps and become CCPA-compliant much easier. Here’s how we can help:

    • With Safetica, you can quickly run a data audit and find out what types of data are used in your organization.
    • Safetica can give you a full overview of what sensitive or confidential information is stored in your organization and help you categorize and secure that data. For example, you can quickly set who has access to what type of information and block all activities coming from other accounts.
    • After setting your internal security policies and guidelines, Safetica will keep an eye on everything your employees are doing while handling the data and ensure that they adhere to procedures and security policies. Additionally, you will receive a real-time alert for any policy violations or suspicious activity, such as copying sensitive files to an unknown device.
    • As Safetica monitors all employee activities while handling data, it can identify any risks, illegal activities, and threats and block those before they lead to data breaches and loss.

What’s more, Safetica can also aid you in educating your colleagues on how to classify data, spot, prevent, and react to security incidents, as well as stay compliant with CCPA (and other) regulations. That way, you can be sure that your company’s information is perfectly safe – and that your staff knows how to prevent and respond to any data issues or threats.

Conclusion

CCPA is the first comprehensive consumer privacy law in the US – and in some aspects, it’s actually stricter than its European counterpart, the GDPR. It doesn’t apply to all organizations, though – if you don’t meet the revenue or data amount threshold, then you don’t need to be compliant with the CCPA law. However, even if you don’t meet the requirements yet, it’s always better to start in advance so you won’t have to rush everything later.

With Safetica near you, you can make meeting the compliance standards far faster and easier, though, as it can help you both with auditing your data and securing your most important files and raising awareness about data security among your colleagues as well.

So, whether you need to be compliant with the regulations now or are planning for the future, with Safetica, you can make the compliance process easier – and ensure you’ll remain compliant for years to come.

Author
Kristýna Svobodová
Content Strategist @Safetica
