What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) empowers Californians with control over their personal data since it was signed into law in June 2018. Amid growing demand for consumer privacy, how can organizations navigate the CCPA?
In brief:
- The CCPA grants California residents rights to access, delete, and opt-out of data sales to protect their privacy.
- To protect consumer privacy under the CCPA, businesses have numerous requirements centralized around transparency.
- Google was hit with a $93 million fine following violations of the CCPA in 2023.
What is the CCPA?
Often dubbed a landmark law, the CCPA regulation has significantly impacted the data privacy landscape for businesses operating in California or collecting data from California residents.
According to the State of California Department of Justice, the CCPA grants California residents the following privacy rights:
- CCPA right to know: California residents are entitled to know what personal information a business collects about them and how it’s used and shared
- CCPA deletion requests: This grants the right to delete personal information collected from California residents (with some exceptions)
- CCPA opt-out: This refers to the right to opt-out of the sale or sharing of personal information
- The right to non-discrimination for exercising their CCPA rights
CCPA regulations outline invaluable guidance on how organizations can implement the law and meet their obligations, which include:
- Transparency about data practices
- Responding to consumer requests
- Ensuring responsible data use and disclosure
CCPA data retention
While CCPA data retention periods aren’t specifically outlined in the legislation, organizations must align their data retention practices in a way that is compliant with the CCPA.
We’ll look at organizations’ obligations under the CCPA in more detail later in this article.
Who does the CCPA apply to?
Despite its name, the CCPA’s reach extends beyond businesses physically located in California. Importantly, the CCPA applies to any for-profit organization conducting business in California and that meet any of the following criteria:
- Has a gross annual revenue of over $25 million
- Buys, sells, or shares the personal information of 100,000 or more California residents or households
- Derives 50% or more of its annual revenue from selling California residents’ personal information
This broad scope necessitates careful consideration by organizations that have a national or even international footprint.
Hitting the headlines: CCPA enforcement action
Since the CCPA effective date of January 1, 2020, there have been multiple cases where organizations have breached CCPA regulations and enforcement action has followed.
In 2023, Google hit the headlines when it was ordered to pay a whopping $93 million following a judgment by California’s attorney general, declaring that Google deceived users about their ability to opt-out of data collection measures.
In a press release issued on September 14, 2023, California Attorney General Rob Bonta said;
“Our investigation revealed that Google was telling its users one thing – that it would no longer track their location once they opted out – but doing the opposite and continuing to track its users’ movements for its own commercial gain. That’s unacceptable, and we’re holding Google accountable with today’s settlement.”
Those who breach CCPA regulations don’t just risk hefty fines, since reputational damage can have a far greater impact in the long-term, even if an organization does have deep pockets.
Empowering organizations: How to comply with the CCPA
As an organization, to be CCPA compliant requires a comprehensive approach to data governance and consumer rights management.
Achieving CCPA compliance involves several key steps, which we’ve put together in the below CCPA compliance checklist:
- Data mapping:
Identifying and mapping all personal information collected about California residents is crucial. This includes understanding the source, purpose, and duration of data storage. - Consumer rights implementation:
Procedures for handling consumer requests to access, delete, or opt-out of the sale of their data must be established and readily accessible to California residents. - Transparency:
Clear and comprehensive privacy policies outlining data collection and usage practices are essential. These policies should be easily accessible and written in a way that consumers can understand. - Data security:
Robust data security measures are necessary to safeguard personal information and prevent unauthorized access or disclosure. - Ongoing monitoring: Regularly reviewing and updating data governance practices is vital to ensure ongoing compliance with the CCPA’s evolving requirements.
CCPA compliance solutions
In view of the broad scope of the CCPA and the severity of compliance breaches, organizations are increasingly turning to tools that facilitate CCPA compliance.
Global Relay’s compliance technology enables firms to address specific requirements such as a data subject’s right to know and right to be deleted, with tools that rapidly search and retrieve data or defensibly delete it.
CCPA vs CPRA: What’s the difference?
Since the CCPA enforcement date of 2020, there have been significant amendments which have culminated in the final CCPA regulations.
The California Privacy Rights Act (CPRA) amendments to the CCPA passed in January 2023 have broadened the scope of the original legislation. It’s important to note that the CPRA has not replaced the CCPA.
Under the CPRA, two important additional rights have been granted to California consumers:
- The right to correct inaccurate personal information
- The right to limit use and disclosure of sensitive personal information
The right to limit use and disclosure of sensitive personal information
CCPA vs GDPR: Key differences
While both the CCPA and the General Data Protection Regulation (GDPR) aim to enhance data privacy rights, there are key distinctions to navigate.
Overall, GDPR has a broader reach and wider range of rights compared to the CCPA, as well as steeper consequences in cases where organizations violate GDPR legislation.
This is in addition to the differences in geographical application of the CCPA and the GDPR.
Summary
While the CCPA has established a strong foundation for data privacy rights in California, its focus on specific rights and lack of clear retention guidelines leave some room for interpretation.
This presents both a challenge and an opportunity for organizations to whom the CCPA applies. Consequently, organizations must undertake robust data governance practices that exceed the CCPA’s baseline to fuel their compliance engine.