CCPA/CPRA Compliance Guide
Understand CCPA/CPRA requirements, the difference between CCPA and CPRA, how to fulfill data rights for California consumers, and what's expected to keep your business in compliance.
What is the CCPA?
Passed in 2018, the California Consumer Privacy Act (CCPA) established consumer data rights in California and placed new requirements on businesses processing personal data from California residents.
Two years later, in 2020, California passed Proposition 24. More commonly known as the California Privacy Rights Act (CPRA), this bill amended the CCPA—adding and expanding consumer rights, increasing the data processing threshold, and establishing the California Privacy Protection Agency.
The CCPA is already in effect—with the CPRA going into effect on January 1, 2023.
Understanding the CCPA/CPRA's scope and requirements is critical for organizations who operate in or market goods and services to Californians.
Keep reading to learn more about CCPA requirements, consumer rights provided by the CCPA, how this law is enforced, and key CCPA amendments made by the CPRA. At the end, there's a checklist to help your organization get started with CCPA compliance.
Who does CCPA/CPRA apply to?
The first question to ask when figuring out if the CCPA/CPRA applies is: Does our organization conduct business in California (CA) or process personal data from CA residents?
If the answer is an unequivocal 'No,' then CCPA/CPRA doesn't apply and you're off the hook. However, if the answer is 'Yes'—you'll want to keep reading.
The CCPA/CPRA applies to organizations that conduct business or market/sell goods in California. In addition, an organization must:
- Process data for 50,000 or more CA residents (until January 1, 2023 when that threshold increases to 100,000) OR
- Have a gross annual revenue of over $25 million OR
- Derive over 50% of annual revenue from sharing or selling personal data from California residents
To be clear, the data processing requirement means that if your commerce website has visitors from California, the CCPA applies to that group of consumers no matter where your company is located.
It’s also worth noting that the CCPA covers subsidiaries, so businesses can’t “offshore” consumer data in order to bypass California’s privacy requirements.
Who enforces the CCPA/CPRA?
California’s privacy laws are relatively new, so enforcement is still actively evolving. While the CCPA came into full force in July 2020, the CPRA won’t be enforceable until 2023. There are, however, a few important things to remember.
Under the CCPA, the California Attorney General had exclusive rights to CCPA enforcement. However, with the creation of the California Privacy Protection Agency (CPPA), the water has become a bit murky.
The CPRA states the Attorney General may still enforce the CCPA, but that the California Privacy Protection Agency will also have the “full administrative, power, and jurisdiction to implement and enforce” the CCPA.
Though it’s not yet clear exactly how the arrangement will work in practice, this is what we know so far:
- Both the CPPA and the CA Attorney General may enforce California’s privacy laws.
- The Attorney General has precedence, in that they may ask the CPPA to hold off on an investigation until their office has either completed the same inquiry or decided not to pursue the matter further. (1798.199.90 (c))
- If the CPPA has already issued a decision about an investigation or violation, the Attorney General’s office may not pursue a double jeopardy civil suit. (1798.199.90 (d))
At the time of this writing, many CCPA non-compliance notices have been filed, but the Attorney General has yet to levy any fines—at least none that have become public record.
While CCPA compliance requirements include thousands of companies, they don’t include every organization in California. The regulation excludes nonprofits and businesses under existing federal privacy laws, including:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Fair Credit Reporting Act (FCRA)
- Personal info under the Driver’s Privacy Protection Act
The CCPA also excludes any company that doesn’t do business in the state of California.
Important CCPA/CPRA definitions
The CCPA/CPRA applies specific definitions to common words, so we’ve compiled some of the most important below.
A consumer is any individual in California for non-temporary and non-transitory reasons, including California residents traveling outside the state who plan to return.
The CPRA, like most privacy laws, defines business in a very specific way. Businesses must be for-profit entities, selling goods or services in California, and meeting one or more of the following criteria:
- Gross annual revenue of at least $25 million
- Buys, sells, or shares the personal data of at least 100,000 consumers
- Makes at least half of its revenue from selling data
A business must inform consumers that they use and sell personal data, and provide an easily accessible link that will allow consumers to opt-out.
Personal information is anything that might identify an individual or household. The CCPA defines personal information as:
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Keep in mind that personal information does not include information that's been “de-identified.” De-identified information has been stripped of identifying aspects so that businesses can use it safely. To count as de-identified information, the data cannot be re-identified later and businesses must have prevention procedures in place.
