CCPA: California's GDPR?

by Jennifer L. Legal writer.

Like the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) gives individuals more control over how companies use, collect, store, and process their personal information.

The CCPA is one of the most sophisticated data protection laws in the United States. Crucially, it protects California residents from losing control of their personal information.

Although the law passed in June of 2018, it didn't come into effect until January 1st, 2020. The CCPA is now in force and affects day-to-day business operations, so you'll need to take steps to comply.

Put simply, the CCPA regulates:

  • What information businesses collect
  • Who the business shares the information with
  • Who the business sells the information to
  • Why the business collects the data in the first place
  • How the data is stored and processed
  • The consent that businesses must obtain before they can process personal data

Most importantly, the CCPA makes it compulsory for businesses to draft comprehensive Privacy Policies which inform consumers of their various rights under the Act.

The CCPA applies to businesses wherever they are located. It does not just apply to businesses based in California. The CCPA applies when:

  • A company collects or processes the personal data of people who live in California
  • The company does business, or makes sales, in California

It's clear that the CCPA, like the GDPR, affects businesses across the United States.

Essentially, the CCPA exists because people want more control over what happens to their data when they shop online, visit websites or share their information with other parties.

People want to know that their data is safe and secure, and that businesses collect the least amount of personal data possible.

They also want to know that businesses can't sell their data to third parties without their consent. Regulating the sale and distribution of personal data is at the heart of the CCPA.

On the other hand, businesses need information about their customers to analyse trends, predict growth, and identify new business opportunities. Much like the GDPR, the CCPA attempts to regulate an increasingly complex commercial world while respecting the rights of the individual.

Although the CCPA applies to businesses, it doesn't apply to every business. Businesses that fall below certain thresholds are exempt from the CCPA, because it would be disproportionate for them to comply with the rules.

Before considering the CCPA in detail, then: who does the CCPA apply to?

CCPA: Who it Applies to

The CCPA does not apply to charities or other non-profits.

If you run a for-profit company, and your business meets at least one of the following criteria, you're subject to the CCPA. The criteria are:

  • The business receives 50% or more of its annual revenue from selling the data of California residents
  • The company's yearly gross takings exceed $25 million
  • The company processes, receives, or distributes the data of at least 50,000 California residents each year

Remember, you need only meet one of these thresholds for the CCPA to apply.

As an example, if you run a very small business, but most of your annual revenue comes from selling or distributing personal data from Californians, then the CCPA applies to you.

Conversely, if you're a non-profit operating in California, the CCPA doesn't apply, no matter how much data you process.

So, if you're regulated by the CCPA, you're probably wondering who the Act protects. Its scope is narrower than the GDPR's.

Who the CCPA Protects

The CCPA protects residents of California. It gives these individuals special rights over how businesses process, collect, and distribute their data.

A resident of California is either:

  • Someone domiciled in California who is living or staying elsewhere temporarily
  • Someone staying in California for more than a temporary visit such as a holiday

Examples will help. If someone lives in California but works in another state for a few months, they're still a California resident, which means they're protected by the CCPA.

If, on the other hand, someone lives in Ohio, but they're visiting California for a vacation, or they're staying in a hospital there for a medical procedure, the CCPA does not protect them.

It's helpful to see an example of a clause from a Privacy Policy to see this distinction in action. In the below clause, it's clear that California residents have the right to request the information stored about them. They can also ask how this information is shared.

CDA Privacy Policy: Your California Privacy Rights clause

The CCPA and the GDPR both offer protection for individuals wherever they're located in the world, provided they meet the eligibility criteria. However, the GDPR protects a wider demographic than the CCPA.

Now that we're clear on who the CCPA protects, we can ask the next question: what information is covered by the CCPA?

CCPA and Personal Information

The CCPA regulates how a business processes, stores, and shares what's known as personal information. So, what is personal information? Let's look at what Section 1798.140 of the CCPA says.

The CCPA defines personal information broadly, just like the GDPR. Essentially, personal information is data that can identify a person or a household.

Yes, that's right. A household.

Privacy rights under the CCPA go further than the GDPR, which only protects the individual, not the household.

Here's what the CCPA's definition of personal information looks like:

California Legislative Information: CCPA text - Personal Information definition section

The Act then goes on to describe the kind of data that falls under personal information, but it's worth remembering that this is a non-exhaustive list.

Data protected by the CCPA includes:

  • Names
  • Social security and passport numbers
  • Addresses (including IP addresses)
  • Biometric data such as fingerprints and blood types
  • Employment information
  • Purchase records
  • Browsing history

For example, a surname may identify a household, and a passport number identifies an individual.

Public Record Exceptions

Some personal data is exempt from CCPA regulation. It's a fairly dense and complex clause in the Act, but put simply, information that is made publicly available from government records is exempt.

California Legislative Information: CCPA text - Personal Information exceptions definition section

Exempt information, then, includes such data as census records.

Recap

Let's summarize what we know so far.

The CCPA gives customers more control over how businesses share, process, and use their personal information.

Although the Act primarily protects California residents, any business which undertakes substantial activities in California is subject to the CCPA, wherever it is based. Very small businesses are exempt.

