California Consumer Privacy Act (CCPA)

16 October, 2023

Privacy laws in the United States are continuously developing, especially for Californians. Some aspects of the regulations governing collecting personal data from California residents are more stringent than the European General Data Protection Regulation (GDPR).

To effectively comply with the privacy safeguards offered by the California Consumer Privacy Act (CCPA), companies within and outside the United States need to understand its requirements comprehensively. The CCPA is one of the pioneering pieces of legislation addressing the country’s digital consumer data privacy rights.

What is CCPA?

The CCPA took effect on January 1, 2020, to safeguard the data privacy rights of California residents. Companies must give consumers more information about how their data is collected, stored, and used. The primary goal is to improve transparency and give customers control over their confidential data, so that residents can check whether their data is sold or shared with any third party. The CCPA also gives customers the right to opt out of practices they object to.

Who is Affected by the CCPA Regulation?

The California Consumer Privacy Act applies to businesses, defined as ‘for-profit legal entities’ that collect and sell customers’ confidential data.

The CCPA regulations apply to businesses that meet any of the below-mentioned criteria:

  • Have a gross revenue of over $25 million annually
  • Receive, sell, or buy customers’ personal data from over 50,000 California devices, households, or residents
  • Generate over 50% of the annual profits by selling the confidential information of California residents

Moreover, California legislators have incorporated clauses to exempt companies already subject to federal data protection laws. The exempted entities are:

  • Insurers and healthcare providers that fall under the Health Insurance Portability and Accountability Act (HIPAA)
  • Credit reporting agencies that are subject to the Fair Credit Reporting Act
  • Banks and financial institutions covered by the Gramm-Leach-Bliley Act

What are the CCPA Requirements?

The CCPA imposes specific requirements on firms regarding clients’ privacy rights related to their confidential information.

Here are the fundamental CCPA compliance requirements:

  1. Right to Disclosure: Whenever a company collects a consumer’s data protected by the CCPA, it must inform the consumer of its intentions at or before the point of collection.
  2. Right to Access: Customers have the right to access their data, and companies must provide them with the information within 45 days of the request.
  3. Right to be Forgotten: The California Consumer Privacy Act requires corporations to delete customers’ personal information whenever they request it, except when keeping the data is essential to comply with regulations.
  4. Right to Contact Information: Businesses must inform their consumers where they can get information related to CCPA compliance and the privacy policy. Furthermore, companies should provide clients with a toll-free telephone number they can use to exercise any CCPA rights.
  5. Opt-out of Data Marketing and Sales: When a firm sells visitors’ confidential data, it must give consumers the choice to opt out of that sale. Companies should maintain a web page that clearly features the opt-out option, ideally linked from the privacy policy page.
  6. Right to Fair Treatment: Firms must not discriminate against users based on whether they exercise their CCPA consumer rights.
  7. Periodic Privacy Policy Updates: Companies must update their data privacy policies every 12 months. This ensures that customers are aware of any changes in how firms collect, sell, process, or handle data compared to the previous policy, and of whether they are gathering more information than previously disclosed.

What are the Penalties for Violating CCPA? 

Civil penalties for not abiding by the CCPA start at $2,500 for every unintentional violation. When non-compliance is determined to be intentional, the fines can increase to $7,500 for each violation. Moreover, companies have a specific timeframe in which to respond to violations: under the California Consumer Privacy Act, if a business rectifies non-compliance within a month of receiving notice of the breach, it gets a warning; if it does not resolve the issue within that month, it becomes subject to heavy financial penalties.

CCPA Compliance Checklist

Below are several suggestions and steps to help you fulfill the requirements of the California Consumer Privacy Act:

1. Preparation

  • Identify and categorize the data assets
  • Familiarize your team with the newly granted consumer rights
  • Perform a thorough data risk assessment
  • Examine your systems to uncover concealed data
2. Implementation

  • Revise and update your firm’s data privacy policy
  • Put in place processes to address consumer rights
  • Fine-tune permission and access controls
  • Deploy AI-based systems as per the company’s unique requirements
3. Maintenance

  • Regularly check and update the privacy policy 
  • Conduct ongoing CCPA training for your team
  • Routinely eliminate unnecessary data
  • Streamline processes related to responding to consumer rights requests
