CCPA Compliance Requirements : Guide to California’s Data Privacy Law

GDPR was the first compliance law that mandated businesses to adopt processes and policies that aimed to protect the rights of users and ensure the integrity of their personal data. After GDPR, California’s CCPA was able to mandate businesses to adhere to its privacy law at scale. 

CCPA – California Consumer Privacy Act is a comprehensive data privacy law for business entities. Your business comes under the purview of CCPA if you collect, process, or sell any personal data of California residents, much like GDPR, which applies to European residents/citizens.

The consequences for non-compliance are high. Non-compliant businesses were levied penalties worth millions of dollars, and lawsuits were filed too. Likewise, the consequences of non compliance with CCPA are high. So, if you are under its purview and have not started your compliance process, you know what to do. 

In this article, we have outlined the CCPA requirements for you to follow.

Let’s dive in…

What are CCPA requirements?

CCPA requirements are a list of processes that apply to for-profit businesses that conduct business anywhere in California. The CCPA requires you to comply with user requests for all the data you collect and store. 

It all boils down to whether your company falls under the California Consumer Privacy Act’s (CCPA) definition of a ‘business.’ If it does, compliance is a must.

So, what defines a ‘business’ under CCPA?

• For-Profit Entity: Your company needs to be a for-profit entity.
• Collects Consumers’ Personal Information: In CCPA terms, a ‘consumer’ is a California resident for tax purposes. ‘Personal information’ is broadly defined as covering any data associated with a specific consumer.
• Doing Business in California: It is crucial to understand what it means to ‘do business’ in California.

Hence, if you are a business eligible for any of the above points on consumer rights, you should prepare for the privacy regulations to get CCPA compliant with additional resources (following the requirements).

Let’s take a look at that in the next section below…

List of CCPA Requirements

If you are on the journey of CCPA compliance, this CCPA requirements checklist will greatly help you. 

Here is the list of requirements you need to follow:

1. Right to disclosure

The key obligation that highlights the “right to disclosure” is that if you collect information about a Californian consumer protected by CCPA, you must inform them.

You have to inform them about your intentions of using their info in plain and understandable language on or before collecting the data to maintain privacy rights.

For example, this information may include financial account numbers, social security numbers, or genetic data.

2. Right to contact information

Did you add a visible link to the privacy policy on your website as part of your privacy rights?

According to this requirement, you must inform the customers where they can find additional information about the privacy policy.

Apart from the basics, you also need to give access to a toll-free telephone number or online contact details if the consumers want to contact you regarding their CCPA-related queries.

3. Right to opt-out of data sales and marketing collaterals

Opt-in and opt-out under the CCPA privacy policy are used in data protection. They come in many forms, from simply accepting cookies to requesting the information to be forgotten.

With CCPA, consumers can opt out of selling or sharing their information. The Attorney General even promoted this right by developing a Uniform opt-out icon that any profit entity can use on their websites.

Hence, you must have a separate webpage that displays this option, preferably with a link to the page for your business purposes.

4. Right to Access

According to this obligation, consumers will have the right to request information in a readily usable format. This information should be given free of charge within 45 business days (+45 day extension period), failure to which you will face statutory damages.

The requirement highlights that the info should be readable clearly and concisely.

The privacy verifiable request from consumer personnel under CCPA regulations can include:

• The categories of info you collect
• The specific information you have about the said customer
• From which sources do you get information?
• Categories of third parties in disclosing privacy information
• The purpose or intentions of your collecting information

Note: Usually, businesses must honor the customer request twice a year. This is to reduce the burden on the business to address every time.

5. Right to fair treatment

“Discrimination no matter how small is wrong,” this additional requirement states that you cannot discriminate against the consumer in any way. The discrimination parameters can be age, sexual orientation, or subscriber.

Under the CCPA, consumers have equal rights to services and prices.

Here are some things you cannot do as service providers for consumers who want their own privacy preferences:

• Deny access to goods or services to the customer
• Give different rates to consumers or more discounts to specific customers
• Giving different tier levels or qualify of goods to consumers who choose opt-out or opt-in status that benefits you
• Giving any suggestions that the consumers will receive an additional rate or discount by choosing to opt-in

6. Right to be Forgotten

You can implement the “Right to be Forgotten” in many ways, like data masking and anonymization, but the safest method so far is “Complete erasure.” This is because anonymization could result in the re-identification of individuals.

Under CCPA, you must immediately delete personal data and info if a customer requests this obligation.

However, you can always hold on to the client data to fulfill some legal obligation.

7. Update privacy policies

The CCPA mandates that you update the privacy policy notices once every 12 months. As mentioned above, the privacy policy should also be linked to your website.

The consumer has the right to information that you have collected of them for the past 12 months as part of your reasonable security measures.

Consequences of not following CCPA requirements

The consequences of not following the CCPA requirements are severe. The attorney general may impose a penalty of $2500 on any violation each, even if that is accidental, and $7500 for an intentional violation.

Also, users can get up to $750 for the damages caused by each privacy breach.

Some examples of violations that are the requirements for businesses are:

• Not maintaining Privacy Policy updates mandated by CCPA – a comprehensive privacy law
• Selling or sharing consumer information without providing an option for the opt-out
• Not responding to the consumer’s privacy requests on the type of information you collect within the stipulated timeline
• Not providing a notice before collecting private information
• Exercising the CCPA rights by discriminating against consumers
• Not having a toll-free number on your website for the consumer to reach out

Are you following the CCPA Requirements?

Now that you clearly understand the CCPA requirements to be CCPA compliant, did you check how many of the rules you are following and where you fall short?

If so, the next step is to identify an automation tool to help you comply with compliance requirements and avoid actual damages.

We at Sprinto have a history of helping cloud companies comply with data privacy laws like GDPR and CCPA in a fraction of the time you spend with a private consultant or seeking legal advice.

Here are a few detailed case studies on this subject.

Now, how does Sprinto help?

Sprinto is an always-on continuous control monitoring platform that will detect and alert your security team if there are any anomalies or unusual activities and address them promptly.

With your security team on their toes to respond to potential data privacy breaches, you can conduct multiple remediation actions on the go.

So, if you are ready to leap, it’s time to get on a call with our experts to learn more about how you can achieve CCPA requirements with automation.

FAQs

1. Is CCPA the Same as GDPR?

No, CCPA is not the same as GDPR. CCPA has a narrow scope compared to GDPR. The former only applies to California residents and does not go outside the U.S. However, GDPR applies to personal data collected by EU residents regardless of where the country is located.

2. What is Personal Information Under the CCPA?

The personal information under the CCPA applies to any data that can identify a consumer or related to or linked with their household information. 

3. Who needs to comply with the CCPA 2.0?

Businesses that collect more than 100,000 residents or households must comply with CCPA 2.0. The standard CCPA threshold is similar to that of 50,000 California residents.

4. What types of data are regulated by CCPA?

The types of data that CCPA regulates are several. The primary data types are:

• Personal information (name, email address, etc.).
• Unique identifiers (IP address or device IDs).
• Commercial information.
• Internet activity.
• Data drawn from inferences.