We’ll be at Compliance Week National 2024 in Washington, D.C., April 2-4. Learn more or schedule a time to meet with us at the show here.

#Article

California Consumer Privacy Act (CCPA): What You Need to Know


California Consumer Privacy Act (CCPA): What You Need to Know in 2021

On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect to protect consumer data. Is your business complying?

Forty million.

That's the number of current California residents, and also the number of people who now have their personal data protected by the strongest state privacy legislation the US has ever seen.

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, but how do you know if it applies to you? And what do you do if it does? This guide can help you ensure compliance with the new law.

Having clear, transparent policies can help answer consumer questions and protect your business when the CCPA goes into effect. Download our Data Security Policy Template to get started.

What is the California Consumer Privacy Act?

Passed into law in June 2018, the CCPA aims to give California residents more control over their personal data. According to Californians for Consumer Privacy, the Act's goals are to give residents the rights to:

  1. Know what information businesses are collecting about them. Businesses must clearly disclose, via a privacy policy on their website, if they collect consumer data. Consumers can also request information including the categories of data being collected, what specific data the business collected about them, the methods and purpose of collecting data and to which third parties the data may be sold or shared.
  2. Tell businesses not to sell or share their personal information. Consumers can also request that a business delete their data.
  3. Protections against businesses that do not value privacy and keeping personal data safe. In addition, consumers are entitled to the same pricing and standard of service whether or not they exercise their rights under the Act.

Not only does California have millions of residents, but many of the world's biggest tech companies (including Google and Facebook) are headquartered there. For this reason, the CCPA has potential to change the way the entire US handles data privacy.

CCPA Definitions

So how do you know if the California Consumer Privacy Act applies to you? To better understand the Act, you first have to know some important definitions.

A consumer is defined as "a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations."

business is a for-profit entity that conducts business in California and collects consumers' personal information and/or sells consumer data for business purposes. It does not have to be physically located in California. To fall under the CCPA, a business must also meet at least one of the following three criteria:

  • Make at least $25 million in annual revenue
  • Earn at least 50 per cent of its annual revenue by selling consumers' personal information OR
  • Possess personal data from at least 50,000 consumers

Perhaps the most confusing definition of the CCPA is personal information. The Act defines it as "a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information.” Some of the specific types of data mentioned include:

  • Personal identifiers (e.g. address, social security number, passport number)
  • Commercial information (e.g. records of property purchased, purchasing history)
  • Internet activity information and history
  • Geolocation data
  • Biometric data
  • Education information

RELATED: GDPR Compliance: Does It Apply to Me?

Steps to CCPA Compliance 

Complying with the California Consumer Privacy Act doesn't have to be difficult or stressful. Take these steps now to ensure your business is fully compliant.

Organize Your Data

Under the CCPA, consumers have the right to request reports on information that businesses have collected about them. In order to respond quickly and accurately, you need an organized data storage system. Evaluate your data inventories and strategies to streamline your process for answering these inquiries.

Update Policies and Procedures

Having clear, transparent privacy and data collection policies and procedures can help answer consumers' questions as they adapt to the law. Revise your policies to fit with the CCPA's regulations, including outlining the rights for California residents under the law and the categories of data that your business collects and why.

Update your business's procedures to guarantee these new consumer rights fit seamlessly into your everyday operations. Train employees on how to handle information report and deletion requests, as well as opt-outs. Most importantly, make sure anyone who handles data knows and understands the specifics of the CCPA.

Improve Data Security

Under the CCPA, businesses must protect consumer data with "reasonable" security. To do this, take a risk-based approach when addressing threats to the confidentiality, integrity and availability of personal information you collect. Assess these threats and rank them according to risk level, then work toward resolving the highest-risk threats first.

Use Case Management Software

Case management software can help your business manage risk by detecting compliance problems early, allowing you to address them quickly. Choose a solution with a robust reporting tool for a fast, complete look at problem areas and trends.

Because you're dealing with sensitive data, case management software with role-defined access is better for complying with the CCPA than spreadsheets or other solutions. The ability to control who can access what consumer information improves privacy and, therefore, compliance.

Want to learn more about how case management software can help you manage data security investigations? Download our free eBook.