If your business operates in California or handles the personal information of California residents, you’ve likely heard of the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA). These privacy laws have set a new standard for consumer data protection in the U.S. But what do these laws entail, how do they differ and what steps should you take to ensure compliance? Read on as we break it down into digestible pieces of information.
What is CCPA?
CCPA stands for the California Consumer Privacy Act. It's a piece of legislation that has set a high bar for consumer privacy rights in the United States, especially as it applies to businesses that collect and use personal information. This law came into effect on January 1, 2020, and is designed to give California residents more control over their personal information. The act gives consumers the right to know what personal data is being collected about them and to whom it is being sold, along with the ability to access or delete that data and to opt out of its sale. Essentially, CCPA grants consumers greater transparency and control over their personal information.
Does CCPA apply to my business?
Determining whether the CCPA applies to your business is the first step. The CCPA applies to for-profit businesses that do business in California and meet at least one of the following criteria:
- Annual gross revenue exceeds $25 million.
- Buys, receives, sells or shares the personal information of 100,000 or more California consumers or households.
- Earns 50% or more of its annual revenue from selling California consumers' personal information.
If your business meets any of these thresholds, you are required to comply with the CCPA.
How does the CCPA define personal information?
Under the CCPA, "personal information" is broadly defined as any data that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household. This includes obvious identifiers like names and email addresses, as well as IP addresses, browsing history and geolocation data. The broad scope of this definition means that most businesses will need to carefully assess the types of data they collect and store.
What is the difference between CPRA and CCPA?
The California Privacy Rights Act (CPRA) does not replace the CCPA but rather amends and expands it. Often referred to as “CCPA 2.0,” the CPRA was passed by California voters in November 2020 and became fully enforceable on January 1, 2023. The CPRA introduces new concepts like "sensitive personal information," creates a new enforcement agency, the California Privacy Protection Agency (CPPA), and gives consumers even more rights, such as the right to correct inaccurate information. Businesses need to understand these additional requirements to stay compliant.
What are the CCPA requirements?
The CCPA requires businesses to:
- Disclose what personal information is collected, where it’s sourced, the purpose of its collection and with whom it is shared.
- Provide access to the specific pieces of personal information collected about a consumer.
- Allow deletion of personal information upon request, with some exceptions.
- Give consumers the right to opt out of the sale of their personal information.
- Avoid discrimination against consumers who exercise their CCPA rights.
How to Prepare for CCPA and CPRA Compliance
Preparation for CCPA and CPRA compliance involves several key steps:
- Data mapping: start by mapping out and understanding the personal data your business collects, stores and shares.
- Update privacy policies: your privacy policy needs to be clear, accessible and updated to reflect CCPA and CPRA requirements. It should inform consumers about their rights and how they can exercise them.
- Implement consumer rights processes: establish processes that let consumers access or delete their data and opt out of its sale. Ensure these processes are user-friendly and can handle the volume of requests you might receive.
- Train your staff: employees should be trained on CCPA and CPRA requirements, especially those who handle consumer data or respond to consumer inquiries.
- Review contracts with third parties: if your business shares data with third parties, ensure that contracts reflect CCPA and CPRA requirements, particularly regarding the use and protection of personal information.