As the United States' first comprehensive data privacy law, the California Consumer Privacy Act (CCPA) is a landmark piece of legislation. It promotes transparency on the part of businesses and gives Californians more control over how their personal data is collected, used, and sold.

For consumers, this means they will be able to find more details in a business's privacy policy regarding what personal information is being collected, why it is collected, and whether that information is disclosed to other parties. They also have the right to make certain privacy requests: requests to know what personal information has been collected, requests to delete that information, and requests to opt out of the sale of their personal information.

For businesses, being CCPA compliant means honoring these consumer privacy rights. They must carefully examine their data collection and usage practices, make all the necessary disclosures in their privacy policy, and respond to privacy requests in a way that meets all legal requirements. They must also institute reasonable cybersecurity measures to prevent data breaches.

Here are the CCPA's key features at a glance.

Want to learn more? Read our Complete CCPA Guide.

Who Has Rights Under the CCPA?

As a California law, the CCPA grants privacy rights to California residents ("consumers"), defined as:

• Every individual who is in the state for other than a temporary or transitory purpose
• Every individual domiciled in the state who is outside the state for a temporary or transitory purpose

It's an inclusive definition that does not require a business-customer relationship. Employees and job applicants are considered consumers, just like anyone else.

Which Businesses Must Follow the CCPA?

The CCPA's definition of a business is a for-profit entity that collects personal information, does business in California, and meets at least one of these three thresholds:

1. Gross annual revenue in excess of $25 million
2. Annually buys, sells, or shares the personal information of 100,000 or more consumers or households
3. Derives more than 50% of its annual revenues from selling or sharing consumers' personal information

The third threshold requirement can be a bit deceptive. Under the CCPA’s definition, “sharing” personal information covers a lot of everyday activity, including the use of interest-based advertising. For example, when a customer clicks on a retargeting ad and makes a purchase, that revenue is “derived” from selling consumers’ personal information and should be included in this threshold calculation.

In some limited circumstances, the CCPA can also The California Privacy Protection Agency

Does the CCPA Have a Private Right of Action?

The CCPA does not create a private right of action for consumers to sue businesses over violations of their privacy rights. However, it does create a private for consumers in the event of a data breach. According to the CCPA, consumers can sue a business if their nonencrypted and nonredacted personal information is subject to unauthorized access due to the business's failure to implement and maintain reasonable security procedures. Plaintiffs can recover statutory damages of up to $750 per consumer per incident, or actual damages, whichever is greater. This provision is likely to give rise to a new type of class-action lawsuit.

Read more:

CCPA Private Rights of Action

Is CCPA the Same as GDPR?

The CCPA takes a lot of inspiration from the European Union's General Data Protection Regulation (GDPR), but they are not identical. They use different definitions, have slightly different consumer rights, and are enforced differently. In many ways, the GDPR is more stringent, so businesses that are already compliant with the European law should find it easy to become CCPA compliant.

Read more:

Getting CCPA Compliant

Learn GDPR

How to Prepare Your Business for CCPA Compliance

Becoming CCPA compliant requires an examination of your business's current data practices from every angle, as well as a complete understanding of how the law's various components work together. The process can be divided into four steps:

1. Data Mapping - This is an in-depth analysis of where your business collects consumer data, how the information is stored, and when it is disclosed to outside parties. Your compliance team must also decide what data qualifies as personal information, and what falls under the law's exceptions (publicly available information, HIPAA medical information, etc.).
2. Classifying Vendors - Businesses must review their contracts with every vendor that receives consumers' personal information and determine whether the vendor qualifies as a CCPA service provider. Otherwise, the transaction may be considered a sale of personal information.
3. Updating Privacy Policies - The CCPA requires businesses to inform consumers as to what information is being collected and how it is used, and include it all in their privacy policy. Though this step seems relatively straightforward, it can't be fully implemented until the previous two steps are completed.
4. Responding to Consumer Requests - Depending on your business, consumer requests may be more or less frequent, but they all have a number of rules and exceptions that businesses should be aware of. Planning out responses in advance will help ensure they meet all of the legal requirements.

Read more:

Getting CCPA Compliant

Staying CCPA Compliant

Getting Started with CCPA Compliance

‍