What is the California Consumer Privacy Act (CCPA?)

When it was introduced in January 2020, the California Consumer Privacy Act (CCPA) introduced a new way of approaching data privacy for businesses not only in the state of California but worldwide. 

In this guide, we’ll take a look at the basics of this relatively new privacy law and how they might apply to your business. We’ll explore the rights and responsibilities set out within this landmark privacy law, as well as how you can take steps to stay compliant.

Here's everything you need to know about CCPA Compliance. 

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a leading privacy law brought in to offer additional rights and protections for California residents. It gives them greater control over how their personal data is collected, processed, and shared by businesses.

Within the CCPA, the definition of personal information is information that identifies, describes, relates to, or can reasonably be linked to an individual consumer or household. Different categories of personal information fall under this definition, including: 

• Identifiers — name, mailing address, email address, social security number, driver’s license number, IP address, credit card details
• Network activity — search history, browsing history, 
• Biometric data — eye color, hair color, fingerprints, retina scans
• Geolocation data — the location of a device
• Protected characteristics — age, sexual orientation, race, religion, gender identity

Consumers' personal information which is already protected by federal law isn’t covered by the CCPA. For example, medical information is already covered by the Health Insurance Portability and Accountability Act (HIPAA).

The CCPA gives residents of the state of California new and expanded rights to access, control, and delete their data. It also places responsibilities upon businesses to ensure these rights are upheld, with potential penalties applied if they don’t.

What Does CCPA Stand For?

CCPA stands for California Consumer Privacy Act. The California legislature passed this law in 2018, but the law took effect in late June of 2021. This time period was designed to give businesses time to change their policies and technology to comply with the new requirements.

This particular law was proposed by the citizens of California themselves through a petition process. The petition collected 629,000 signatures — demonstrating just how important these data protections are to Californians.

The purpose of CCPA is to ensure personal data is protected for California consumers. It holds businesses to certain standards to protect information used in the digital marketplace.

What Rights Are Covered by the CCPA?

Since its introduction in January 2020, the CCPA has provided eligible residents with a range of new rights they can exercise. These rights allow people to understand more closely how their data is collected and used, and to control better the ways in which it is used, sold, or shared. 

Let’s take a closer look at the new consumer rights introduced in this landmark privacy law. 

1. Right to Notice

This simple right gives customers the right to understand which categories of personal information are being collected about them at or before the data collection happens. Customers should also be informed of why this data is being collected, so they can be better informed. 

One of the easiest ways for businesses to fulfill this right is to have a clear, user friendly privacy policy or privacy notice. This key document outlines how you collect personal data, the purposes behind it, and informs users of how they can exercise their rights. This privacy policy page can then be displayed to consumers when their data is collected, using a link or pop-up. 

As per the requirements of the CCPA, this privacy policy needs to be updated every twelve months.

2. Right to Disclosure

Under the CCPA, consumers have the right to understand what personal information a business holds about them. This right means that consumers can ask you to disclose any personal information that you hold about them. 

Not only do residents of the state of California have access to their personal data, but you need to supply it in a readily usable format. This helps customers transfer their data to another organization for processing through data portability, similar to a principle within the GDPR. 

When a California resident exercises this right, you should provide them with the following information: 

• Categories of personal information collected — e.g. biometric
• Specific pieces of personal information collected — e.g. the consumer’s eye color
• Where and how this data was collected
• The purpose for data collection and processing
• Information on any third parties this data has been shared with

Trawling through your data inventory over multiple years is a considerable task and often not possible within a small time frame. Luckily, there’s a limitation that this personal data must have been collected within the previous twelve months. This makes it considerably easier to comply with the right to disclosure. 

Not only do residents of the state of California have access to their personal data, but you need to supply it in a readily usable format. This helps customers transfer their data to another organization for processing through data portability, similarly to a principle within the GDPR. 

To fully comply with the CCPA, you should offer at least two ways that people can make this request. This must include a toll-free telephone number, with other great options including an email address, web form, or mailing address.

3. Right to Opt-Out

While there’s no restriction on selling consumers’ data under the CCPA, businesses must offer California residents the opportunity to opt-out of the sale of data. This doesn’t just cover outright sales, but also the rental, disclosure, or transfer of data to third parties too. 

The right to opt-out gives people the chance to retain greater control over their personal data, and helps protect them from future unwanted marketing and promotions from third parties. Companies should create a “Do Not Sell My Personal Information” web page and clearly link to it from their homepage, so consumers can easily make an informed choice and opt-out if they wish. 

If someone exercises this right, an organization must then stop the sale of personal data relating to that consumer. It’s up to the business to then clearly denote between data which is opted in and opted out within their data inventory, so that the consumer’s right is respected.

