What is CCPA? Learn all about CCPA here
Are you aware of what the CCPA is and who it applies to? Read all about CCPA compliance, CCPA fines, and CCPA consent here.
What Is CCPA?
CCPA stands for the California Consumer Privacy Act of 2018. At the time it was passed, it was the most comprehensive consumer data privacy law in California and in the United States.
It was passed shortly after the EU's GDPR took effect and borrows some of its concepts. It is not as comprehensive as the EU law, yet it grants consumers more rights over their personal data than any previous US privacy law.
California was the first US state to pass a comprehensive consumer data privacy law. The CCPA has been amended several times since, most significantly by the CPRA (see below).
CCPA vs. CalOPPA
Yes, you still have to comply with every data protection law currently in force in California, and that includes CalOPPA and other laws as well.
The CCPA does not replace any existing California data protection law. All of them remained in effect when the CCPA took effect on 1 January 2020, so you have to comply with every applicable privacy law adopted in the state.
The CCPA was meant to complement existing personal data protection, not to replace it. CalOPPA and the other personal data protection laws remain in force, which means your existing obligations remain. Introducing the CCPA changes nothing about your duty to comply with other California privacy laws, such as CalOPPA, Shine the Light, and the Privacy Rights for California Minors in the Digital World Act, or with federal laws such as HIPAA.
What Is CCPA Compliance?
What are CCPA compliance requirements?
Who does CCPA apply to?
The California Consumer Privacy Act (CCPA) applies only to businesses that meet its applicability thresholds.
It applies to a for-profit business anywhere in the world if:
- It does business in California and collects personal information of California residents, and
- It (or a parent company or subsidiary that shares common branding and control with it) exceeds at least one of the following three thresholds:
- Annual gross revenue above $25 million,
- Annually buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices, or
- Derives 50% or more of its annual revenue from selling California residents' personal information.
A California resident is defined, for CCPA purposes, as any person who:
- Is in California for other than a temporary or transitory purpose, or
- Is domiciled in California, but is outside the state for temporary or transitory purposes.
Does CCPA Apply To SME Businesses?
The CCPA may apply to any business, including small and medium-sized businesses, if it meets the applicability thresholds. The law does not look at how big the business is, but at whether it meets the criteria mentioned above.
What Are The Fines For Non-Compliance With The CCPA?
Failure to comply with the CCPA puts you at risk of significant fines. Under the original CCPA, the Attorney General can bring an enforcement action if you have not cured a violation within 30 days of being notified of it (the CPRA removes this cure period; see below).
Civil penalties are up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Because penalties are counted per violation, violating the CCPA-guaranteed rights of 1,000 users could in principle expose you to a fine of up to $7,500,000 in total ($7,500 × 1,000 users). Separately, in the case of a data breach caused by a failure to maintain reasonable security measures, affected consumers have a private right of action for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.
Is CCPA The California Version Of GDPR?
No, it is not. California's legislature passed the CCPA in the wake of the EU's General Data Protection Regulation (GDPR) and borrowed some of its concepts, but the CCPA's requirements are not as extensive as the GDPR's, and in particular it does not impose the GDPR-style prior consent obligations that the EU applies to cookies.
How Does The CCPA Compare To The GDPR?
When comparing the GDPR and the CCPA, several differences stand out.
In general, the GDPR requires a lawful basis for collecting and processing personal data, which in practice often means the user must opt in. The CCPA does not require that: it lets businesses collect and process personal information by default and only requires that consumers be given the opportunity to opt out of its sale (and, under the CPRA, its sharing). The one exception is consumers under 16, whose personal information may not be sold without opt-in consent.
We Are Compliant With The GDPR. Does It Mean That We Are CCPA Compliant?
No. Complying with the GDPR does not guarantee CCPA compliance by default. Chances are you already meet some of the CCPA requirements simply by being GDPR compliant, but you still have some work to do.
Simply put, you need to identify and address the differences between the GDPR and the CCPA.
What Is A CCPA Service Provider?
A CCPA service provider is roughly what a data processor is under the GDPR: an entity that processes personal information on a business's behalf, under a written contract, according to that business's instructions.
