CCPA: California's GDPR?
Like the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) gives individuals more control over how companies use, collect, store, and process their personal information.
The CCPA is one of the most sophisticated data protection laws in the United States. Crucially, it protects California residents from losing control of their personal information.
Although the law passed in June of 2018, it didn't come into effect until January 1st 2020. The CCPA currently affects business operations, and you'll need to take steps to comply.
- 1. CCPA: Who it Applies to
- 1.1. Who the CCPA Protects
- 2. CCPA and Personal Information
- 2.1. Public Record Exceptions
- 3. Recap
- 4. The CCPA and Consumer Rights
- 5. The CCPA and Privacy Policies
- 5.1. Disclosure and Knowledge
- 5.2. The Right to be Forgotten
- 5.3. Non-discrimination
- 5.4. Access
- 5.5. Safeguards
- 6. CCPA v GDPR: What's The Difference?
- 7. Conclusion
Put simply, the CCPA regulates:
- What information businesses collect
- Who the business shares the information with
- Who the business sells the information to
- Why the business collects the data in the first place
- How the data is stored and processed
- The consent that businesses must obtain before they can process personal data
Most importantly, the CCPA makes it compulsory for businesses to draft comprehensive Privacy Policies which inform consumers of their various rights under the Act.
The CCPA applies to businesses wherever they are located. It does not just apply to businesses based in California. The CCPA applies when:
- A company collects or processes the private data from people who live in California
- The company does business, or makes sales, in California
It's clear that the CCPA, like the GDPR, affects businesses across the United States.
Essentially, the CCPA exists because people want more control over what happens to their data when they shop online, visit websites or share their information with other parties.
People want to know that their data is safe and secure, and that businesses collect the least amount of personal data possible.
They also want to know that businesses can't sell their data to third parties without their consent. Regulating the sale and distribution of personal data is at the heart of the CCPA.
On the other hand, businesses require information about their customers to analyse trends, predict growth, and reach new prospective business opportunities. Much like the GDPR, the CCPA attempts to regulate an increasingly complex commercial world while respecting the rights of the individual.
Although the CCPA applies to businesses, it doesn't apply to every business. Businesses that meet certain criteria are exempt from the CCPA, because it would be disproportionate for them to comply with the rules.
Before considering the CCPA in detail, then, who does it apply to?
CCPA: Who it Applies to
The CCPA does not apply to charities or other non-profits.
If you run a for-profit company, and your business meets at least one of the following criteria, you're subject to the CCPA. The criteria are:
- The business receives 50% or more of its annual revenue from selling the data of California residents
- The company's yearly gross takings exceed $25 million
- The company processes, receives, or distributes the data from at least 50,000 California residents each year
Remember, you need only meet one of these thresholds for the CCPA to apply.
As an example, if you run a very small business, but most of your annual revenue comes from selling or distributing personal data from Californians, then the CCPA applies to you.
Conversely, if you're a non-profit operating in California, the CCPA doesn't apply, no matter how much data you process.
So, if you're regulated by the CCPA, you're probably wondering who the Act protects. The scope is narrower than the GDPR's.
Who the CCPA Protects
The CCPA protects residents of California. It gives these individuals special rights over how businesses process, collect, and distribute their data.
A resident of California is either:
- Someone domiciled in California but living or staying elsewhere temporarily
- Someone living in California for more than a temporary stay, such as a holiday
Examples will help. If someone lives in California but works in another state for a few months, they're still a California resident, which means they're protected by the CCPA.
If, on the other hand, someone lives in Ohio, but they're visiting California for a vacation, or they're staying in hospital for a medical procedure, the CCPA does not protect them.
The CCPA and the GDPR both offer protection for individuals wherever they're located in the world, provided they meet the eligibility criteria. However, the GDPR protects a wider demographic than the CCPA.
Now that we're clear on who the CCPA protects, we can ask the next question: what information is covered by the CCPA?
CCPA and Personal Information
The CCPA regulates how a business processes, stores, and shares what's known as personal information. So, what is personal information? Let's look at what Section 1798.140 of the CCPA says.
The CCPA defines personal information broadly, just like the GDPR. Essentially, personal information is data that can identify a person or a household.
Yes, that's right. A household.
