CCPA Compliance Checklist [Ultimate 2023 Edition]


“We hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”

These were the words of the California Attorney General in August 2022 after he announced that the state had reached a settlement with a major retailer under the California Consumer Privacy Act (CCPA), the first comprehensive consumer privacy law in the United States. The settlement required the retailer to pay $1.2 million and comply with several injunctive mandates.

The CCPA provides significant legal protections to all California residents with regard to how their personal information is collected and used—and if your business has customers in California, you don’t want the California Attorney General to send you a message next. That means you need to understand the CCPA and keep your data practices in compliance with its requirements.

We’ve got you covered. In this blog post, we’ll give an overview of the key features of the CCPA, including who it applies to, what types of information it protects, the consumer rights it provides, and the disclosures that it requires businesses to make. We’ll also take a quick look at how the CCPA relates to another California data privacy measure, the California Privacy Rights Act (CPRA). Finally, we’ll distill this information into an easy-to-use CCPA compliance checklist and show you how modern technology can support your CCPA compliance efforts.

Let’s get started.


Who does the CCPA apply to?

Types of information protected by the CCPA

Consumer rights under the CCPA

Disclosures that are required under the CCPA

The relationship between the CCPA and the CPRA regulations

The ultimate 2023 CCPA compliance checklist

Achieve effortless CCPA compliance with IPRO solutions

Who does the CCPA apply to?

The CCPA applies to for-profit businesses that do business in California and meet any of the following criteria:

  • earn gross revenue of more than $25 million;
  • receive, buy, sell, or share the personal information of at least 100,000 California residents, households, or devices; or
  • earn 50% or more of their annual revenue by selling the personal information of California residents.

What exactly is “personal information” under the CCPA? Let’s examine the types of personally identifiable information that the CCPA protects.

Types of information protected by the California Consumer Privacy Act

Personal information under the CCPA is broadly defined to encompass any data point that identifies, relates to, describes, and can be associated with (either directly or indirectly) an individual consumer or household. What exactly does that mean? Personal information includes information such as a particular consumer’s address, phone number, Social Security number, birth date, internet browsing history, GPS information, and more.

More specifically, the statutory definition of personal information sets out a list of eleven specific categories of potentially identifying information, including:

  • individual identifiers;
  • characteristics of protected classifications under federal or California law, such as race, religion, or sexual orientation;
  • biometric information;
  • education information that isn’t publicly available such as grades or disciplinary records;
  • professional or employment-related information such as insurance information or performance evaluations;
  • sensory information such as audio or visual recordings;
  • customer records information;
  • commercial purpose information;
  • inferences or information gathered regarding a customer’s behavior, preferences, attitudes, and so on;
  • records of internet activity; and
  • geolocation data.

While the CCPA has a fairly extensive reach, certain businesses and categories of data are exempt from its requirements. Exempt businesses include:

  • non-profits;
  • government agencies; and
  • insurance agencies, which are subject to an alternative privacy protection law, California’s Insurance Information and Privacy Protection Act (IIPPA).

Beyond those exempted businesses, certain categories of data are also exempt, such as:

  • publicly available data;
  • business-to-business communications;
  • warranty and recall information;
  • consumer reporting information, health information, or financial information that is subject to other privacy protection laws; and
  • personal information collected and used entirely outside of the state of California.

So, what specific rights does the CCPA provide for consumers with respect to their personal information?

Consumer rights under the CCPA

Bear in mind that the CCPA, as a state law, only provides rights to California residents. With that said, it gives California consumers a range of rights, including:

  • the right to know what kind of personal information a business has collected about them, its sources, and the types of third parties to whom it sells that information;
  • the right to have a business delete their personal information—and to tell their service provider to do the same (unless certain legal exceptions apply);
  • the right to opt out of having a business sell or share their personal information, though residents between the ages of 13 and 16 are presumed to have opted out and instead have the right to opt in to the sale or sharing of their personal information; and
  • the right to non-discriminatory treatment should they exercise any of their rights under the CCPA.

The passage of a related ballot measure, the California Privacy Rights Act or CPRA, amended the CCPA to give California consumers two additional rights:

  • the right to limit businesses’ use of their sensitive information to specific purposes only; and
  • the right to correct any inaccurate information that a business may have about them.

California residents can send an “access request” to a business up to twice a year at no charge. The business must respond to the request within 45 calendar days. Residents can also request that a business notify them before collecting their personal information and advise them about the type of information they will be collecting and how it will be used.

In addition to granting these consumer rights, the CCPA also requires businesses to make certain disclosures about what they do with consumers’ personal information. Let’s turn next to those disclosures.

Disclosures that are required under the CCPA

The CCPA requires businesses to disclose the following:

  • the types and categories of consumer personal information that the business has collected;
  • the specific pieces of personal information that a business has collected about a consumer;
  • the categories of data sources that are used in the collection of data;
  • the business’s purpose for collecting the data or how it intends to use the information;
  • the types of third parties the business shares personal information with;
  • the types of personal information the business has sold or shared, and the types of third parties to whom it has sold or shared that data; and
  • the types of personal information that are disclosed for a business purpose.