For example, your email marketing provider helps you collect email addresses and process them. They are your CCPA service provider.
Although the CCPA contains a number of service provider exceptions (for example, disclosing personal information to a service provider for a business purpose is not a "sale"), it also prescribes duties that service providers must abide by, such as not retaining, using, or disclosing the personal information for any purpose other than performing the contracted services.
What Is Personal Information Under The CCPA?
Personal information under the CCPA is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This is broader than the traditional notion of "personally identifiable information" and includes, for example, IP addresses, device identifiers, browsing history, and inferences drawn about a consumer.
Can We Sell Our Users’ Personal Information Freely?
The CCPA does not prohibit you from selling your users' personal information, but it obliges you to disclose that you do so and to let consumers opt out of the sale, typically through a "Do Not Sell My Personal Information" link on your website. Once a consumer has opted out, you must not sell their personal information unless they later opt back in. For consumers under 16, selling personal information requires opt-in consent (from a parent or guardian for children under 13).
At a minimum, your CCPA disclosures (usually made in your privacy policy) must cover:
- What categories of personal information you collect and process
- Why you collect and process it (the business or commercial purposes)
- How you collect it (the categories of sources)
- How users can request access to, portability of, correction of (under the CPRA), or deletion of their personal information
- The method you use to verify the identity of the person who submits a request
- Whether you sell users' personal information and how they can opt out of the sale
- Information on any financial incentives offered in exchange for personal information.
Do I Need To Obtain The User's Consent Before Using Cookies To Collect And Process Their Personal Data For CCPA Compliance?
No. The CCPA follows an opt-out model: you do not need the user's prior consent to set cookies, but you must disclose what personal information you collect through them and, where cookies are used to sell (or, under the CPRA, share) personal information, give users a way to opt out. Opt-in consent is required only for selling the personal information of consumers under 16.
What Is CCPA 2.0?
Officially known as the California Privacy Rights Act (CPRA), CCPA 2.0 builds upon and amends the California Consumer Privacy Act (CCPA), expanding the privacy rights of California residents.
When Does CCPA 2.0 Come Into Effect?
Although some CPRA provisions took effect immediately when it was approved in November 2020 (for example, the creation of the California Privacy Protection Agency), most of its changes became operative on January 1, 2023, and apply to personal information collected on or after January 1, 2022. Enforcement of the new provisions was scheduled to begin on July 1, 2023.
It is important to start your CCPA 2.0 compliance efforts well in advance to avoid penalties for violations.
Who Needs To Comply With The CCPA 2.0?
Businesses that need to comply with the CCPA generally need to comply with the CPRA as well. The main change to the applicability thresholds is that the threshold of 50,000 California residents, households, or devices has been raised to 100,000 residents or households (devices are no longer counted), and the revenue threshold now counts revenue derived from selling or sharing personal information.
What Changes Does The CCPA 2.0 Bring?
The CPRA will introduce several changes to the current CCPA setup in the form of minor revisions, new concepts, and expansion of California consumers’ rights.
CCPA 2.0 changes include:
- New rules for a category of personal information known as "sensitive personal information"
- A new definition of consent that introduces GDPR-like requirements
- A new definition for "sharing" personal information (cross-context behavioural advertising), with an opt-out right that mirrors the opt-out of sale
- Clarifications on the definition of a business under the CCPA
- Changes to CCPA service provider requirements
- New disclosure requirements
- An expansion of consumers' private right of action to breaches of email addresses combined with passwords or security questions
- The creation of the California Privacy Protection Agency, which takes over rulemaking and shares enforcement with the Attorney General
- Removal of the 30-day cure period
- Extension of the CCPA's employee data and business-to-business data exemptions (until January 1, 2023)
What Is Sensitive Data Under The CCPA?
CCPA 2.0 introduces a new subcategory of personal information referred to as "sensitive personal information".
It includes a user's:
- Social security, driver's license, state identification card, or passport number
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Contents of mail, email, or text messages, unless the business is the intended recipient
- Genetic data
- Biometric information processed to uniquely identify the user
- Health information
- Sex life or sexual orientation
- Account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to the account
- Precise geolocation