California Consumer Privacy Act (CCPA) Business Guide

Data has been described as “the new currency,” and many businesses are still learning how to harness its power. At the same time, consumers are becoming more aware of the amount of data businesses collect. Concerns over privacy and safety have led governments around the world to begin passing data privacy laws.

California Consumer Privacy Act (CCPA) regulation applies to companies and organizations doing business in California that meet certain requirements.

The California Consumer Privacy Act (CCPA), passed on June 28, 2018, brings regulation similar to the EU’s GDPR to businesses in the state of California and is considered to be the most comprehensive privacy law in the USA. Effective as of January 1, 2020, the regulation is designed to minimize unauthorized data use, provide transparency and give consumers more control over their personal information.

How should businesses handle data privacy?

Consumer protection is the main goal of data privacy laws. For businesses, this means making privacy an integral part of company goals, objectives and processes. Because data plays a role in everything from marketing initiatives to customer service, this could require restructuring common business processes to comply with privacy regulations.

However, true protection goes beyond basic compliance. Complying simply to avoid fines ignores the larger objective of helping customers feel safe when conducting transactions. By committing to a data privacy policy that prevents the use of customer information for anything beyond the purpose for which it was shared, businesses avoid overstepping privacy boundaries, reduce breach risk and establish trust with both customers and stakeholders.

Why is data privacy important to individuals?

Data privacy laws clarify the rights of anyone who shares information with a business or organization and put data back under personal control. Customers, students and patients have the power to decide who sees and uses:

• Names and aliases
• Account names
• Addresses
• Email addresses
• Social security numbers
• Driver’s license numbers
• Passport numbers
• Personal health records

Other identifying information may also be protected as per the wording of specific regulations.

Under such laws, owners of data can grant or revoke the privilege of seeing, sharing, selling and otherwise handling identifying information. Individuals are also assured that only data needed for transactions and interactions is collected. Together, these regulations create better relationships and establish a safer digital environment.

The CCPA accomplishes these goals by allowing California residents to:

• Know what data is being collected about them
• Know whether data is being sold or disclosed and to whom
• Opt out of all data sales
• Access their own personal data at any time
• Request deletion of collected data
• Not be subject to discrimination for taking actions to preserve data privacy

Who should care about CCPA compliance?

CCPA may impact any organization collecting personal data for the purpose of selling goods or providing services. This includes businesses, educational institutions and healthcare providers, as well as groups engaged in market research, social research and research and development activities.

The CCPA defines personal data as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes:

• Personal property records
• Past purchasing behaviors
• Browser and search history
• Website interactions
• Geolocation information
• Professional and/or employment data
• Privately available education information
• IP addresses
• Cookie IDs
• Biometric data

Businesses often use such data to build customer personas—semi-fictitious “psychographic profiles” of their audiences—for marketing purposes. The CCPA classifies even these profiles as protected information, which could have a significant effect on how companies research, track and market to their prospects.

Which businesses must comply with CCPA?

CCPA data privacy regulation applies to companies and organizations doing business in California that also meet at least one of the following criteria:

• Earning a gross annual revenue of $25 million or more
• Buying, receiving or selling the personal information of 50,000 or more consumers and/or households
• Earning more than half of annual revenue from selling consumers’ personal information

“Doing business” encompasses any activity in which a business “determine[s] the purposes or means of processing” data on its own or in collaboration with other entities. This includes, but isn’t limited to, deciding:

• To collect or process personal data
• What types of personal data to collect
• Whose data to collect
• To process data as part of a contract

Online businesses must be particularly diligent in assessing data collection activities to determine whether CCPA compliance is required. Because online entities collect and process consumer data on a regular basis, any business meeting CCPA criteria and interacting with customers in the state of California is likely to be subject to the regulation.

Compliance costs and penalties

According to an official publication from the California State Department of Justice, initial CCPA compliance is expected to cost $55 billion. Ongoing costs could range from $467 million to $16 billion from 2020 to 2030. Failure to comply also carries a hefty price tag: businesses could be charged up to $7,500 per violation in the event of a data breach.

Businesses and organizations notified of noncompliance have 30 days to address the issue before penalties are applied. Should an entity fail to respond, the state attorney general is authorized to initiate a civil case to resolve the matter.

What are the CCPA compliance requirements?

Entities falling under CCPA jurisdiction are required to create and post a privacy policy on their websites. This policy must include:

• What information is collected and processed and why
• How collection and processing is conducted
• Details of data sales
• How individuals can request data access and change, move or delete their data
• A method to verify identities in the event of such requests
• An option to opt out of personal data sales

Annual policy updates are required to reflect any changes in the way data is collected, handled, processed or sold. In addition, website homepages must include a “do not sell my personal information” link leading to a page where consumers can prevent the sale of personal data for 12 months or more. Even when consumers have not opted out, businesses are still required to obtain consent before selling the data of 13- to 16-year-olds, and the consent of a parent before selling the data of anyone under the age of 13.

Preparing for compliance provides businesses with greater data visibility and reduces or eliminates unnecessary data, which not only improves data privacy but may also reduce breach risk. While compliance alone isn’t enough to keep hackers at bay, incorporating compliance measures into cybersecurity protocols results in a more robust approach to breach prevention and mitigation.

Is the CCPA a forerunner of federal data protection regulations?

California isn’t the only state introducing data privacy laws. In 2019, New York, Massachusetts, Texas and Washington were also focused on developing legislation to give consumers greater control over personal information. However, no federal regulation similar to the GDPR yet exists in the U.S.

This may change in the future in response to growing consumer demand for data privacy. A single nationwide privacy law would unify compliance requirements, provide consumers with clarity and simplify enforcement across state lines.

For now, businesses required to comply with CCPA should already have measures in place to enable greater consumer control over data. For companies outside the state, CCPA provides a potential framework for future data privacy regulations. Starting preparations now will ensure proper systems and protocols are in place to support compliance with eventual federal regulations.
