California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. Is your
business ready for CCPA compliance?
TIP: Many businesses have spent the last 18 to 24 months working on their data
governance and privacy programs to comply with the European Union's General Data Protection
Regulation (GDPR), which went into effect in May 2018. If you're one of those businesses, a
lot of the work you've already done to achieve GDPR compliance will help you with CCPA compliance,
but there are some important differences – which I explain in this article.
What is CCPA?
The California Consumer Privacy Act (CCPA) defines personal information as "information
that identifies, relates to, describes, is capable of being associated with, or could reasonably
be linked, directly or indirectly, with a particular consumer or household." This definition
is broader than GDPR's definition of personal data, which covers only information relating to
an "identified or identifiable natural person"; CCPA's definition reaches households and devices,
not just individuals.
WARNING: As of this writing, CCPA requirements have not been finalized and
will likely be amended before the final version is adopted. Go to the official CCPA website
at https://oag.ca.gov/privacy/ccpa to read the latest updates to CCPA law.
Does CCPA apply to my company?
CCPA applies to any for-profit business (and any entity that controls or is controlled
by such a business and shares common branding – such as a shared name, servicemark, or trademark
– with it) that does business in the State of California and meets one or more of
the following thresholds:
• Has annual gross revenues in excess of $25 million
• Buys, receives, sells, or shares personal information for commercial purposes
of 50,000 or more consumers, households, or devices annually
• Receives half or more of its annual revenues from selling consumers' personal information
Guidelines for CCPA Compliance
If you are asking, "We are GDPR-compliant, so does that mean we are CCPA-compliant as
well?", the answer is: not automatically. Like GDPR, which defines specific rights of data subjects,
CCPA defines specific rights of California consumers, including:
• The right to access the specific pieces of personal information that the business has collected
about the consumer, limited to data collected in the 12 months preceding the request.
• The right to be notified about the categories of information collected and the purposes for
which the information will be used, at or before the point of collection. Requirements for
privacy policies and notices under CCPA are less detailed than under GDPR, but there are specific
requirements for where notices must be placed on websites and how they must be delivered to consumers.
• The right to request a copy of the collected personal information in a portable and readily
usable format. However, a business is not required to respond to more than two such requests from
the same consumer in a 12-month period.
• The right to deletion (the "right to be forgotten"), with broader exceptions than those provided under GDPR.
• The right to opt out of the sale of personal information, subject to some limitations.
Consumers have the right to opt out of the sale or disclosure of their personal information to third
parties, and businesses must conspicuously display a "Do Not Sell My Personal Information" link on
their website (and provide a toll-free phone number for submitting consumer requests). More
prescriptive guidance is expected in this area, and some or all of the following are widely anticipated:
• Where and how an opt-out link or button must be displayed on a website
• A mandatory, uniform opt-out logo or button that consumers can easily recognize
• A web form that allows consumers to opt out of some or all marketing promotions
(such as email lists, loyalty programs, and so on) from the business