Sensitive personal information
Sensitive personal information (SPI) is a designation, added by the CPRA, that builds on the concept of personal information. SPI includes:
- Driver’s license and social security numbers
- Log-in information for financial accounts
- Credit and debit card numbers
- Geolocation data
- Data on a consumer’s religion, ethnicity, or race
- A consumer's mail, email, or texts
- Biometric and genetic data
- Data about a consumer's sexual orientation or health
Processing refers to the collection, possession, or handling of consumer data, both manual and automated. Collecting data through a form and tracking cookies are two common forms of data processing.
Third parties, which are subject to the CCPA/CPRA’s third-party regulations, are any external organizations that collect, store, or process data on behalf of another business.
Consumer rights provided by the CCPA
California tends to lead the way in consumer rights, and the CCPA is no exception—creating a broad spectrum of new data rights and protections.
Right to know
Consumers have the right to know what data and categories of data a business is collecting on them. They also have the right to know how that data is being collected and how it’s being used by both the business and any third parties.
Right to access
Consumers have the right to request access to any personal data a business has collected.
Right to erasure
Businesses must delete a consumer's data upon request, as long as the consumer's identity can be verified. In addition, the business must direct any vendors and other service providers to do the same.
Right to opt-out
At any time, a consumer has the right to tell a business that sells their personal information not to do so.
Right to equal service and price
Consumers must be able to exercise their data rights without facing penalties from the business. This means that, regardless of a consumer’s opt-out status, the business may not deny service, charge a higher price, or suggest that price or quality of service depends on opt-out status.
However, businesses may offer a bonus or other incentive in exchange for a consumer’s personal information.
CPRA vs CCPA
While the CCPA was California's first landmark privacy law, businesses must also consider the California Privacy Rights Act (CPRA). Passed in 2020, the CPRA amended the CCPA—expanding consumer rights, adding the sensitive personal information data designation, removing the 30 day cure period, and more.
Expanded privacy rights for consumers
The CPRA has the same intent as the CCPA, protecting consumer data privacy in California, but goes even further. Under the CPRA, consumers were given four net new data rights:
- Right to correction
- Right to limit sensitive personal information
- Right to access information about automated decision making
- Right to opt-out of automated decision making
The CPRA also expanded the rights to know, opt-out, and delete, which already existed under the CCPA.
New category of protected data
The CPRA extends legal protection to any “sensitive personal information” (SPI). A broader category than the CCPA's personal data designation, all of the following are considered SPI:
- Social Security numbers
- Driver’s license numbers
- State ID card numbers
- Passport numbers
- Account logins and passwords
- Precise geolocation
- Racial and ethnic origins
- Religious and philosophical beliefs
- Union membership status
- Contents of mail, email, and text not sent to the business
- Genetic data
- Health records
- Sex life details
- Sexual orientation
Increased data processing threshold
Before CPRA, a business processing data for 50,000 or more consumers fell under the CCPA's scope. The CPRA doubled this number—increasing the threshold to 100,000 consumers.
This means that, under the CPRA, many smaller CA businesses may end up being exempt. However, the other scope criteria still apply, so make sure to consider them as well.
Elimination of the automatic 30 day cure period
Under the CCPA, businesses automatically had 30 days to address or "cure" a violation after receiving notice. The CPRA made the cure period discretionary, meaning it will only be provided on a case-by-case basis by the California Privacy Protection Agency.
Establishment of the California Privacy Protection Agency
The CPRA created the California Privacy Protection Agency (CPPA), which is tasked with creating and enforcing California's growing set of privacy and data protection laws.
CCPA violators can be fined up to $2,500 for unintentional incidents and up to $7,500 for intentional refusal to comply. These fines can be applied per person or household without limit; while a single fine may seem rather small, at scale they're quite significant.
Tech giants and large enterprises process data in massive quantities, so a per-person infraction can add up to millions or even hundreds of millions of dollars.
Take the 2017 Equifax breach, which involved the data of 15 million CA residents. If the breach occurred under the CCPA, it would have resulted in $1.5 billion in fines.
That said, despite multiple violations recorded with the California Attorney General (AG), public records reflect no CCPA fines to date.
30 day cure period
The CCPA mandates that businesses receive a 30-day notice of violation before the Attorney General's office takes action. Until January 1, 2023, this means businesses will automatically be given time to resolve and rectify the violation before being fined.
However, as the CPRA removed the automatic 30 day cure period, this won't be an option for much longer. The cure period will still be available at the CPPA's discretion; however, a business shouldn't rely on this as a buffer against fines.
7 steps to ensure CCPA compliance
At the start, CCPA compliance may feel like a daunting task, but the checklist below will give you a good idea of what's necessary and where to start.
At its core, complying with CCPA means respecting consumer rights by promptly responding to data requests, honoring requests for opt-out, and securing all personal and/or sensitive data held by your company. But, of course, it's easier said than done.
