CCPA stands for California Consumer Privacy Act. It came into effect on January 1, 2020, in the state of California, United States. CCPA compliance is designed to enhance privacy rights and consumer protection for California residents.
The CCPA grants various rights to California residents and regulates the actions of businesses that collect or sell personal information. However, it leaves the consequences of third-party processing of consumer data somewhat open to interpretation. This prompted an amendment to the CCPA, which has come to be known as the California Privacy Rights Act (CPRA).
The California Privacy Rights Act (CPRA), which became effective in January 2023, expands on a few key elements of the existing California Consumer Privacy Act (CCPA) by further protecting consumers’ privacy. The CPRA supplements – but neither replaces nor repeals – the existing framework provided by the CCPA.
In this guide, we explain everything you need to know about CCPA compliance and what you need to do to align with its requirements.
Please note: the compliance section of this guide has been updated to align with the amended version of the CCPA which is currently in force — the CPRA.
The California Consumer Privacy Act is a comprehensive data privacy law, designed to enhance privacy rights and consumer protection for California residents.
The main purpose of CCPA is to provide individuals with greater control over their personal information and to regulate how businesses collect, use, and share that information.
As already mentioned, the CCPA was amended to address requirements that had been left open to interpretation. In January 2023, the California Privacy Rights Act (CPRA) came into force, amending and supplementing the CCPA.
The CPRA builds on the protections provided by the CCPA, but it introduces new requirements for businesses.
Here are a few key differences:
Under the scope of the California Consumer Privacy Act, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
In general, CCPA compliance is needed when BOTH of the following conditions apply:
However, you need to make sure your business falls within the scope of the CCPA. To do that, let’s have a closer look at the key definitions.
Under the CCPA, a “consumer” is defined as a natural person who is a California resident.
Under the scope of the California Consumer Privacy Act, a “business” is defined as a for-profit organization that collects personal information of consumers, determines the purposes and means of the processing, targets California residents (whether or not the business is actually based in California), and meets at least one of the following requirements:
Sale within the context of CCPA compliance is defined as: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”.
While the CCPA does not currently explicitly define “valuable consideration”, under Californian contract law it is defined as “[a]ny benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.” (Cal. Civ. Code § 1605).
Within this context, “valuable consideration” can be broadly interpreted as covering all agreements where personal information is exchanged and the transferring entity receives any benefit to which it would not be legally entitled without the agreement.
CalOPPA has not been repealed by the CCPA and still applies. Take note of this even if the definition of “business” above does not apply to you: you may still need to comply with CalOPPA, or both laws may apply to you.
Some have called the CCPA “the California GDPR”, so here’s how these two privacy laws actually compare:
| | CCPA | GDPR |
|---|---|---|
| Enforcing body? | The attorney general of the state of California, USA. | National (EU member state) data protection agencies. |
| Who needs to comply? | Any for-profit business that targets Californian consumers and either: | Any entities (non-profit or otherwise – including NGOs, individuals, and public entities) that target EU consumers, or which are based in the EU. |
| What types of data are protected? | Any data that relates to, or is capable of being associated with, a particular consumer or household, with the exception of public government records. | Any data that can lead to the identification of an individual. |
| Are IP addresses considered Personal Data? | | |
| Consent required before processing? | Only in the case of minors and in cases of previous opt-out. | Yes, unless another legal basis legitimately applies. |
| Must businesses give consumers the option to opt-out or withdraw consent? | Yes, must provide a DNSMPI link and honor opt-out requests. | Users have both the right to withdraw consent and the right to object to processing (potentially applicable even in cases where the processing is justified using a legal basis other than consent). |
| Protections also apply to business-to-business (B2B) interactions? | No, CCPA protections apply to consumers only. | The GDPR makes no differentiation between protections applied to B2B and B2C (business-to-consumer) interactions; it simply applies its protections to “data subjects”, who are defined as any “identifiable natural persons” residing in the EU. |
| Security requirements? | The CCPA lists no specific security requirements but gives consumers the explicit right to bring suit for damages resulting from a business’ failure to implement appropriate security practices. | The GDPR requires both controllers and processors to implement security methods appropriate to the particular risk involved. Security methods should be “state of the art”, implying that they should be on par with the latest standards. |
| Penalties of non-compliance? | Fines of up to $7,500 per individual violation. The CCPA also gives consumers the right to bring suit for damages. | Fines of up to EUR 20 M (22 M USD) or 4% of annual global revenue – whichever is greater – plus potential audits and sanctions. The GDPR also gives data subjects the right to sue if their rights were violated. |
| Applicable users’ rights at a glance | | |
| Right to be informed | | |
| The right of access | | |
| The right to portability | | |
| The right to rectification | × | |
| The right to be deleted | | |
| The right to object | Somewhat covered by the right to opt-out | |
Under CCPA, consumers have specific rights that you must respect to achieve CCPA compliance.
