
What Does CCPA Stand for and What Does It Mean for Business?

CCPA stands for the California Consumer Privacy Act (CCPA). It is a data privacy law that ensures consumers in California are aware of which information a business can collect from them.


Mar 07, 2024

The California Consumer Privacy Act (CCPA) is a data privacy law that ensures consumers in California are aware of the information a business can collect from them. It also provides consumers with several key rights regarding the collection and storage of personal information and data.

Since data is one of the most valuable currencies in the world, data privacy legislation plays an extremely important role in protecting consumers from malicious data mining practices.  

For businesses, data privacy regulations define compliance requirements and set the standard for acceptable data security. As such, organizations need to adhere to regulations so they don’t find themselves facing fines or legal backlash due to non-compliance.  

Compliance requirements vary from state to state, so what is considered standard practice in one region might not be acceptable in another. Get started with an Impact compliance specialist today who can help you solidify your data practices while ensuring compliance.

What Does CCPA Cover? 

The California Consumer Privacy Act constitutes the most comprehensive privacy law in the United States.

It covers four key areas:

  • The right to know what businesses use their information for
  • The right to delete information held by businesses
  • The right to opt out of the sale of personal information
  • The right to non-discrimination for exercising their CCPA rights

For example, if you have engaged with a business in the past and you are a resident of California, you have the right to ask that business to provide the information it has collected about you, and also to delete that information.

As consumer expectations regarding privacy grow, the CCPA is among the first of many data protection laws that have swept the country.

The CCPA was passed in 2018 and is aimed at companies that collect and sell personal consumer information.

Intended to give Californians more control over how their data is stored and used, it introduces ground-breaking data protections by giving residents a more substantial say over the fate of their personal information.

But does the CCPA apply only to businesses located in California?

Who Does the CCPA Apply To?

Just as the GDPR affects American companies with European customers, the CCPA can affect non-Californian companies with consumers in the state.

The CCPA applies to any business that operates online and collects data from Californians or does business in California, even if that company is not physically located in California. For the CCPA to apply, a business must meet any one of these three criteria:

  • Generate at least $25 million in annual revenue.
  • Obtain data from 50,000+ customers.
  • Earn at least one half of its annual revenue by selling consumer data.

If a business meets any one of these three criteria, it must comply with the CCPA requirements if its consumers reside in California. Not doing so can result in the business paying CCPA fines.

The Scope of the CCPA Privacy Law

The CCPA grants California consumers critical rights when it comes to the use and sale of their data on the internet. Let’s go into more detail about what each means.

  • The right to access information: Consumers in California are entitled to know which categories of personal information were collected or sold, from where, to whom, and why.
  • The right to data deletion: Consumers in California may request that a company delete the personal data it has collected about them.
  • The right to opt out of data collection or sale: Consumers in California may direct a company not to collect their information or sell it to third parties. The CCPA includes a definition of “sell” that extends beyond a monetary exchange.
  • The right of portability: Individuals may obtain their personal data in a structured, common, and machine-readable format and transfer it freely to another controller.

The CCPA gives Californians a limited ability to sue any business subject to the CCPA when their personal information becomes compromised, typically through a breach.

However, it gives the state Attorney General a much broader ability to sue on behalf of residents.

The CCPA defines personal information as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

In other words, it covers any statistic, action, or piece of knowledge that can be linked to an identifiable individual. This broad definition encompasses almost every action within the digital space.

How Do Privacy Laws Affect Businesses?
The additional criteria above are specifically designed to protect small and medium businesses.

For companies that do not meet one of the three requirements above, CCPA compliance does not apply and their privacy requirements for Californians remain unchanged.

Likewise, the CCPA will not affect SMBs if all aspects of their business take place outside of California, including the sale of personal data. However, if a business meets one of the three criteria above and has even a single California customer, then the CCPA will apply.

Nonetheless, there is significant confusion regarding whether the CCPA applies to a specific business.

A survey of 625 business owners and company executives found that at least 34% of respondents didn't know that the CCPA affected them, while another 22% claimed to “not care.”