CCPA compliance requires in-depth knowledge of your data and data systems. You'll also need tools and processes, sometimes called privacy infrastructure, that can scale with new data, new legislation, and consumer requests.
Aside from your own compliance, it's also critical that you ensure compliance among any third-party data processors with whom you have a contract. If they're processing your customers' personal data, you're on the hook.
1. Identify and map sensitive data across all systems
Understanding what data you collect and hold, as well as how it's being used is a critical part of CCPA (or any privacy law) compliance.
This process, often called data mapping, will help your organization fulfill consumer requests for access or deletion, identify risky data processing, and track down affected data in the event of a breach.
Though data mapping isn't required by the CCPA, it's key to fulfilling many of the obligations the CCPA places on businesses.
2. Use an automated privacy tool for responding to consumer data requests
Responding to consumer requests for data access, correction, or deletion sounds relatively simple, at first. But fulfilling privacy requests means first knowing where to find the relevant data (part of why an up-to-date data map is so important), and then collating, packaging, and transmitting the data you find.
Without the right privacy infrastructure, this process quickly starts to eat into your team's time. More than that, manual request fulfillment opens the door to human error and security vulnerabilities.
Even if you don't adopt automated privacy software, it's best to define the data request fulfillment process before requests start pouring in, smoothing inefficiencies where possible and automating what you can.
3. Implement an identity verification system
One key part of data request fulfillment, one that deserves its own call-out, is identity verification.
Imagine responding to a data request, for example by sending an enormous data file containing a consumer's personal information (which can include credit card info, a social security number, or even sensitive health data), only to realize after the fact that the data was sent to the wrong person.
Whether a simple accident or the result of a scam, this scenario is a big risk for any privacy program. Implementing an identity verification system, such as two-factor authentication, is critical to ensuring request validity and personal data security (which, if you remember, is an explicit CCPA requirement).
Organizations are both allowed and expected to verify a consumer's identity before fulfilling a request, so setting up a system to support this process is key.
Though an automated identity verification system isn't required, it can ease the burden on both your organization and the consumer, and is baked into many privacy request fulfillment platforms.
4. Update your privacy policy
Under the CCPA, a business's privacy policy must include:
- A description of consumer rights under the CCPA
- The commercial and business reasons for collecting information
- Types of personal information sold or disclosed in the last 12 months
- Types of third parties with whom personal information is shared
- A link that allows the customer to opt out of information sale
- A description of any financial incentives for providing data, such as a discount
- Two or more designated measures for submitting information requests
- Details on how to exercise consumer rights, including the verification process
Privacy policies must be easy to find, read, and understand. So do your best to drop the legalese wherever possible, opting instead for clear, even conversational, language.
5. Add a "Do not sell my information" link on your homepage
The CCPA requires that companies allow consumers to opt-out of the sale of their personal data. This means companies under the CCPA must provide a clear and conspicuous "Do not sell my personal information" link on their homepage. Most companies choose to put this link in the footer menu.
We should note too that, under the CPRA, the law was expanded to include data sharing, meaning that if consumer data changes hands for the purpose of targeted advertising, even if no money is exchanged, the consumer must be given the option to say no.
In practical terms, this means that once the CPRA goes into effect on Jan 1, 2023, these links must be updated to reflect opt-out of data sharing as well as data sale.
6. Obtain consent from minors age 13 to 16
The majority of CCPA requirements follow an opt-out consent regime, meaning organizations can process data without consent but must provide an option to opt-out at any point. However, the rules for minors age 13 to 16 are different.
Minors under the CCPA are protected by an opt-in consent regime, meaning organizations must obtain consent before selling or sharing personal information. Minors between 13 and 16 may opt in on their own behalf, while for minors under 13 opt-in must come from a parent or legal guardian.
Minors that opt-in must also have the option to opt-out if they change their mind after the fact.
7. Audit and address security vulnerabilities
Although it’s already a best practice, the need for proactive cybersecurity has never been higher. The CPRA requires annual cybersecurity audits and risk assessments, though specific guidelines are still being determined.
Despite this, guidance across all the privacy laws is fairly consistent: companies must make a concerted effort to protect and secure personal data within their possession. In the event of a breach, if there are clear security vulnerabilities that should've been addressed, a company will likely be seen as in violation of its CPRA responsibilities.
The CPRA also allows a private right of action (meaning a consumer can sue on their own behalf) for security breaches involving specific types of sensitive personal information.
No other US state privacy law allows a private right of action under any circumstance, so that alone should reflect the CPRA's serious stance on information security.
Transcend is the privacy platform that makes it easy to encode privacy across your tech stack. Our mission is to make it simple for companies to give their users control of their data.