4. Right to Fair Treatment

For some ultra commercially minded businesses, a consumer whose data they cannot sell or who has made a request for disclosure may appear to be less valuable or favorable. Under the CCPA however, every consumer has the right to equal services and prices — and cannot be discriminated against because they’ve chosen to exercise their rights. 

While companies can’t offer unfavorable terms to consumers that have exercised their rights, they can offer reasonable financial incentives to those that do provide their personal information. This incentive needs to be in line with the value the company places on having access to that data. For example, a business may choose to offer a small discount to customers that are subscribed to their mailing list.

5. Right to Request Deletion

Lastly, as with many leading privacy laws, consumers can request the deletion of the personal information that a business holds on them. This can be helpful for consumers that wish to move to a competitor, or no longer require your products or services.

This data must have been collected within the previous twelve months, and care should be taken to verify identity before finalizing the deletion. There are some exceptions where the deletion of data cannot happen — for example, if you’re legally obligated to retain it.

Responsibilities for Businesses Under the CCPA

Like the European Union’s General Data Protection Regulation (GDPR), the CCPA brings not only new rights for consumers but new responsibilities for the organizations that it applies to. 

Let’s examine the CCPA requirements for businesses:

1. Comply With Your Customers’ Consumer Rights

Most importantly, businesses that fall under the requirements for CCPA compliance need to uphold consumers’ rights. This means you should understand what these rights are, respect any requests made by consumers under these rights, and make it easy for people to exercise their rights. 

Examples of complying with consumer rights under the CCPA include: 

• Having a valid, user-friendly privacy policy that clearly outlines your approach to data collection, processing, and sharing 
• Providing a link to your privacy notice at or before data collection
• Supplying clear information about financial incentives and the sale of personal data
• Hosting an easily accessible “Do Not Sell My Information” page
• Providing a reasonable way for consumers to access and/or delete their personal information 

Once you understand your consumers’ rights, it’s easy to put processes and plans in place that make it easy for you to comply with them. You can add the appropriate pages to your website, create internal processes for handling requests, or invest in a streamlined privacy platform to help you manage compliance.

2. Respond to Data Subject Access Requests

Consumer rights under the CCPA allow them to contact you to ask you to disclose personal information, stop the sale of data, and delete data. This means you need to have a clear, robust way of handling these data subject requests. 

Under the CCPA, you have 45 days to act upon the data subject request once you’ve confirmed that it’s valid. This may be extended by a further 45 days when necessary, but in most cases, you’ll need to comply with consumer requests within the original timeframe. 

Before you act on a request, you need to confirm the individual’s identity within a “reasonably high degree of certainty.” The most popular way to do this is by verifying three reliable pieces of data, and collecting a signed declaration that they are the individual concerned. 

Once you’ve confirmed the identity of the individual, you can then process the data subject request. It helps to have a set internal process for this and to clearly document any requests in case you need to refer to the request and actions taken in the future.

4. Maintain Accurate Records

It’s best practice to maintain accurate records when it comes to any data, but it’s especially key if you need to comply with privacy laws like the CCPA. Companies affected by the CCPA need to demonstrate that they are compliant, and the best way to do that is with clear and correct records. 

To help streamline your record management and stay compliant, you should consider keeping records that show precisely: 

• The personal information collected
• Where and by what means it was collected
• What this data is used for
• Any third parties that have or have previously had access to this data
• Whether the data is opted in or out of sale
• Any actions taken that relate to this data — for example, additional data collection or changes made

The more exact your records are, the easier it will be to respond to any future consumer requests. You’ll know exactly where the relevant information is, be able to take action, and have a digital or paper trail that protects you. 

Alongside keeping accurate records to show compliance, businesses should also take a keen interest in consumer data security and cybersecurity. Information should be securely stored and protected appropriately, to minimize the opportunity for data breaches to take place. Combined with accurate record management, this helps keep your valued consumers’ information safe and secure.

Which Businesses Need to Comply With the CCPA?

To help you understand whether you need to comply with the CCPA or not, there’s a simple test. You need to comply if one or more of the following apply: 

• Your annual gross revenue exceeds $25 million
• You collect, process, or transfer the data from 50,000 or more California residents per year
• 50% or higher of your annual revenue comes from the sale of data of California residents 

While the CCPA gives new rights to California residents, it introduces privacy principles that make sense for consumers worldwide. This, coupled with the fact you never know where your next customer is coming from, means it’s sensible to craft a privacy policy and approach that respects the CCPA — even if it doesn’t currently apply to your business.

The CCPA is only applicable to for profit businesses that operate for a commercial purpose. Charities, nonprofits, and other voluntary organizations can rest easy knowing they don’t need to worry about CCPA compliance.