In this respect, privacy rights under the CCPA extend further than the GDPR, which only protects the individual, not the household.
Here's what the CCPA's definition of personal information looks like:
The Act then goes on to describe the kind of data that falls under personal information, but it's worth remembering that this is a non-exhaustive list.
Data protected by the CCPA includes:
- Social security and passport numbers
- Addresses (including IP addresses)
- Biometric data such as fingerprints and blood types
- Employment information
- Purchase records
- Browsing history
For example, a surname may identify a household, and a passport number identifies an individual.
Public Record Exceptions
Some personal data is exempt from CCPA regulation. It's a fairly dense and complex clause in the Act, but put simply, information that is made publicly available from government records is exempt.
Exempt information, then, includes such data as census records.
Recap
Let's summarize what we know so far.
The CCPA gives customers more control over how businesses share, process, and use their personal information.
Although the Act primarily affects California residents, businesses which undertake substantial activities in California are subject to the CCPA. Very small businesses are exempt.
The Act doesn't apply to charities or other non-profits, either.
Personal information is any data which can reasonably be linked to an individual or their household. This doesn't include government-sanctioned data collection at federal, state, or local level.
Now we understand what data the CCPA applies to, let's consider what new rights the Act gives individuals, and what new responsibilities commercial businesses must accept.
The CCPA and Consumer Rights
Essentially, existing Privacy Policies must be amended to include specific, detailed information, and new businesses must draft Privacy Policies that include this information:
- What information the business collects
- Why it collects this information, and why it may choose to share this information with, or sell it to, other parties
- Which type of third party the business may share the information with
- How individuals can control the information collected and used
- How the business sourced the information
Privacy Policies under the CCPA are governed by these broad principles, each covered below:
- Disclosure and knowledge
- The right to be forgotten
- Non-discrimination
- Access
- Safeguards
The CCPA and Privacy Policies
Privacy Policies under the CCPA are more onerous than those required under CalOPPA (the California Online Privacy Protection Act):
- It must be clear who the consumer can contact about their data
- Businesses must declare what customer data they've processed in the previous 12 months
- There must be a right to opt out of any data selling
Disclosure and Knowledge
A business must disclose what information it collects, and for what purpose. Aside from disclosing what information the business collects, the two main rules are:
- Businesses must tell consumers if they're selling their personal information, and
- Who they're selling the information to
People have a right to know who profits from their personal information.
The Right to be Forgotten
Everyone has the right to request that a business deletes their data. It's your responsibility to fulfil this request.
Most importantly, customers must understand that they can ask you to delete their personal information. You should ensure that third parties with whom you shared the data delete it, too. Why? Because the CCPA makes you responsible for safeguarding a customer's data.
Non-discrimination
At the heart of the CCPA is the ethos of non-discrimination. Customers must be treated fairly, even if they opt out of sharing data with you. If, for example, a customer refuses to let you sell their personal information, you cannot treat them any differently from how you treat other customers.
Access
There are two points here.
Firstly, you should make consumers aware that they can access the information you hold on them at any time.
Secondly, you must tell customers what data you plan on collecting before you collect it so they can opt out if they wish. It's a good idea to include a pop-up on the landing page explaining what your data policy is. That way, potential customers can leave the site before they share any data (if they so wish).
For reference, here's a good example of a Privacy Notice that pops up on Leaf Group's website as soon as the visitor lands on the homepage:
Safeguards
Data breaches are alarmingly common, but the CCPA holds businesses responsible for the data in their care. Ultimately, if you choose to collect personal information from customers, you are responsible for what happens to it.
A good rule is to only collect as much personal information as you need to for commercial purposes. For example, you don't need someone's passport number for a simple commercial transaction on a website.
Whether your safeguards are robust enough is generally an objective question determined on the facts of each case, but you must take all reasonable steps to keep personal information safe.
CCPA v GDPR: What's The Difference?
The CCPA and the GDPR are very similar. The wording in both Acts is very broad, which offers consumers additional protection and places heavier burdens on businesses.
However, the CCPA is more concerned with data selling than with data protection as such, whereas the GDPR is primarily concerned with transparency and disclosure.
Conclusion
Make it especially clear how California residents can opt out of data sharing, and only collect as much data as you need.