The California Consumer Privacy Act (CCPA/CPRA)

The California Consumer Privacy Act (CCPA) A.B. 375 is a privacy law based in California, with far-reaching effects. And it was amended by the CPRA, with the amendments taking effect on Jan 1, 2023. Almost every business that has customers in California will have to comply with the CCPA (CPRA).

This article will break down what the CCPA (CPRA) requires, and what you need to do to comply with it.

What is the CCPA (CPRA)

The CCPA (CPRA) is a consumer privacy law out of California that forces significant changes on businesses involved with personal data of California residents. The law especially affects those operating online. It was passed into law on June 28, 2018, and went into effect at the start of 2020.

The GDPR and the CCPA (CPRA)

The CCPA (CPRA) is centered on the principles of accountability, control, and transparency. It's also based on the EU's General Data Protection Regulation (GDPR). Like the GDPR, the CCPA (CPRA) is designed to give users more control of their personal data.

The CCPA (CPRA) and the GDPR are very similar. The wording in both Acts is very broad, which offers consumers additional protection and places heavier burdens on businesses.

However, the CCPA (CPRA) is more concerned with data selling than simple data protection while the GDPR is primarily concerned with transparency and disclosure.

The CCPA (CPRA) and the GDPR both offer protection for individuals wherever they're located in the world, provided they meet the eligibility criteria. However, the GDPR protects a wider demographic than the CCPA (CPRA).

Who the CCPA (CPRA) Applies to and Affects

The CCPA (CPRA) applies to companies collecting or selling California consumers data, regardless of where they are located. In addition, businesses generating over $50 million in annual revenue that sell at least 100,000 customer records and derive at least 50 percent of their annual revenue from selling or sharing consumers personal information must comply with the CCPA (CPRA).

Any businesses marketing or collecting personal data on California residents are subject to this law. The physical location of a business does not absolve it from complying with the CCPA (CPRA). In other words, you don't have to be located in California to have to comply with the CCPA (CPRA).

The CCPA (CPRA) does not apply to charities or other non-profits.

To make it simple, if you run a for-profit company, and your business meets at least one of the following criteria, you're subject to the CCPA (CPRA). The criteria are:

• The business receives 50% or more of its annual revenue from selling the data of California residents
• The company's yearly gross takings exceed $25 million, or
• The company processes, receives, or distributes the data from at least 100,000 California residents each year

Remember, you need only meet one of these thresholds for the CCPA (CPRA) to apply.

As an example, if you run a very small business, but most of your annual revenue comes from selling or distributing personal data from Californians, then the CCPA (CPRA) applies to you.

Conversely, if you're a non-profit operating in California, the CCPA (CPRA) doesn't apply, no matter how much data you process.

Who the CCPA (CPRA) Protects

The CCPA (CPRA) protects residents of California. It gives these individuals special rights over how businesses process, collect, and distribute their data.

A resident of California is either:

• Domiciled in California but living or staying elsewhere temporarily, or
• Someone domiciled in California, or at least staying there for more than a holiday

For example, if someone lives in California but works in another state for a few months, they're still Californian which means they're protected by the CCPA (CPRA).

If, on the other hand, someone lives in Ohio, but they're visiting California for a vacation, or they're staying in hospital for a medical procedure, the CCPA (CPRA) does not protect them.

CCPA (CPRA) and Personal Information

The CCPA (CPRA) regulates how a business processes, stores, and shares what's known as personal information. It defines personal information broadly in Section 1798.140 as any data that can identify a person or a household.

Privacy rights under the CCPA (CPRA) go far further than the GDPR, which only protects the individual, not the household. For example, a surname may identify a household, and a passport number identifies an individual.

Here's what the CCPA/CPRA's definition of personal information looks like:

The Act then goes on to describe the kind of data that falls under personal information, but it's worth remembering that this is a non-exhaustive list.

