Having taken effect on January 1st of 2020, the California Consumer Privacy Act (CCPA) is widely regarded as one of the most expansive privacy laws in the United States to date. The CCPA places limitations on the collection and sale of a customer’s personal information, while also providing certain legal protections when it comes to that same personal information. But the CCPA isn’t just a US version of the EU’s General Data Protection Regulation (GDPR). While you won’t have to start all over if you’re prepared for GDPR, that doesn’t mean you have all your bases covered for CCPA.
In this blog we’ll be covering the basics of the CCPA, how it compares with GDPR and some of the FAQ’s that have arisen around each and their implementation in US businesses working domestically and internationally.
Who does the CCPA apply to?
The CCPA applies to any business that satisfies one or more of the following conditions:
- Does business in the state of California
- And satisfies one of the following criteria:
- Annual gross revenue in excess of $25 million;
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of at least 50,000 consumers, households, or devices; or
- Derives at least 50 percent of its annual revenues from selling consumers’ personal information.
The biggest differences between the GDPR and CCPA lie in the scope of the application, the extent of collection limitations and the rules around accountability for breaches and challenges for non-compliance. In this chart, you’ll see some of the subtle, but important differences between the GDPR and the CCPA.
Protects EU residents from companies located inside or outside of EU.
Covers the processing and collecting and application of personal data.
Protects CA residents and applies to companies with >$25mil in revenue, derives 50% of revenue from customer’s personal information or processes info on >50,000 residents
Covers the collection, processing and sale of Personal information.
|Personal Data/Information||Defined as any information relating to a person, including publicly available data.||Defined as information that relates, describes, or can be linked directly or indirectly with a person or household.|
|Rights to Access/Disclosure||Requires businesses to inform customers of the rights at the point of collection.||Requires businesses to inform customers at or before the point of collections as to the categories of Personal information to be collected and the purposes of collection.|
|Opt Out||Customers may request the restriction of any type of personal data.||Businesses must provide notice of opt-out rights and provide consumers the right to opt-out of sale of the PI, but not the collection of it. They must provide a ‘Do not sell my personal information’ link on their home page.|
|Data Protection Impact Assessment (DPIA)||Requires a DPIA for any processing likely to risk a subject’s data rights.||No DPIA is required but it is the responsibility of the business to implement and maintain security measures appropriate to protect a customer’s information.|
Frequently Asked Questions
Does this apply to businesses not located in California?
A business does not need to be located in the state of California to be subject to CCPA. This means any business that is ‘doing business’ via online transactions with California residents or has employees that live in the state.
Can companies be fined for non-compliance?
The private right of action in the CCPA is limited to data breaches. Under the private right of action, damages can come in between $100 and $750 per incident per consumer. The California AG also can enforce the CCPA in its entirety with the ability to levy a civil penalty of not more than $2,500 per violation or $7,500 per intentional violation.
I don’t think we really collect personal information. Does the CCPA apply?
CCPA has an extremely broad description of what constitutes personal information. If you collect resumes for job postings, your website tracks cookies or if you have a ‘Contact Us’ form on your website you are collecting personal information.
Is there an exemption for B2B businesses?
Sort of. B2B Companies are given a limited reprieve from complying with each of the requirements of the CCPA when it comes to the transactions and communications with other organizations, companies and government agencies. Personal information that is collected in the course of B2B communications or transactions from or about an employee, owner, director, officer or contractor of a business or government agency is exempt from most CCPA requirements. But this exemption will expire at the end of 2020. Even if your B2B company is not selling business contact information you still need to determine to what extent the information you collect for marketing purposes must comply with CCPA.
How to cover your bases?
The CCPA requires companies to keep detailed records of all personal information categories dating back to January 1, 2019. You should begin to inventory all the data you have collected since that date. You will also need to update your privacy notices and add a “Do Not Sell My Personal Information” link to your home page.
Additional Resources for Business Owners
Magento also provides an excellent, more detailed guide to making sure your site is GDPR and CCPA compliant. It is available here.
For an even greater in-depth review of the CCPA law, please consult this great article from the National Law Review.
While the CCPA has some restrictions that currently limit it to the state of California, there is little doubt that it will have reverberations across the US and the world. California is, after all, the 5th largest economy on earth. With something as complicated as this new law and as important as your business we recommend that you consult with your attorney to confirm if CCPA applies to your business before taking action on compliance.