What is CCPA?


The CCPA, short for the California Consumer Privacy Act, is a state law designed to give California residents greater control over the personal data collected by websites and businesses.

Issued in 2018, the CCPA is intended to strengthen consumer rights and protection.

The CCPA grants consumers the right to know which data is being collected, to request its deletion, and to opt out of having their personal information sold by companies or websites.

Key Takeaways:
  • Data, Rights, and Control: Under the CCPA, Californians have rights to access and manage their personal data.
  • Websites Should Comply: Keep your website aligned with CCPA to avoid legal disputes and build consumer trust.

What is considered personal information and sensitive personal information under the CCPA?

The CCPA broadly defines “personal information” as any data that identifies, describes, or could reasonably be linked to a consumer or household. This expansive definition encompasses many kinds of information, from names and email addresses to browsing histories, geolocation data, and geospatial data.

At its core, data protection aims to safeguard any information that can potentially be used to identify or track an individual.

Examples:

Standard forms of personal data collected include names, email addresses, VAT numbers, driver’s license numbers, bank account numbers, and biometric information.

Pro Tip:
If you reside in California, it’s important to know your rights under the CCPA and to exercise them proactively to safeguard your privacy.

What are the requirements for CCPA?

For-profit businesses operating within California fall under the purview of the CCPA if they meet at least one of these criteria:

  • Have annual revenues surpassing $25 million.

  • Handle (e.g., purchase, receive, sell, or share) the personal data of over 50,000 consumers, households, or devices.

  • Earn 50% or more of annual revenue by selling consumers’ personal information.

These measures apply to businesses that collect and use significant amounts of sensitive data, particularly those that profit by selling it.

  • Exemptions: There are certain exceptions to the California Consumer Privacy Act (CCPA), such as for data protected under other laws (for example, health information covered by HIPAA) or for specific business activities (e.g., research).

  • Non-profits: Non-profit organizations typically are exempt from the CCPA.

What are the benefits of CCPA for consumers?

Consumers in California are covered in several ways by the CCPA, including:

  • Right to Know: Individuals have the right to ask what personal data a business has collected about them.

  • Right to Delete: Consumers can request that a business delete any personal data it holds about them.

  • Right to Opt-Out: Consumers can opt out of having their personal information sold by businesses.

  • Non-Discrimination: Businesses cannot discriminate against consumers who exercise their CCPA rights.

These rights enable customers to have control over their personal information and its usage by businesses.

Deep Dive:
Financial incentives: Websites may offer financial incentives (like discounts) in exchange for collecting personal data, but they must disclose these offers clearly to their clients and obtain consent before doing so.

Minors: The California Consumer Privacy Act provides extra safeguards for children under 13, requiring websites to obtain parental approval before selling the personal information of those aged 13 or younger.

What can I do if I think a business violated the CCPA?

The CCPA protects consumers’ rights when businesses violate them. If you believe a business has infringed upon yours, you can file a formal complaint with the California Attorney General’s Office.

The Attorney General’s office is charged with upholding the California Consumer Privacy Act and can investigate complaints and take legal action against businesses that break its terms.

  • Private right of action: In certain instances, you may also be eligible to file a civil suit against a company for violations of the CCPA, such as data breaches resulting from inadequate security practices.

  • 30-day cure period: Businesses have 30 days from receiving notice of potential violations before legal action can be taken against them.

Pro Tip:
Keep records of your interactions with businesses concerning your personal information in case it becomes necessary to file a formal complaint.

Are there any limitations to CCPA?

The California Consumer Privacy Act, although an impressive advancement for consumer rights, still has weaknesses:

  • Business size: The CCPA only applies to businesses meeting specific criteria (annual revenue, amount of data handled, or revenue from data sales), which excludes smaller enterprises.

  • Data types: Not all personal data is equally protected; the CCPA offers stronger measures to safeguard “sensitive personal information”.

  • Exceptions: There are exceptions to CCPA requirements, such as data collected for fraud prevention or legal reasons.

  • State-specific: California residents are the only ones who are protected by CCPA. 

Even with its limitations, the CCPA enables customers to have more control over their data.

How does CCPA compare to other privacy laws like GDPR?

Both the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are widely known privacy laws; however, there are key distinctions between them.

  • Protection Scope: GDPR protects all EU residents while the CCPA only offers protections to California residents.  

  • Consent: GDPR explicitly requires consent before data collection, while the CCPA emphasizes the right to opt out of data sales.

  • Data types: GDPR contains more stringent provisions for handling sensitive personal data, such as health records, than the CCPA does.

  • Enforcement: GDPR applies higher fines and stricter enforcement mechanisms than the CCPA, which depends on the California Attorney General’s office.

  • Global reach: Though both laws may apply to businesses outside their respective jurisdictions, GDPR is widely seen as having greater global implications due to Europe’s economic power.

The GDPR generally offers stronger and broader protections than the CCPA, as the latter is mostly US-oriented.

Pro Tip: 
If your business operates internationally, be mindful of both CCPA and GDPR requirements to stay compliant and avoid legal complications.

How can businesses ensure CCPA compliance?

Businesses can ensure CCPA compliance by taking several steps:

  • Data mapping: It’s important to track and conduct an inventory of all personal information that is requested, collected, utilized, and shared.

  • Privacy policy updates: Update privacy policies to meet California Consumer Privacy Act requirements.

  • Consumer request mechanisms: Establish strategies for responding to consumer requests for information, deletion, and opt-outs.

  • Vendor contracts: Check that contracts with third-party vendors include CCPA compliance clauses.

  • Employee training: Ensure your employees are knowledgeable about CCPA requirements and their responsibilities.

These are fundamental steps for any website to meet its legal obligations under the CCPA and avoid potential consequences such as fines or lawsuits.

Pro Tip:
Consult legal representation to ensure your business complies fully with the CCPA and other relevant privacy laws.

Conclusion

The CCPA represents an ambitious evolution in privacy regulation for California residents that could have far-reaching ramifications across the US and possibly even internationally. By giving individuals more control of their own information online, services could promote greater transparency and accountability in consumer-business relationships; however, its long-term effectiveness and wider implications, both domestically and abroad, remain unknown at present.
