The California Consumer Privacy Act (CCPA): How to ensure your business is CCPA Compliant?

It was only last year, in May 2018, that the General Data Protection Regulation (GDPR) came into effect and changed how companies around the world handle personal data. Businesses have since grown used to adjusting to new privacy and data laws. Now, on January 1st, 2020, the state of California will roll out the California Consumer Privacy Act (CCPA), the first comprehensive state-level consumer privacy law in the United States.

Whether you are a consumer curious about your personal rights or a business owner worried about compliance, this blog has you covered!


What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) aims to enhance privacy rights and consumer protection for residents of California, United States.

With many major tech companies based in California, including Google and Facebook (both of which recently disclosed incidents exposing user data), AB 375, the bill that enacted the CCPA, is poised to have far-reaching effects on data privacy.


What rights does the CCPA provide?

The CCPA provides California residents with the right to:

  1. Know what personal information is being collected about them, whether it is sold or disclosed, and to whom.
  2. Request deletion of the personal information a business holds about them (subject to the exceptions the Act lists, such as completing a transaction they requested).
  3. Opt out of the sale of their personal information.
  4. Exercise these rights without being discriminated against, for example through denial of service or a different price or quality of goods.


How do I know if CCPA can impact my business?

The CCPA applies to any for-profit business that does business in California, collects personal information of California residents, and meets one or more of the following criteria:

  1. Has annual gross revenue of $25 million or more.
  2. Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices.
  3. Derives 50% or more of its annual revenue from selling consumers' personal information.


What are the penalties for violation of CCPA?

Civil penalties are enforced by the California Attorney General: up to $7,500 per intentional violation and up to $2,500 per violation for violations that lack intent. The penalty is counted per violation, so a single incident affecting many consumers can add up quickly. The CCPA also gives consumers a private right of action, but only for data breaches that result from a business's failure to maintain reasonable security; for those, consumers may sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.


Comparisons with GDPR

Although GDPR and CCPA are similar in spirit, there are important differences between the two regulatory acts.

  1. GDPR applies to any entity that processes personal data of people in the EU, whether a for-profit company, a non-profit or a public body, and regardless of its size. CCPA applies only to for-profit businesses that meet the revenue or data-volume thresholds above, and it protects only California residents.
  2. GDPR governs all "processing" of personal data, whatever the purpose, and requires a lawful basis for it; where that basis is consent, the consent must be an affirmative "opt-in" obtained before the data is used. CCPA is narrower: it lets businesses collect and use personal information as long as they disclose it, and requires an "opt-out" mechanism (a "Do Not Sell My Personal Information" link) only when that information is sold.
  3. Non-compliance with GDPR can incur a fine of up to €20 million or 4% of the company's worldwide annual turnover, whichever is higher. Under CCPA, the maximum fine is $7,500 per intentional violation, with no percentage-of-revenue cap.


How to ensure your business is CCPA compliant?

  1. Update your privacy policy to describe the new CCPA rights and the categories of personal information you collect, sell or disclose.
  2. Establish methods (at minimum a toll-free number and a web form or email address) to receive consumer requests, and a process to respond to them within 45 days of receipt.
  3. Ensure you can tell consumers how you collect their data, where it resides, how you use it and with whom you share it, which means maintaining an up-to-date inventory of personal data across your systems.
  4. Notify consumers, at or before the point of collection, that their personal data may be shared or sold, and provide the "Do Not Sell My Personal Information" link.
  5. Implement a process to honor opt-out requests and keep them honored. We collect client-specific opt-outs by email and tag each contact record according to the email conversation, so the tag is checked before any list is shared.
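The steps above boil down to two things an engineering team has to build: a ledger that tracks every request against its 45-day deadline, and a Do-Not-Sell list that is consulted before any data leaves the business. The following is an added example in Python, not code from this blog's authors, showing one way to do that. The class and field names are hypothetical, the sample requests and records are constructed for the demo, and it assumes the CCPA rule that the 45-day window may be extended once by a further 45 days when the consumer is notified.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set

RESPONSE_WINDOW_DAYS = 45   # CCPA: respond within 45 days of receiving a request
EXTENSION_DAYS = 45         # the window may be extended once by a further 45 days


@dataclass
class ConsumerRequest:
    request_id: str
    consumer_id: str
    kind: str                      # "know", "delete" or "opt_out"
    received: date
    extended: bool = False         # set once the consumer has been notified of an extension
    completed: Optional[date] = None

    def due(self) -> date:
        """Deadline for responding, including a single extension if granted."""
        extra = EXTENSION_DAYS if self.extended else 0
        return self.received + timedelta(days=RESPONSE_WINDOW_DAYS + extra)

    def is_overdue(self, today: date) -> bool:
        return self.completed is None and today > self.due()


class PrivacyRequestLedger:
    """Hypothetical ledger: tracks consumer requests and the Do-Not-Sell list they feed."""

    def __init__(self) -> None:
        self.requests: Dict[str, ConsumerRequest] = {}
        self.do_not_sell: Set[str] = set()

    def receive(self, req: ConsumerRequest) -> None:
        if req.request_id in self.requests:
            raise ValueError(f"duplicate request id {req.request_id}")
        self.requests[req.request_id] = req

    def extend(self, request_id: str) -> date:
        """Record the one permitted extension and return the new deadline."""
        req = self.requests[request_id]
        if req.extended:
            raise ValueError("a request may only be extended once")
        req.extended = True
        return req.due()

    def honor_opt_out(self, request_id: str, today: date) -> None:
        """Add the consumer to the Do-Not-Sell list and close the request."""
        req = self.requests[request_id]
        if req.kind != "opt_out":
            raise ValueError(f"{request_id} is a {req.kind} request, not an opt-out")
        self.do_not_sell.add(req.consumer_id)
        req.completed = today

    def overdue(self, today: date) -> List[str]:
        """Open requests whose deadline has passed, for escalation."""
        return sorted(r.request_id for r in self.requests.values() if r.is_overdue(today))

    def records_for_sale(self, records: Iterable[dict]) -> List[dict]:
        """Apply the Do-Not-Sell list before any dataset is shared or sold."""
        return [r for r in records if r["consumer_id"] not in self.do_not_sell]


def demo(today: date = date(2020, 3, 1)) -> dict:
    """Walk three constructed requests through the ledger as of a fixed date."""
    ledger = PrivacyRequestLedger()
    # Constructed sample requests; the consumer ids are not real people
    ledger.receive(ConsumerRequest("r1", "c-100", "opt_out", date(2020, 1, 10)))
    ledger.receive(ConsumerRequest("r2", "c-200", "know", date(2020, 1, 5)))
    ledger.receive(ConsumerRequest("r3", "c-300", "delete", date(2020, 2, 20)))
    ledger.honor_opt_out("r1", date(2020, 1, 12))   # opt-out honored within two days
    ledger.extend("r3")                               # deletion needs the extra 45 days
    # Constructed marketing records that a partner has asked for
    records = [
        {"consumer_id": "c-100", "email": "a@example.com"},
        {"consumer_id": "c-200", "email": "b@example.com"},
        {"consumer_id": "c-300", "email": "c@example.com"},
    ]
    return {
        "overdue": ledger.overdue(today),                  # r2 was due 2020-02-19
        "shareable": [r["consumer_id"] for r in ledger.records_for_sale(records)],
        "r3_due": str(ledger.requests["r3"].due()),        # 2020-05-20 after extension
    }


if __name__ == "__main__":
    print(demo())
```

The point of routing every export through `records_for_sale` is that an opt-out is only "honored" if it is enforced at the place data actually leaves, not just recorded in a CRM tag; the `overdue` report is what a compliance owner would review weekly so that a "right to know" request does not quietly pass its deadline.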


Connect with us to learn more about the intricacies of CCPA, data and privacy regulation. With our 10+ years of industry experience, we have developed CCPA- and GDPR-aligned processes that protect consumer data by setting stringent rules on how we gather and process individual data.