This is a compliance guide to the California Consumer Privacy Act (CCPA), updated to cover amendments made by the California Privacy Rights Act (CPRA) in 2023. It’s intended to help businesses, service providers, and contractors better understand the law and the steps required for compliance if they’re subject to it.
What is the CCPA?
The California Consumer Privacy Act (CCPA), which was signed on June 28, 2018, by the Governor of California, Jerry Brown, is a state law that enhanced consumer rights and consumer protections for residents of California. It established four new consumer rights for California residents and several compliance obligations for subject businesses.
The CCPA has since been amended by the California Privacy Rights Act (CPRA), which took effect on January 1, 2023, applying to personal information collected on or after January 1, 2022. The CPRA strengthened the CCPA by expanding the consumer rights of California residents with two new consumer rights, adding data minimization and security requirements for subject businesses, and establishing the California Privacy Protection Agency (CPPA) to enforce the law and impose penalties for violations.
How does the CCPA differ from the CPRA?
It doesn’t. The CPRA and the CCPA are one and the same. The CPRA was an amendment (revision) to the CCPA, not an entirely new law. For this reason, the governing law for data privacy in California is still referred to as the CCPA (or sometimes the CCPA as amended). So, when you ask how to comply with the CPRA, the answer is: by complying with the CCPA – we’ll cover how to do that later in this article.
What rights do consumers have under the CCPA?
The CCPA originally granted residents of California four new rights, which have since been expanded to six rights by the CPRA. The current (amended) rights of California residents are:
- The right to know: Consumers have the right to know what personal information a business collects about them and how it is used and shared.
- The right to delete: Consumers have the right to request the deletion of their personal information.
- The right to opt-out: Consumers have the right to opt out of the sale or sharing of their personal information, including via a Global Privacy Control (GPC).
- The right to no retaliation: Consumers have the right to exercise their consumer rights without discrimination.
- The right to correct: Consumers have the right to request corrections to inaccurate personal information a business holds about them.
- The right to limit use of sensitive information: Consumers have the right to restrict how their sensitive personal information is used or disclosed.
What is personal information according to the CCPA?
The CCPA defines personal information as any data that identifies, relates to, or is linked to a specific consumer or household, unless it is publicly available, deidentified, or aggregated. Personal information includes data like names, addresses, phone numbers, etc.
Some personal information is further classified as ‘sensitive personal information’ and receives additional protection under the CCPA. Sensitive personal information includes data like health information, financial information, genetic data, etc.
Who does the CCPA apply to?
The CCPA applies to any for-profit company or entity doing business in the State of California that a) collects personal data from California residents, and b) satisfies one or more of the following thresholds:
- Having an annual gross revenue exceeding $25 million.
- Buying, selling, or sharing the personal information of 100,000 or more consumers or households annually.
- Deriving 50% or more of its annual revenue from selling or sharing personal information.
Entities that control or are controlled by a business meeting the above thresholds, or that share common branding with such a business, are also subject to the CCPA’s requirements.
How do I comply with the CCPA?
Businesses that are subject to the CCPA must meet nine obligations to be compliant with the law.
- Businesses must provide a clear privacy policy (privacy notice) at or before collecting personal information. It must explain:
  - The categories of personal information and sensitive personal information collected.
  - The purposes for which the categories of personal information and sensitive personal information are collected or used.
  - Whether the personal information or sensitive personal information collected will be sold or shared.
- Businesses that sell or share personal information must include a “Do Not Sell or Share My Personal Information” link on their homepage.
- Businesses must designate clear methods (e.g., a toll-free number, website forms) for consumers to submit requests related to their rights. These requests must be handled within 45 days, with a possible extension of an additional 45 days if necessary.
- If personal information or sensitive personal information is shared with a third party (service providers, contractors, etc.), businesses must enter into agreements with these parties, ensuring:
  - The data is only used for the purpose for which it was originally collected.
  - The third party provides equivalent levels of privacy protection.
  - The third party notifies the business if it can no longer meet the agreed standard for data privacy.
- Businesses must implement appropriate security measures to protect personal information and sensitive personal information from unauthorized access, destruction, or alteration.
- Businesses cannot discriminate against consumers exercising their CCPA rights, such as by denying services or charging different prices, unless the difference is reasonably related to the value of the consumer’s data.
- Businesses must ensure employees responsible for handling consumer inquiries understand CCPA requirements and know how to direct consumers to exercise their rights.
- Businesses cannot use personal information or sensitive personal information they collect for purposes other than those for which it was originally collected, without notifying consumers.
- Businesses cannot retain personal information and sensitive personal information for longer than necessary to fulfill their disclosed purpose. Businesses must disclose the retention periods or the criteria for determining those periods.

What does my website need for compliance with the CCPA?
If your business is subject to the CCPA, your website itself must meet the law’s requirements. There are eight essential features your website must have to do so.
- A Privacy Policy
Provide a detailed privacy policy explaining your business’s privacy practices, the consumer rights of your users, and how your users can exercise their consumer rights. Your privacy policy must be linked from your homepage.
- A “Notice at Collection”
Provide a “notice at collection” before or at the moment of collecting any personal information from your users. It must include a link to your company’s privacy policy, and a list containing the different categories of personal information your business collects at that point and the purpose each category is used for. The easiest way to provide a notice at collection is with a Cookie Consent Banner.
- A “Do Not Sell or Share My Personal Information” mechanism
Provide a mechanism that enables users to opt out of the sale or sharing of their data, accessible without requiring account creation. This must be linked from your homepage.
- A “Limit the Use of My Sensitive Personal Information” mechanism
Provide a mechanism that enables users to restrict the use of their sensitive personal information for purposes they would not reasonably expect. This must be linked from your homepage.
- A “Manage Privacy Choices” page (recommended)
Rather than using two separate links for the “Do Not Sell or Share” and “Limit the Use” mechanisms above, you can opt to use a single link labelled “Your Privacy Choices” or “Your California Privacy Choices”, consolidating the opt-out options for data sale and sensitive information use. It must be linked from your homepage. A great example of a “Manage Privacy Choices” page is Microsoft’s third-party ad settings page.
- Mechanism for consumers to exercise their rights
Provide at least two methods (e.g., toll-free number, online form) for users to request access, deletion, or correction of their personal information. We recommend placing this in your privacy policy.
- Integration with Global Privacy Control (GPC) signals
Ensure your website recognizes GPC signals as valid opt-out requests for selling or sharing personal information.
- Accessible notices and consent mechanisms
Ensure your privacy notices and consent tools follow accessibility standards like WCAG 2.1 to accommodate users with disabilities.
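The GPC integration above means a server must treat the browser’s `Sec-GPC: 1` request header (defined by the Global Privacy Control specification) as a valid “Do Not Sell or Share” opt-out. The following is an added example, not code from the original article or from GetTerms; it assumes a Node-style request whose headers are exposed as a lowercase-keyed object, and the `storedChoice` values are a hypothetical representation of the site’s own opt-out mechanism.

```javascript
// Added example: honour a Global Privacy Control (GPC) signal as an opt-out of
// the sale or sharing of personal information.

// Returns true when the request carries a valid GPC signal. The GPC spec
// defines the header as "Sec-GPC" with the exact value "1"; any other value
// (or no header) is not an opt-out.
function gpcOptOutRequested(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return raw !== undefined && String(raw).trim() === '1';
}

// Decides whether personal information from this request may be sold or
// shared. `storedChoice` is a hypothetical value from the site's own
// "Do Not Sell or Share" mechanism: 'opt-out', 'consented', or undefined.
// A GPC signal must be processed as an opt-out even when the consumer earlier
// consented on the site; the business may then inform the user of the
// conflict and ask again, but may not keep selling or sharing in the meantime.
function effectiveSaleSharing(headers, storedChoice) {
  if (storedChoice === 'opt-out') {
    return { allowed: false, source: 'site-choice' };
  }
  if (gpcOptOutRequested(headers)) {
    return { allowed: false, source: 'gpc' };
  }
  if (storedChoice === 'consented') {
    return { allowed: true, source: 'site-choice' };
  }
  // No signal and no recorded choice: the CCPA is an opt-out regime for
  // adults, so selling/sharing is permitted until the consumer opts out.
  return { allowed: true, source: 'default' };
}

// Constructed sample requests (not real traffic) showing each outcome.
const samples = [
  { headers: { 'sec-gpc': '1' }, storedChoice: 'consented' }, // GPC overrides
  { headers: {}, storedChoice: 'opt-out' },                   // site opt-out
  { headers: { 'sec-gpc': '0' }, storedChoice: undefined },   // not a signal
];
for (const s of samples) {
  console.log(effectiveSaleSharing(s.headers, s.storedChoice));
}
```

A browser-side check can mirror this with the `navigator.globalPrivacyControl` property the same specification defines, so that client-side tags are suppressed before any request is made.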
Are any businesses exempt from the CCPA?
Yes, if your business is classified as a not-for-profit or if it doesn’t meet the criteria we covered under ‘who does the CCPA apply to?’, then it is exempt.
What types of personal information are exempt from the CCPA?
Only personal information already covered by other regulations is exempt from the CCPA – e.g. health information is regulated by HIPAA and the CMIA, and financial information is covered by the GLBA. To be clear, this data is exempt from the CCPA because you’ll instead need to comply with the relevant law. It is not exempt from all privacy laws.
Who is covered by the CCPA?
The California Consumer Privacy Act (CCPA) protects consumers residing in California. This includes individuals who are either:
- Active residents: They are in the state for purposes other than temporary or transitory reasons.
- Domiciled residents: They reside in California but are temporarily outside the state.

How is the CCPA enforced?
The California Privacy Protection Agency (CPPA) is responsible for investigating, enforcing, and imposing fines for violations of the CCPA.
Consumers also have the right to file a civil lawsuit if they’re affected by a data breach involving compromised login details or non-encrypted or non-redacted personal information due to a business’s failure to maintain reasonable data security practices.
What are the penalties for violating the CCPA?
Businesses that violate the California Consumer Privacy Act (CCPA) can face fines of up to $7,500 per violation and be ordered to pay up to $750 in damages per consumer per incident.
Fines
Businesses that violate the CCPA can receive fines of up to:
- $2,500 for each unintentional violation.
- $7,500 for each intentional violation.
- $7,500 for each violation involving the personal information of an individual under the age of 16.
What this means is that a single failure to comply with the law is multiplied by the number of instances of that violation. For example, if you unknowingly fail to respond to the opt-out requests of 50 users, you can be fined up to $2,500 for each of the 50 users (a total fine of $125,000).
Damages caused by data breaches
Consumers can file lawsuits if their personal information – such as login details or unencrypted or unredacted personal information – is accessed, stolen, or disclosed due to a business’s failure to implement reasonable security measures. In these cases, businesses may be required to pay damages of between $100 and $750 per consumer per incident or actual damages (whichever is greater) and to take action to fix the problem or prevent further harm.
What’s the best compliance tool for the CCPA?
GetTerms! We can help you generate a privacy notice and implement a notice of collection on your website. We’ll also store the consent preferences of your users anonymously, so you have total proof of compliance. Check out our Privacy Policy Generator, Cookie Consent Banner and consent management platform.