What is the CCPA?
The California Consumer Privacy Act (CCPA) is the most comprehensive personal data protection law in the United States. The CCPA creates consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.
The CCPA applies to all businesses, regardless of location, that meet the following criteria:
- Has annual revenue of $25 million or more
- Controls or possesses the data of 100,000 or more California residents
- Derives 50% or more of its revenue from the sale of personal data
For organizations that meet the applicability criteria, here is a breakdown of what is required for CCPA compliance:
- Businesses must honor a consumer’s request for the categories and specific elements of their personal information the business has collected. Consumers also have the right to request their personal data be deleted (exemptions apply)
- Businesses must give consumers the ability to opt out of the sale of personal data
- Businesses are prohibited from discriminating against consumers that exercised any of their CCPA rights
- Organizations are required to provide four types of notices: 1. Privacy Policy, 2. Notice at Collection, 3. Notice of Financial Incentive, and 4. a “Just-in-Time” Notice
Vendor requirements
Businesses must determine whether vendors that process the personal information of California consumers on their behalf are considered a “service provider” or a “third party” as defined under the CCPA. Businesses that have no contract with a vendor, or whose contract lacks the specific language the CCPA requires, may find the vendor relationship treated as a sale of personal information and become subject to the sale-of-personal-information requirements. The definitions are as follows:
Service provider: a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.
Third party: a person or business entity who is NOT:
- The business that collects the PI from consumers; or
- The recipient of PI from a business for a business purpose pursuant to a written contract (contract must prohibit the sale of the PI or other use outside of the written contract).
Contracts must be updated or put in place and include specific requirements regarding personal information processing activities. Contractual provisions must outline that the service provider is prohibited from:
- Selling personal information;
- Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract; and
- Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
Contracts must also include a statement confirming that the service provider understands the restrictions outlined above.
Achieving CCPA Compliance
To achieve CCPA compliance, organizations need to have the appropriate privacy controls implemented to honor consumer rights, address proper disclosure requirements, and maintain records of processing. A data privacy assessment is typically the first step toward compliance. The assessment provides organizations with a roadmap by helping them understand their CCPA obligations and risk exposure, and whether their current controls satisfy CCPA requirements.
The Risk of Noncompliance
The California Attorney General’s office can levy penalties of $2,500 for each violation or $7,500 for each intentional violation. In August of 2022, personal care and beauty product company Sephora had a $1.2m settlement issued against it for CCPA violations.
The CCPA gives consumers a private right of action in the event of a data breach. Individuals can file a civil suit if their non-encrypted or non-redacted personal information was included in a breach that was a result of a business’s CCPA violation. Damages in a civil suit range from $100-$750 per consumer incident, or more if the actual damages exceed $750.
The private right of action opens the door to class action lawsuits, which greatly increases an organization’s financial risk for CCPA violations.
How we can Help
CompliancePoint provides a full suite of services that help organizations manage and respond effectively to privacy requirements, including CCPA, GDPR, and other state laws. We help organizations proactively identify their gaps, build out frameworks to meet compliance requirements, and can manage their privacy program on an ongoing basis to maintain compliance.
Frequently Asked Questions
What does CCPA stand for?
CCPA stands for the California Consumer Privacy Act.
What are the CCPA applicability thresholds?
The CCPA applicability thresholds for businesses are:
- Annual revenue of $25 million or more
- Control or possess the data of 100,000 or more California residents
- Derive at least 50% of revenue from the sale of personal data
What is the CPRA?
The CPRA is a series of amendments to the CCPA that added new privacy rights. The CPRA amendments went into effect in January 2023.