Remember that terms are broadly defined under the CCPA. As we noted before, “personal information” covers many types and categories of personal information and potentially identifying information. Likewise, “doing business” is broadly defined to cover all kinds of business activities, regardless of whether those activities produce direct profits. Similarly, the word “consumer” is construed to include not only specific customers of a business but all California residents.

As a result, businesses should always seek to err on the side of caution in collecting personal information and making required disclosures about what they do with that information.

We mentioned the CPRA earlier. Let’s look at how these two measures are related.

The relationship between the CCPA and the CPRA regulations

The CCPA took effect in June of 2018. In late 2020, California voters passed a ballot measure to strengthen the CCPA by creating the CPRA, which took effect in January of 2023. The CPRA is not a separate law; rather, it significantly amended and expanded the protections of the CCPA.

The CPRA also established the California Privacy Protection Agency (CPPA). Before the passage of the CPRA, the California Attorney General was solely responsible for enforcing California residents’ privacy protections. Today, the CPPA also has the power to implement and enforce the protections of the CCPA as amended by the CPRA.

The CPRA changed a few aspects of the CCPA. For example, it:

  • added a new category of personal information, known as “sensitive personal information,” that is subject to stricter guidelines;
  • provided new and expanded consumer rights, as we mentioned above;
  • introduced new legal obligations for businesses regarding the sharing of personal information; and
  • provided new private rights of legal action for consumers who are exposed to a data breach.

So, what does your business need to do to comply with the new and improved CCPA? We’ve compiled a checklist to answer that question.

CCPA compliance checklist [Ultimate 2023 Edition]

Compliance with any complex statutory scheme can seem overwhelming—but the good news is that it doesn’t have to be. Start with this checklist and you’ll be well on your way to CCPA compliance.

1. Determine whether the CCPA covers your business.

Some businesses, such as non-profit organizations, are not subject to the CCPA. Additionally, your business may not be subject to the CCPA if it doesn’t meet the criteria of revenue or number of California consumers served.

2. Audit your data collection processes.

If the CCPA does apply to your business, you’ll need to routinely audit and monitor your data collection processes to understand the types of personal information you collect and how you store, use, sell, or share that information, as well as who in your company has access to it.

3. Ensure third-party compliance.

Many businesses share consumer information with third parties. The CCPA requirements imply that those third parties must comply with information protection policies and consumer requests as well. As a result, consider implementing a system of auditing those businesses to ensure their ongoing compliance with CCPA privacy policies.

4. Ensure that you have sufficient data security systems in place.

The protection of personal information is paramount under the CCPA. Create sufficient data security systems to prevent security breaches.

5. Publish a privacy policy that complies with CCPA rules.

The CCPA requires businesses to publish a privacy policy that explains to consumers how their information is collected, shared, and sold. The privacy policy must also explain consumers’ rights under the CCPA and how they can exercise those rights.

6. Notify consumers that you will be collecting their data before doing so and seek permission to collect that data.

Often called a “notice at collection,” this notice must explain the types of information your business collects and why you collect it. If you sell personal information, the notice must include a “Do Not Sell” link that gives customers the choice to opt out of having their information sold.

7. Maintain a data inventory of your data processing history.

Providing customers with an explanation of the data you collect and the purposes you use it for is important, but maintaining clear and detailed records regarding the data you’ve collected and how you’ve processed or used it is also essential.

To maintain a data inventory, identify all data sources where personal data is processed or stored, then document their details, such as data type, purpose, and retention period. Keep the inventory up to date and review it regularly to ensure compliance with privacy regulations.

8. Create a system to comply with customers’ requests to access their personal information.

Under the CCPA, customers have the right to request access to their personal data. You must be prepared to provide that data within 45 days of the date the request is made.

To avoid any CCPA violations, it is necessary to have a robust system in place that allows for the quick identification and retrieval of the requested data. Having a streamlined and efficient system not only ensures compliance with legal requirements but also demonstrates a commitment to transparency and accountability, fostering customer trust and loyalty.

9. Explain to customers how they can request the deletion of their personal data.

Some customers may wish to have their data deleted. If a customer asks your business to find and delete their data, you need to be able to do so promptly.

Failing to do so can result in legal and reputational consequences. Therefore, businesses must have robust data management systems that allow for the efficient identification and deletion of customer data.

10. Develop a plan to respond if a security incident occurs.

A data breach and a CCPA violation can happen despite reasonable prevention efforts. When they do, you need to have a plan of action that will allow your business to respond quickly and effectively to protect customer information.

To complete all of these tasks efficiently and cost-effectively, businesses are turning to advanced data management tools.

Achieve effortless CCPA compliance with IPRO solutions

There’s a lot to do to be CCPA compliant. Fortunately, modern technology can help businesses understand their data and manage it effectively. At IPRO, we specialize in providing organizations with the tools they need to streamline and simplify compliance with data privacy laws like the CCPA and the GDPR.

For example, Live Early Data Assessment (EDA) can quickly return valuable insights about an organization’s data and information management practices, revealing where data is stored and how it is used. If a consumer asks to access, delete, or correct their personal information, Live EDA lets the organization search for that information across all of its data stores—including multiple repositories—quickly and easily, all from a single interface.

For more information about Live EDA and other IPRO solutions, contact our team or schedule a demonstration today.