Penalties for CCPA Non Compliance

Like most data privacy laws, the CCPA introduces penalties for businesses that fail to comply. This helps encourage companies to uphold consumer rights and respect the spirit and detail of the legislation. 

Noncompliance and violations can include any of the following: 

• Failing to keep consumers informed of their rights — even if it’s through lack of knowledge
• Failing to update the privacy policy 
• Failing to enable subject access requests — for example by not providing the correct contact information
• Failing to respond to requests within the required timeframe
• Charging a fee to consumers that wish to exercise their rights
• Treating customers unfavorably or discriminating against them if they choose to exercise their rights 

The CCPA is upheld and enforced by the California Attorney General, but consumers first need to take action by filing a private right of action (PRA). This notice gives the business the chance to make things right and resolve any issues, before it is taken to the Attorney General. From there, it follows through a process that can result in action being taken by the consumer, the Attorney General, or neither. 

The Attorney General has the opportunity to impose injunctions and civil penalties on businesses for noncompliance and CCPA violations. This penalty is set at $2,500 for each violation, which can rise towards $7,500 per violation if it was considered to be intentional. These penalties are applied per violation. This means if your violation refers to hundreds or thousands of individuals, the penalty can rise steeply. 

Consumers can seek statutory damages, but this is limited. This only applies if the violation relates to the “unauthorized access and exfiltration, theft, or disclosure” as a result of a business failing to apply “basic security procedures and practices.”

The biggest CCPA fine was when the attorney general of California slapped a $1.2 million penalty on Sephora for repeated violations, including a failure to inform users of data sharing, an inability to opt out of data tracking, and lack of forms on their website. 

How to Become CCPA Compliant

The penalties associated with violating the CCPA's privacy practices can feel scary, and nobody wants the bad press that comes alongside it either. The good news is that you can reduce that worry with the help of one simple tool. 

With Enzuzo, you can streamline your approach to data privacy compliance. We have an out-of-the-box CCPA Compliance Page, also known as a Do Not Sell My Information page which you can set up in minutes!

Our privacy platform makes it easy to build a user-friendly privacy policy, manage data subject requests, and create a useful digital trail that demonstrates your compliance.

Generate a Privacy Policy

Next, for CCPA compliance we strongly recommend that you build a privacy policy for all your digital properties. 

Head over to our privacy policy generator, enter the relevant information, and at the end of the generator you’ll have an easy to read privacy policy document built around your consumers’ needs. 

Your consumers can skip to the information that’s most relevant to them, thanks to a drop-down navigation system. This also allows you to share all the details required, without it feeling overwhelming — so you can demonstrate compliance and care about customer experience. Some of our plans also feature translated privacy policy features, giving you even more ways to help your customer stay informed.

CCPA Compliance: Frequently Asked Questions

Understanding data privacy and CCPA compliance doesn’t always come easy. Here are our answers to some of the top questions around CCPA compliance.

How Do I Make My Website CCPA Compliant?

There are two main aspects you need to cover to make your website CCPA-compliant. The first is a privacy policy, and the second is a notice that complies with the right to opt-out of the sale of personal data.

To comply with the CCPA and most major privacy laws, your business should display a privacy policy. This is often found within a web page, and features clear, easy-to-understand information on how you collect, process, share, transfer, and delete personal data. A good privacy policy helps your consumers understand their rights and helps you comply with the requirements set — for example, to provide notice of data collection, and to share how they can exercise their right to disclosure or deletion. 

Secondly, you need to feature a compliant statement around the right to opt-out of sale on your website. This should take the form of a web page, clearly titled “Do Not Sell My Personal Information.” This page needs to outline your organization’s approach to the sale of data, state that consumers can opt-out, and explain how they can do so. A great place to feature this is within your website footer, so it’s easily accessible from any page on your website.

Whose Responsibility is it to Achieve CCPA Compliance?

Data privacy legislation compliance is everyone’s responsibility. While you may have a data protection officer or someone who’s dedicated role is to ensure compliance, everyone that interacts with customers or consumer data needs to be knowledgeable and help towards compliance. 

Adopt a privacy-first approach to the way your business works with data to make this easier. Introduce clear processes and guidance that employees can refer to, to help keep them on track. Host training sessions about CCPA compliance, and have someone available that they can go to with any questions. Putting data privacy and data security at the heart of your business is a great way to help you stay compliant.

Should I Aim for CCPA Compliance Even if It’s Not Required?

Many businesses aren’t required to comply with the CCPA by law, but that doesn’t mean you shouldn’t adopt its principles when it comes to handling and processing data. 

The CCPA shares many core principles, themes, and requirements with other leading privacy laws — like the EU’s GDPR and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). With each privacy law applying to slightly different groups of consumers, it makes sense to futureproof your business and comply with them all as best as possible.