You’ve probably heard of it, but just what is CCPA compliance? The California Consumer Privacy Act, or CCPA, was passed in the state of California in 2018. Per the state’s Department of Justice, the CCPA “gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.”
The law primarily does these things by putting the burden of compliance on businesses, marketers, and other entities that are customer-facing.
What is CCPA Compliance?
“CCPA compliance means adhering to guidelines that give California consumers greater control over their personal data,” explains Loris Petro, marketing strategy lead and digital marketing manager at Kratom Earth. Essentially, it requires businesses to be transparent about the information that they collect, how it’s used, and who it’s shared with.
Does the CCPA Apply to Your Business?
If you do business in California, whether in person or via the internet, then yes, the CCPA likely applies to you — and yes, that can be a burden. “This regulation can hinder businesses who want to rely on, or are heavily relying on data-driven marketing,” says Matthew Franzyshen, business development manager at Ascendant Technologies Inc. “It can limit how targeted and personalized marketing strategies can be, which can reduce how effective they are. Also, micro and small businesses might feel the burden of complying with this regulation, since they may lack the resources necessary to navigate its complexities.”
There are a few thresholds, though, below which the CCPA may not apply to for-profit entities with operations in California. You may be CCPA-exempt if your business:
- Has annual revenues below $25 million.
- Buys, sells, or shares the personal data of fewer than 100,000 California residents per year.
- Does not derive more than 50% of its profits from selling personal information.
Who and What Does the CCPA Protect?
The CCPA protects the personal information of California residents. It gives them the right to know what information businesses collect about them, the right to access their data, to request its deletion, and to opt out of the sale of their personal information, essentially safeguarding their privacy rights when they interact with companies doing business in California.
More specifically, the CCPA can help keep data such as names, email addresses, purchase and browsing history, location, and address information private and unavailable to businesses or marketers.
What Are the Penalties for Violating CCPA?
It’s important to know not just what CCPA compliance is, but what the penalties for CCPA violation are. These can vary based on many circumstances, but here are several to watch out for:
$2,500 Fine for Unintentional Breach
Businesses found to have unwittingly breached the CCPA may be subject to fines of up to $2,500 per infraction, though fines may be waived if the entity can undo its action within 30 days.
$7,500 Fine for Intentional Breach
Any company that knowingly breaches the CCPA can be fined $7,500 per breach, and there is no cap as to how many separate breaches can be met with fines.
Court Injunctions
A court finding a company in violation of the CCPA may issue injunctions targeting and limiting specific practices.
What Rights Do Consumers Have?
“This is a set of regulations that allow Californians to access their data, know how it’s used, and opt out of it being sold to third parties,” summarizes Franzyshen. The CCPA grants consumers many rights, including but not limited to:
Right to Know
California residents have the right to know if and when their data is being collected, why it’s being collected, and by whom.
Right to Delete
California consumers have the right to request their personal information be deleted from databases, removed from company archives, and generally discarded.
Right to Opt Out
People living in California have the right to opt out from their personal data being collected in the first place.
Right to Correct
Not everyone demands that companies delete their data, but all people want their personal information noted correctly. The CCPA requires companies to amend personal information as requested by its subject. Companies must maintain this information with care, says Petro, adding that, “Maintaining accurate records is a substantial requirement under the CCPA.”
CCPA Cookie Consent Requirements
This is another important facet of understanding what CCPA compliance is. Under the CCPA, cookie consent primarily operates on an “opt-out” system, meaning businesses do not need explicit consent for most cookie usage, but must provide a clear mechanism for users to opt out of the sale or sharing of their personal information collected through cookies. This includes disclosing what data is collected and how it’s used, and providing a “Do Not Sell or Share My Personal Information” link on their website to facilitate opt-out requests.
The Marketers CCPA Checklist
The “Marketers CCPA Checklist” is a comprehensive list of actions a marketer needs to take to ensure their company is compliant with the CCPA, which essentially means they must clearly inform California residents about how their personal data is collected, used, and shared, and provide them with the ability to access, delete, or opt out of its sale. The checklist includes points like:
Privacy Policy Updates
Companies and marketers must be sure to outline their data collection practices, how data is used, and the consumer’s privacy rights within the privacy policy.
Opt-Out Mechanisms
Organizations must offer a clear and accessible method for consumers to opt out of having their personal information sold to third parties.
Data Inventory
Marketers must clearly identify all personal information collected by the marketing team, including names, email addresses, browsing history, purchase data, and geolocation.
Key Takeaways
Remember the following when asked, “What is CCPA compliance?”
The California Consumer Privacy Act was passed to help protect the personal information of California residents and to help reduce the constant barrage of invasive advertising, political messaging, and other content that clutters mailboxes, inboxes, and videos in people’s lives.
This Act helps keep personal information private, limits who can see your past browsing history, and is generally a safeguard against corporate overreach.
The law restricts what companies can do and how they can do it, greatly changing how companies are allowed to store and leverage data. That can be a burden to companies, but it’s in the best interest of the people.
The CCPA need not be only a burden to marketers, though, says Petro. “It forces businesses to rethink their marketing strategies. Marketers need to prioritize collecting and using first-party data, which is gathered directly from their audience, such as through email sign-ups, loyalty programs, or purchase histories. First-party data is often more reliable.”
Frequently Asked Questions (FAQs)
What are the CCPA standards?
The CCPA standards, or California Consumer Privacy Act standards, are a set of regulations that require businesses operating in California to be transparent about how they collect, use, and share consumer personal information. They give California residents the right to access, delete, and opt out of the sale of their data upon request, essentially giving consumers more control over their personal information. They include the right to opt out, the right to know, the right to delete, and more.
How do you get CCPA-compliant?
Steps companies can take include:
- Updating privacy policies.
- Adding “do not sell” links.
- Granting requests for correction or deletion of data.
- Adding clear information about any data collection you’re doing.
What was the story before the CCPA?
It was the Wild West of personal information harvesting. Before the CCPA, the United States lacked comprehensive data privacy laws at the federal level, with piecemeal regulations like COPPA — protecting children’s online data — and state-specific breach notification laws as the only safeguards. Growing concerns about data collection and usage led to a push for stronger consumer privacy protections, paving the way for the CCPA as California’s first major attempt to address these issues on a statewide scale. Its passage has had national ramifications, given the state’s outsized influence.
What is the difference between CCPA and GDPR?
The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are both privacy laws that give individuals more control over their personal data. However, they differ in several ways. One is scope: the GDPR applies to any entity that processes the personal data of EU residents, while the CCPA applies to businesses that collect data from California residents. They also differ in jurisdiction, as the GDPR is a European regulation, and in how they define data. The GDPR defines personal data as any information that can be linked to an identifiable person, while the CCPA defines personal data as any information that can be linked to a consumer, household, or device.