The Act doesn't apply to charities or other non-profits, either.

Personal information is any data which can reasonably be linked to an individual or their household. This doesn't include information made publicly available in government records at federal, state, or local level.

Now we understand what data the CCPA applies to, let's consider what new rights the Act gives individuals, and what new responsibilities commercial businesses must accept.

The CCPA and Consumer Rights

Under the CCPA, consumers are given a number of rights. Businesses are required to write and publish a Privacy Policy. Privacy Policies aren't new. An earlier Act, the California Online Privacy Protection Act (CalOPPA), required businesses to produce Privacy Policies.

But what's different about the Privacy Policy requirement under the CCPA?

Essentially, existing Privacy Policies must be amended to include specific, detailed information. New businesses must draft Privacy Policies to include this information.

The information included in the Privacy Policy must cover five broad topics:

  • What information the business collects
  • Why it collects this information, and why it may share this information with, or sell it to, other parties
  • Which types of third party the business may share the information with
  • How individuals can control the information collected and used
  • How the business sourced the information

Most importantly, consumers must be able to access the Privacy Policy easily. It must also be very clear whether vendors sell the personal data they collect, so that consumers can opt out of this.

As with the example below from Vans, providing a link to the Privacy Policy in the website footer is a great way to discreetly publish the Policy without ruining the look and feel of your site.

Vans website with footer links: Privacy Policy highlighted

Depending on the business you're running, it might make sense to break the Privacy Policy into smaller documents for readability, like with this example from Marina:

Marina Plastic Surgery website footer with multiple links for Privacy Policies

What's the reasoning behind these Privacy Policy changes? Let's look at the principles in more detail.

Privacy Policies under the CCPA are governed by these broad principles:

  • Disclosure
  • The right to be forgotten
  • Non-discrimination
  • Access

So, how do these principles work in practice, and how do they influence your Privacy Policy?

The CCPA and Privacy Policies


As mentioned, the Privacy Policy requirements under the CCPA are more onerous than those under CalOPPA:

  • The Privacy Policy must be updated every 12 months
  • It must be clear who the consumer can contact about their data
  • Businesses must declare what customer data they've processed in the previous 12 months
  • There must be a right to opt out of any data selling

Here's a good example of a California-focused clause from Vans' Privacy Policy. As you can see, the retailer makes it very clear that California residents have enhanced rights, and that they can enforce these rights by taking certain steps:

Vans Privacy Policy: California residents clause

Other retailers, such as The Gap, make it obvious from the homepage that California residents have a special Privacy Policy, which is a very effective strategy:

Gap website footer links with California Privacy Rights link highlighted

Disclosure and Knowledge

A business must disclose what information it collects, and for what purpose. Aside from disclosing what information the business collects, the two main rules are:

  • Businesses must tell consumers whether they sell their personal information, and
  • Businesses must tell consumers who they sell the information to

People have a right to know who profits from their personal information.

The Right to be Forgotten

Everyone has the right to request that a business deletes their data. It's your responsibility to fulfil this request.

Most importantly, customers must understand that they can ask you to delete their personal information. You should ensure that third parties with whom you shared the data delete it, too. Why? Because the CCPA makes you responsible for safeguarding a customer's data.

Non-discrimination

At the heart of the CCPA is the ethos of non-discrimination. Customers must be treated fairly, even if they opt out of sharing data with you. If, for example, a customer refuses to let you sell their personal information, you cannot treat them any differently from how you treat other customers.

Access

There are two points here.

Firstly, you should make consumers aware that they can access the information you hold on them at any time.

Secondly, you must tell customers what data you plan on collecting before you collect it so they can opt out if they wish. It's a good idea to include a pop-up on the landing page explaining what your data policy is. That way, potential customers can leave the site before they share any data (if they so wish).

For reference, here's a good example of a Privacy Notice that pops up on Leaf Group's website as soon as the visitor lands on the homepage:

Leaf Group Privacy Notice: Third party vendors section

Violating the CCPA is costly. Businesses face fines of up to $2,500 for accidental infringements, and up to $7,500 for intentional infringements. To protect your business, draft an airtight, CCPA-compliant Privacy Policy.

Safeguards

Data breaches are alarmingly common, but the CCPA holds businesses responsible for the data in their care. Ultimately, if you choose to collect personal information from customers, you are responsible for what happens to it.

A good rule is to only collect as much personal information as you need to for commercial purposes. For example, you don't need someone's passport number for a simple commercial transaction on a website.

Whether your safeguards are robust enough is generally an objective question determined on the facts of each case, but you must take all reasonable steps to keep personal information safe.

CCPA v GDPR: What's The Difference?

The CCPA and the GDPR are very similar. The wording in both Acts is very broad, which offers consumers additional protection and places heavier burdens on businesses.

However, the CCPA is more concerned with data selling than simple data protection. On the other hand, the GDPR is primarily concerned with transparency and disclosure.

Conclusion

Businesses must comply with the CCPA and how it's changing data processing. The first thing you should do is revise your existing Privacy Policy and ensure it's comprehensive, clear, and transparent.

Make it especially clear how California residents can opt out of data sharing, and only collect as much data as you need.

Last updated on 23 June 2020
