What Does CCPA Stand for and What Does It Mean for Business?
What Does CCPA Stand For? CCPA stands for the California Consumer Privacy Act (CCPA). It is a data privacy law that ensures consumers in California are aware of which information a business can collect from them. It also gives these consumers the right to ask for disclosure.
The California Consumer Privacy Act constitutes the most comprehensive privacy law in the United States.
It covers four key areas:
- The right to know what businesses use their information for
- The right to delete information held by businesses
- The right to opt out of the sale of personal information
- The right to non-discrimination for exercising their CCPA rights
For example, if you have engaged with a business in the past and you are a resident of California, you have the right to ask that business to provide you the information about you they collected, and also to delete that information.
As awareness grows of consumer expectation regarding their privacy, CCPA is among the first of many data protection laws which has swept the country.
The CCPA was passed in 2018 and is aimed at companies which collect and sell personal consumer information.
Intended to give Californians more control over how their data is stored and used, it introduces ground-breaking data protections by giving residents a more substantial say over the fate of their personal information.
But, does CCPA apply only to businesses located in California?
Who Does the CCPA Apply To?
Like GDPR will affect American companies with European customers, CCPA can affect non-Californian companies with consumers in the state.
CCPA is concerned with any businesses which operates online and collects data from Californians or does business in California—even if that company is not physically located in California. For the CCPA to apply, a business must meet any one of these three criteria:
- Generate at least $25 million in annual revenue.
- Obtain data from 50,000+ customers.
- Earn at least one half of its annual revenue by selling consumer data.
If a business falls under any of these three criteria, they must meet the CCPA requirements if their consumers reside in California. Not doing so can result in a business paying CCPA fines.
Related Blog: Who Needs CMMC Certifications?
The Scope of the CCPA Privacy Law
The CCPA grants California consumers critical rights when it comes to the use and sale of their data on the internet. Let’s go into more detail about what each means.
- The right to access information: Consumers in California are entitled to know which categories of personal information was collected or sold, from where, to whom, and why.
- The right to data deletion: Consumers in California may request that a company deletes the personal data it has collected about them.
- The right to opt out of data collection or sale: Consumers in California may direct a company to not collect or sell their information to third parties. The CCPA includes a definition of “sell” which extends beyond a monetary exchange.
- Right of Portability: It allows individuals to obtain their personal data in a structured, common, and machine-readable format and to transfer this personal data freely to another controller.
The CCPA gives Californians a limited ability to sue any business subject to CCPA when their personal information becomes compromised, typically through a breach.
However, it gives the state Attorney General much more general ability to sue on behalf of residents.
The CCPA defines personal information as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
In other words, any statistic, action, or piece of knowledge which can be linked to an identifiable individual. This broad definition encompasses almost every action within the digital space.
How Do Privacy Laws Affect Small Businesses?
The additional criteria above are specifically designed to protect small and medium businesses.
For companies which do not meet one of the three requirements above, CCPA compliance does not apply and their privacy requirements for Californians remain unchanged.
Likewise, CCPA will not affect SMBs if all aspects of their business take place outside of California, including the sale of personal data. However, if that business meets one of three criteria above and has even a single California customer, then CCPA will apply.
Nonetheless, there exists significant confusion regarding whether CCPA will apply to a specific business.
A survey of 625 business owners and company executives found that at least a 34% of respondents didn’t know if CCPA affected them, while another 22% claimed to “not care.”
If you’re confused, you are not alone. Be sure to consult with experts in the field to ensure you’re compliant if you must be. Non-compliance with CCPA can result in hefty fines.
CCPA violations are subject to penalties of $2,500 for each violation and $7500 for intentional violations.
How SMBs Can Be Compliant with CCPA?
SMBs which are on the path towards or already are GDPR-compliant will find CCPA compliance slightly easier, even though the latter has a broader scope.
For companies which do collect and sell personal information, CCPA compliance includes:
- Updating privacy notices and policies. The CCPA requires consumer explicit notification of the company’s intent to collect and sell information “at or before the point of collection.” This notice must include what information is collected and why.
- Updating data inventory with new classifications. Data stored on the backend must include records of the information’s sale, transferal to third parties, time of collection and sale, plus indication if the information is covered by HIPAA or another data privacy law.
- Creating procedures to comply with California consumer rights. Companies need a way for consumers to request access to, deletion of, or opt out of the sale of their personal information.
- Reviewing site and business security. The CCPA requires “reasonable” personal data protection. For SMBs, a managed service provider may lighten this burden.
- Training staff. Train staff on what CCPA is, what its compliance requirements are, how to handle the new procedures, and how to handle potential incidents.
- Starting now. Californian consumers can request data collected up to 12 months prior. Businesses must be able to provide records of collected and sold data as far back as January 1, 2019.
What’s the Difference Between CCPA, CalOPPA, and GDPR?
The rights given under CCPA apply to California “consumers,” meaning residents and employees.
These consumers have the right to access and delete any collected data, plus opt out of future collection by any company with which they do business online.
In contrast, CalOPPA is the California Online Privacy Protection Act of 2003.
GDPR is the General Data Protection Regulations established by the European Union in May 2018
It gives European Union citizens significantly more control over their private data on the internet.
Notably, GDPR updates the way websites acquire consumer consent to gather data, outlines clear guidelines for communicating how personal data is used, and institutes requirements for proof of user consent.
CCPA, CalOPPA, and GDPR are very different in their application and scope.
However, they do all have one critical feature in common—they affect more than just Californian and European Union residents respectively.
Any business operating online which have or interact with residents of either of these two regions find themselves subject to these laws.
Just like the CCPA is not limited to businesses running from California, The GDPR is not limited to businesses located in the European Union. Any global company that handles EU residents’ data must be GDPR compliant.
California Consumer Privacy Act: CPRA vs. CCPA
CPRA stands for California Consumer Privacy Act. It is also known as Proposition 24. California voters approved this ballot measure in 2020. It adds amends to CCPA requirements, giving it the nickname “CCPA 2.0.”
- Right of Rectification, which means consumers can request a company to change incorrect information about them
- Right of Restriction, giving consumers the right to limit the use and disclosure of their sensitive personal information
- Right against automated decision making, which gives consumers the right to opt out of technology “profiling” their work performance, economic status, health, interests, etc.
CPRA also puts in place an obligation for organizations to conduct a Risk Assessments and Prohibition of Discrimination. Although the measure was passed in 2020, most of the CCPA revisions won’t become “operative” until 2023.
However, the provision establishing the California Privacy Protection Agency is in effect. In essence, this creates a board of five members with expertise in privacy and consumer rights, who will implement and enforce the CCPA.
Related Infographic: MSP vs. MSSP – The Key Differences
The CCPA is the most far-reaching and comprehensive data privacy law in the US. It confers certain rights to California consumers regarding the collection, use, and sale of their data online.
Although the law has certain exemptions designed for SMBs, it can still potentially affect these companies.
CCPA requires significant changes to how notices are given to consumers, as well as how businesses store, classify, and protect personal information.
Though the CCPA and CPRA, CalOPPA, and GDPR are all different in their definitions and protections of user data, they do have one major thing in common: they affect the way people around the world do business with people living in these regions.
It’s best to proactively prepare for compliance to avoid litigation. Consult with an expert today to learn what your business needs to do to stay compliant with the federal and stat laws.
Upholding compliance and cybersecurity can be a complex subject. Watch this video featuring a subject expert, Jeff Leder on Cybersecurity Management, to learn how a managed cybersecurity service can handle compliance while you focus on your business.