If you’re confused, you are not alone. Be sure to consult with experts in the field to ensure you’re compliant if you must be. Non-compliance with CCPA can result in hefty fines.

CCPA violations are subject to penalties of $2,500 for each violation and $7,500 for each intentional violation.

CCPA Compliance

For companies that do collect and sell personal information, CCPA compliance includes:

  • Updating privacy notices and policies. The CCPA requires explicit notification to consumers of the company’s intent to collect and sell information “at or before the point of collection.” This notice must include what information is collected and why.
  • Updating data inventory with new classifications. Data stored on the backend must include records of the information’s sale, transfer to third parties, time of collection and sale, plus an indication of whether the information is covered by HIPAA or another data privacy law.
  • Creating procedures to comply with California consumer rights. Companies need a way for consumers to request access to, deletion of, or opt-out of the sale of their personal information.
  • Reviewing site and business security. The CCPA requires “reasonable” personal data protection. For SMBs, a managed service provider may lighten this burden.
  • Training staff. Train staff on what the CCPA is, what its compliance requirements are, how to handle the new procedures, and how to handle potential incidents.
  • Starting now. Californian consumers can request data collected up to 12 months prior. Businesses must be able to provide records of collected and sold data as far back as January 1, 2019.

What’s the Difference Between CCPA, CalOPPA, and GDPR?

The rights given under the CCPA apply to California “consumers,” meaning residents and employees.

These consumers have the right to access and delete any collected data, and to opt out of future collection by any company with which they do business online.

In contrast, CalOPPA is the California Online Privacy Act of 2003.

It was the first state law in the United States to require commercial websites that collect personal information to post a privacy policy that is visible specifically to California residents.

The law also requires website operators to follow their stated privacy policy.

GDPR is the General Data Protection Regulation established by the European Union in May 2018.

It gives European Union citizens significantly more control over their private data on the internet.

Notably, GDPR updates the way websites acquire consumer consent to gather data, outlines clear guidelines for communicating how personal data is used, and institutes requirements for proof of user consent.

CCPA, CalOPPA, and GDPR are very different in their application and scope.

However, they all have one critical feature in common: they affect more than just Californian and European Union residents respectively.

Any business operating online that has or interacts with residents of either of these two regions is subject to these laws.

Just as the CCPA is not limited to businesses running from California, the GDPR is not limited to businesses located in the European Union. Any global company that handles EU residents' data must be GDPR compliant.


California Consumer Privacy Act: CPRA vs. CCPA

CPRA stands for the California Privacy Rights Act and is also known as Proposition 24. California voters approved this ballot measure in 2020. It amends the CCPA requirements, giving it the nickname "CCPA 2.0."

CPRA adds:

  • The right of rectification, which means consumers can request that a company correct inaccurate information about them.
  • The right of restriction, giving consumers the right to limit the use and disclosure of their sensitive personal information.
  • The right against automated decision-making, which gives consumers the right to opt out of technology “profiling” their work performance, economic status, health, interests, etc.

The CPRA also obliges organizations to conduct risk assessments and prohibits discrimination against consumers who exercise their rights. Although the measure was passed in 2020, most of the CCPA revisions won’t become “operative” until 2023.

However, the provision establishing the California Privacy Protection Agency is already in effect. In essence, this creates a board of five members with expertise in privacy and consumer rights, who will implement and enforce the CCPA.

Final Thoughts on the CCPA  

The CCPA is the most far-reaching and comprehensive data privacy law in the US. It confers certain rights to California consumers regarding the collection, use, and sale of their data online. 

Although the law has certain exemptions designed for smaller, growing companies, it’s important to note that the law can still potentially affect these organizations as well. 

Ultimately, the CCPA requires significant attention be paid to the collection, storage, and sale of consumer data, as well as how businesses inform consumers of these practices.

Though the CCPA and CPRA, CalOPPA, and GDPR all differ in their definitions and protections of user data, they have one major thing in common: they affect the way people around the world do business with people living in these regions.

It’s best to proactively prepare for compliance to avoid litigation. Get started and consult with an expert today to learn what your business needs to do to stay compliant with federal and state laws.