The California Privacy Protection Agency has recently unveiled a new website, aimed at providing Californians with comprehensive information about their privacy rights. This online platform serves as a key resource for understanding the protections offered by the California Consumer Privacy Act (CCPA) and offers guidance on various privacy-related issues, enabling Californians to take informed actions regarding their privacy.
Under the CCPA, consumers have a right to be informed about how their information is processed at or before the point of collection.
Under the California Consumer Privacy Act you must disclose:
Under the CCPA, consumers have a right to access their personal information when verifiably requested*.
In particular, consumers have the right to access:
*Verifiably requested or a “verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify . . . to be the consumer about whom the business has collected personal information. Cal. Civ. Code § 1798.140(y)
You must provide consumers with two or more methods for submitting access requests, including at a minimum, a toll-free telephone number, and if the business maintains an internet web site, a web site address. You must also make reasonable efforts to verify that the person making the request is either the consumer about whom the information was collected, or authorized to request this information on behalf of the consumer as outlined above.
Under the California Consumer Privacy Act, the right to data portability is bundled together with the right to access, under Section 1798.100 (d).
Where businesses fulfill Access requests “electronically”, it’s also required that the information be provided to the consumer in “a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance”.
Information requests must be fulfilled, free of charge, within 45 days of the consumer’s verifiable request. This time period may be further extended once by an additional 45 days, if reasonably necessary, and provided that the consumer is given notice of the extension within the first 45-day period.
The disclosures made in the fulfillment of the request should cover the 12-month period preceding the receipt of the request.
Businesses must respond through either regular mail or in an electronic format (such as email, file download, etc.). If delivered electronically, the law mandates that the information must be “portable”, i.e. delivered in a format that’s easy to use and that allows transmission of the information to another entity without hindrance.
The CCPA grants consumers the right to request the deletion of any personal information that has been collected about them. If a verifiable request for deletion is received from a consumer, you must delete the consumer’s personal information from your records and instruct any related service providers to delete the consumer’s personal information from their records.
You must provide consumers with two or more methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the business maintains an internet website, a website address. You must also make reasonable efforts to verify that the person making the request is either the consumer about whom the information was collected, or authorized to request this information on behalf of the consumer as outlined above.
This request must be fulfilled free of charge, within 45 days of the consumer’s verifiable request. This time period may be further extended once by an additional 45 days, if reasonably necessary, and provided that the consumer is given notice of the extension within the first 45-day period.
Businesses are not required to comply with a deletion request if the information is needed:
Under the CCPA, a consumer has the right, at any time, to tell a business which sells their personal information to third parties, that they must stop selling such personal information.
As mentioned above, under the CCPA, “sell”, “selling”, “sale”, or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business to another business or a third party, for monetary or other valuable consideration.
Two less obvious examples of what could* be considered “selling” under the CCPA are:
*Keep in mind that at this stage of implementation some factors may change as the law is further refined.
If you “sell” consumers’ personal information to third parties, you must disclose this fact to consumers, and must also inform them that they have the right to opt-out of the sale of their personal information (as per “The right to be informed” listed above).
A consumer cannot be asked to create an account in order to opt-out. Instead, this process should be facilitated via a “Do Not Sell My Personal Information” (“DNSMPI”) link on your website or privacy notice.
If a business receives direction from a consumer not to sell the consumer’s personal information, it is prohibited from selling the personal information of that consumer unless the consumer subsequently provides express authorization for the sale of their personal information (Opt-in).