Data protected by the CCPA (CPRA) includes:

• Names
• Social security and passport numbers
• Addresses (including IP addresses)
• Bio data such as fingerprints and blood types
• Employment information
• Purchase records
• Browsing history

Public Record Exceptions

Some personal data is exempt from CCPA (CPRA) regulation. It's a fairly dense and complex clause in the Act, but put simply, information that is made publicly available from government records is exempt:

Exempt information, then, includes such data as census records.

How the CCPA (CPRA) Changed Things

The CCPA (CPRA) set a broader definition for personal information to include metrics like geolocation, personal identifiers, psychometric data, inferences about the consumers made by the company and internet browsing history.

It also increased the penalties and fines on violations of existing laws as a way to hold businesses more accountable for privacy breaches and securing consumers' personal information. As a business owner, you can be found to be in violation of the CCPA (CPRA) if you fail to implement and uphold reasonable security procedures.

The CCPA (CPRA) allows California residents to bring their data to another service provider or to have it deleted. Businesses providing highly targeted advertising may have their income greatly affected as the protections allow for far less precise data collection on individual customers.

Restricting Companies' Reliance on Consumer Data

The CCPA/CPRA's requirements created challenges for larger companies who already had established business models in the digital sector. Google, Twitter, Facebook and others generating revenue by targeting advertising through internet platforms had to change their business practices. Internet service providers like Verizon and AT&T that rely heavily on consumer data were also negatively impacted.

The new privacy standards ushered in by the CCPA (CPRA) also hurt data brokers who generate their primary income from selling consumer data to third parties. Any retailers or internet companies who deal with consumer data and have customers in California were and are still affected by this privacy law as well.

Managing New Privacy Standards

Companies with customers in-state and outside the state had to face how to manage the different types of privacy laws. Companies were left with two options: either reform their entire data protection and data rights infrastructures to comply with California's law or institute a patchwork data regime in which Californians are treated one way and everyone else another.

Either two different systems have to be maintained - one specifically tailored around the CCPA (CPRA) - or the entire system must be revamped to be in compliance with the CCPA (CPRA).

It's recommended that you revamp your entire system so that other customers don't begin to take issue with companies affording Californians more protections than everyone else.

Key Requirements and Components of the CCPA (CPRA)

The CCPA (CPRA) has a number of requirements and components addressing topics such as Privacy Policies, consumer rights, protections and safeguards, and non-discrimination practices.

Let's take a deeper look at these requirements.

The CCPA (CPRA) and Privacy Policies

Under the CCPA (CPRA) (and countless other privacy laws), businesses are required to write and publish a Privacy Policy that should transparently detail how data is collected, why its collected, who it's shared with and what rights consumers have concerning those business practices.

Being required to have a Privacy Policy isn't new. Before the CCPA (CPRA), other acts such as the California Online Privacy Protection Act (CalOPPA) required businesses to have and display a Privacy Policy.

But what's different about the Privacy Policy requirement under the CCPA (CPRA)?

Essentially, existing Privacy Policies must be amended to include specific, detailed information. New businesses must draft Privacy Policies to include this information.

The information included in a CCPA/CPRA-compliant Privacy Policy must include the following standard information that should be included in all Privacy Policies:

• What information the business collects
• Why it collects this information, and why it may choose to share or sell this information with other parties
• Which type of third party the business may share the information with
• How individuals can control the information collected and used
• How the business sourced the information

Where things change is that Privacy Policies under the CCPA (CPRA) come with the following additional requirements:

• The Privacy Policy must be updated every 12 months
• It must be clear who the consumer can contact about their data
• Businesses must declare what customer data they've processed in the previous 12 months
• Businesses must tell consumers if they're selling their personal information, and
• Who they're selling the information to
• There must be a right to opt out of any data selling

Under the CCPA (CPRA), people have a right to know who profits from their personal information and take steps to limit this if they wish.