Businesses may only ask for a consumer’s authorization one more time, and only 12 months after the consumer has opted out.
Businesses are prohibited from selling the personal information of consumers if the business has actual knowledge that the consumer is under the age of 16. In such cases, businesses may only sell the information if:
To achieve CCPA compliance, businesses are prohibited from discriminating against consumers for exercising their rights granted under the law. Prohibited forms of discrimination include:
Consumers have the right to sue* businesses that violate the law. The associated fines will be between $100 and $750, or any higher amount related to actual damages (where larger damages can be proven).
*This only applies to the actual businesses themselves and not “service providers” acting on behalf of the business.
The state can bring charges of up to $2,500 per violation for businesses that unintentionally violate the CCPA, and fines of up to $7,500 per violation, for businesses that commit intentional violations.
While these fines might not seem particularly large in comparison to other privacy laws, do consider that these fines apply per individual violation and per consumer. For a business with even just a few customers, these fines can add up to a hefty sum.
CCPA compliance is, similarly to compliance with other privacy laws, a multi-faceted process that involves honest review, planning and technical and legal implementation.
Regardless of how you choose to approach the implementation process, there are still a few basic steps you’ll need to take before even getting to the implementation stage. Let’s take a look at them, as well as the rest of the implementation process, below.
(This compliance section has been updated to align with the amended version of the CCPA which is currently in force — the CPRA.)
Perhaps one of the most important steps for CCPA compliance is to honestly review and assess your own processes and systems.
Some questions to ask yourself here are:
The service, quality, level and/or prices you charge or offer to consumers must not be influenced by or dependent on whether or not they’ve chosen to exercise their rights. The only exceptions to this rule are cases where the value of the service or good offered relies upon the data collected about the consumer (see example above).
You may offer financial incentives (including payments) to consumers in exchange for accessing their personal information, however, you may only use financial incentives that are fair, reasonable, non-coercive and not extortionate. In all such cases, consumers must first be notified of such incentives via the homepage of your website.
As a requirement under the consumer’s right to opt-out, you must provide an easily accessible, clear and conspicuous “Do Not Sell My Personal Information” (“DNSMPI”) link on your website’s homepage and within your privacy policy (with the appropriate disclosures of the associated consumer right).
The link must take the user to a page where they can opt-out of the sale of their personal information.
Where technically feasible, you are allowed to host and redirect California residents to a separate homepage with the visible DNSMPI link.
Access, portability and deletion rights must be honored, at no cost to the consumer, within 45 days of receiving a verifiable request. The fulfillment period can be extended (only once) by a further 45 days if necessary, provided that the consumer is given notice of this fact.
When fulfilling access and portability requests, the information returned to the consumer must be given in an easy-to-use and easily transmittable format.
When a consumer exercises their opt-out rights (the right to say no to the sale of their data), you must comply upon receiving the request.
In cases where you are aware that the consumer is a minor under the age of 16, you must not sell their information unless explicitly authorized to do so by a parent or guardian (for minors under 13), or explicitly authorized to do so by the minor consumer themselves where the minor is between the ages of 13 and 16.
Implementation can be complicated. This is where iubenda comes in: we take the weight off your shoulders by offering powerful software solutions — backed by our international legal team — which allow you to handle even the most complex situations within a few clicks and fully customize when needed.
Our 360° solutions, crafted by our expert legal team, help keep you covered with minimal effort.
Get a CPRA-compliant Privacy Policy, customizable based on 1800+ clauses and available in 11 languages.
Add a Privacy Controls widget to your site allowing California users to opt-out from processing.
Among the few providers compatible with GPP & GPC, making it easier to honor these opt-out requests.
Automatically store user preferences and document CPRA opt-outs.
Laws, like the people, needs, and ideas they serve, are often dynamic “living” things. Similarly, your own business purposes, partners and processes may shift with time.
For this reason, it’s vital that you periodically review and assess your internal processes, technical capabilities, and legal documents, and keep them up-to-date with legal requirements.
Our solutions take the guesswork out of CCPA compliance by doing the heavy technical and legal lifting so that you can focus on growing your business.