The CCPA (CPRA) and Consumer Rights

The CCPA (CPRA) explicitly guarantees California residents a number of rights concerning personal data collected online, including but not limited to:

• The right to know what personal information is being collected about them
• The right to know whether their personal information is sold or disclosed, and to whom
• The right to say no to the sale of their personal information
• The right to access their personal information held by a company
• The right to equal service and price, even if they exercise their privacy rights

Customers in California are given the right to request a number of disclosures from a business with access to their personal data:

• The categories of information collected
• The categories of sources where it has been collected from
• The business or commercial purpose behind collecting or selling the information
• The categories of any third parties a business shares personal information with
• The specific pieces of information that have been collected about the requesting individual

If you do receive a personal information data request from a user, CCPA (CPRA) guidelines require it to be responded to in a timely manner, within 45 days. The CCPA (CPRA) allows users to make these disclosure requests two times per year.

More User Control for Consumers

The CCPA (CPRA) provides consumers with the right to opt out. At any time, consumers have the right to direct a business to stop selling their personal information to third parties.

Businesses need to provide users with the ability to refuse the sale of personal data while promoting this option through a link on the homepage and within the privacy policy, titled as "Do Not Sell My Personal Information."

According to the CCPA (CPRA), companies can now provide consumers age 16 and younger with the right to opt-in. However, in order to sell the information of someone age 13 or younger, you're still required to receive their permission from their parents or guardians.

Businesses are also required to ensure they are honoring consumers' requests to have their data completely deleted.

Protection and Safeguards for Consumer Privacy

Since the CCPA (CPRA) allows users to sue companies over privacy losses caused by data breaches, securing customer information is an even higher priority than ever before. In order to keep customer data safe, there should be regular audits, assessments of the systems used to manage data and some strategic approach to maximizing protection.

Data breaches are alarmingly common, but the CCPA (CPRA) holds businesses responsible for the data in their care. Ultimately, if you choose to collect personal information from customers, you are responsible for what happens to it.

A good rule is to only collect as much personal information as you need to for commercial purposes. For example, you don't need someone's passport number for a simple commercial transaction on a website.

Whether your safeguards are robust enough is generally an objective question determined on the facts of each case, but you must take all reasonable steps to keep personal information safe.

Being Non-Discriminatory with Consumers

The CCPA (CPRA) prohibits businesses from discriminating against users who choose to exercise any of the consumer rights provided. The CCPA (CPRA) outlines a number of actions you could take that would be considered discriminatory against a consumer:

The CCPA (CPRA) does allow you to offer different qualities or prices of goods or services if its reasonably related to the value provided to the customer by their consumer data. Companies who do engage in altering their offers for access to consumer data could potentially expose themselves to customer backlash.

What are the Penalties for Not Complying with the CCPA (CPRA)?

If a business fails to cure alleged noncompliance within 30 days following notification from the state, you could be considered in violation and charged a civil penalty of up to $7,500 per violation.

Any business operating in California that isn't compliant with CCPA (CPRA) could face civil damages of up to $750 per violation, per user. While not a costly as the GDPR, sizable data breaches for companies with thousands of customers in California could quickly total up to around $1 million in CCPA (CPRA) fines.

The CCPA (CPRA) also allows consumers to file lawsuits for privacy losses without showing any evidentiary loss of property or money. Unlike traditional lawsuits, those filed for CCPA (CPRA) privacy violations do not need to be founded on proof of damages.

Since the CCPA (CPRA) is California legislation, penalties and enforcement for not complying are led by the Attorney General's office.

Summary

Here are some key things to remember about the CCPA (CPRA):

• Consumers have the right to access all the data a business collects about them
• Consumers can choose to not have their information sold to third parties
• Consumers can request that companies completely delete their personal data
• Consumers have the right to know which category of third parties their data was sold to
• Consumers have the right to know the reason for the data collection
• Enforcement is led by California's Attorney General
• Consumers can take legal action without proof of damages if they are subjected to a beach of privacy

Any business working with data involving consumers in California will benefit from learning more about the new privacy standards and how to adjust their data management and privacy practices accordingly.