With the start of 2020 comes the enactment of a new piece of legislation called the California Consumer Privacy Act, or CCPA for short. The law has left many companies confused and unsure how to get started on their CCPA compliance efforts. So, to help make sense of the law, we’re tackling the list of CCPA frequently asked questions.
Just know that the information below is not legal advice and should not be considered as such. It’s always best to consult with your security and legal teams to make sure you are protected.
CCPA Frequently Asked Questions
What is the CCPA?
The CCPA is a law passed in the State of California in 2018 that protects the personal information of California consumers. It does so by placing requirements on businesses that collect, share, or sell the personal information of California residents.
Further, the CCPA provides specific rights to California residents that include the right to disclosure, deletion, data portability, as well as allowing them to opt-out of having their personal information sold.
FURTHER READING: What Is The California Consumer Privacy Act?
When Does The CCPA Take Effect?
The CCPA officially went into effect on January 1st, 2020, and its obligations on businesses apply from that date. The Attorney General, however, may not bring an enforcement action before July 1st, 2020, so companies that must become CCPA compliant have until then before enforcement begins.
The CCPA states:
“The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”
–California Consumer Privacy Act
FURTHER READING: When Does The CCPA Take Effect?
Does The CCPA Affect My Business?
It depends. If your company is a for-profit business that does business in California, collects personal information from California residents, AND meets one or more of the three thresholds listed below, you will need to be CCPA compliant:
- Has annual gross revenues above $25M
- Annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices
- Derives fifty percent or more of its annual revenue from selling California residents’ personal information
Read more about the basic rules on the Jackson|Lewis group website.
If My Company Isn’t Located In California Do I Still Need To Comply?
Yes. The CCPA applies to any business that does business in California and falls within the thresholds outlined in the question above, regardless of where that business is headquartered or incorporated.
This article in Forbes warns all businesses to inform themselves of the CCPA requirements.
Does The CCPA Apply To Nonprofits?
Maybe. This one is a bit complicated.
Nate A. Garhart of the law firm, Farella, Braun, & Martel explains it this way: “By its express provisions, the CCPA generally does not apply to nonprofit entities.”
That said, Garhart goes on to explain that the CCPA would still apply to, or be directly relevant for, a nonprofit that meets any of the following conditions:
- Is controlled by or is in control of a for-profit entity that is subject to the CCPA
- Operates and does business using a brand name it shares with a for-profit company (such as a co-branded corporate foundation)
- Is involved in a joint-venture with a CCPA covered for-profit entity
- Is part of a contract or contracts with an entity involving an agreement which requires CCPA compliance
RKD Group also wrote a detailed outline regarding what the CCPA means for nonprofits. You can read their take on it in their blog post, How does CCPA affect nonprofits?
Learn more about California Consumer Privacy Act (CCPA) exemptions.
My Company Is A B2B Company, Not a B2C Company, Do I Still Need To Comply?
Yes, don’t be deceived by the word “consumer” in the title of the CCPA. A “consumer” under the law is simply a California resident, so a B2B company that holds personal information about individuals (its employees and job applicants, or the business contacts at its customers and vendors) is still covered if it meets the thresholds above.
According to the Info Law Group, some exceptions may apply thanks to a business-to-business exemption that was added to the legislation in 2019. That being said, this exception is set to auto-expire at the end of 2020.
How Does The CCPA Define “Consumer”?
The answer to this CCPA frequently asked question seems a little vague, thanks in part to the way it is described in the law. In SEC. 9. Section 1798.140(g), the CCPA officially defines a “consumer” as:
“‘Consumer’ means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.”
Section 17014, which is referenced in the CCPA excerpt above, defines a California resident as:
- every individual who is in the State for other than a temporary or transitory purpose
- every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose
All other individuals are nonresidents.
LEARN MORE: Arsen Kourinian of McGuireWoods LLP has a short blog post which further explains how the CCPA determines who and what is considered a “consumer”. You can read his blog post here.
FURTHER READING: Who Must Be CCPA Compliant? Does It Apply To Me?
What Kind Of Personal Information Is Protected Under The CCPA?
The language of the CCPA lists which types of personal data are protected. The law states: “‘Personal information’ means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Some of the most commonly collected types of personal information include:
- Names and aliases
- Physical addresses and email addresses
- Telephone number
- Driver’s license and passport numbers
- Education and employment history
- Internet search and browsing history
However, the list above is far from comprehensive. It is highly recommended that companies read the full definition in Section 1798.140(o) of the CCPA, which also cross-references subdivision (e) of Section 1798.80 of the Civil Code, to educate themselves on what is and what is not considered personal information under the legislation.
SixFifty also published a more digestible read on what the CCPA defines as “Personal Information” in this blog post.
What Are The Biggest CCPA Requirements My Business Must Be In Compliance With?
First, you should ensure you and your company’s partners, employees, and contractors are aware of the CCPA and all that it requires. One slight oversight of a requirement could mean you are not compliant. There simply are no shortcuts around being fully informed.
That being said, there are some requirements that seem to be at the forefront of the conversation. The Business News Daily offers an insightful look at some of the rights and requirements which include, but are not limited to the following:
- The Right To Know: Under the CCPA, businesses are required to disclose, at or before the point of collection, the categories of personal information they collect and the purposes for which that information will be used.
- Privacy Policy: Your privacy policy will almost certainly need to be updated to reflect changes brought about by the CCPA. Among other items, it will need to disclose consumers’ privacy rights and the categories of personal information you collect, sell, and disclose.
- Provide Certain Rights: Companies must provide consumers the rights listed in the CCPA. These include the rights to access, deletion, and data portability, the right to opt out of the sale of personal information, and, for consumers under 16, opt-in consent before any sale.
FURTHER READING: How To Prepare To Be CCPA Compliant
Are There Exceptions From CCPA?
Yes, but they don’t apply to all companies, and in most cases a company that benefits from an exception will still need to be CCPA compliant in other ways.
There are also exceptions to specific consumer privacy rights in the CCPA. For example, a business is not required to delete personal information that it needs in order to:
- Complete the transaction, or perform the contract, for which the information was collected
- Detect security incidents, or protect against malicious, deceptive, fraudulent, or illegal activity
- Conduct public or peer-reviewed scientific, historical, or statistical research in the public interest
- …and so on
If My Company Is GDPR Compliant, Are We Also CCPA Compliant?
No. This is another of those CCPA frequently asked questions that can be confusing given the similarities between the two. While the two are similar in goals, they are also different in some ways. Do not assume that because your company is already GDPR compliant, you are off the hook for CCPA compliance updates.
Visit The International Association of Privacy Professionals (IAPP) to get their expert take on the differences between the GDPR and CCPA.
Lydia de la Torre, CIPP/US writes on the IAPP blog that:
“Although the CCPA incorporates some concepts that data protection professionals are familiar with, it is not modeled after the GDPR. Thus, compliance with the GDPR does not equate compliance with the CCPA. This article compares the scope and main features of both laws.“
–GDPR matchup: The California Consumer Privacy Act 2018; IAPP
You can also listen to web conferences produced by the IAPP on this very topic:
- U.S. Privacy: The California Consumer Privacy Act and the GDPR – Overlaps and Gaps to Consider in Your Harmonized Privacy Program
- How to Modify Your GDPR SAR Practices for CCPA Requests
What Are The Security Requirements Named In The CCPA?
Unfortunately, they are a bit ambiguous. The CCPA does not spell out specific security controls. What it does do, in Section 1798.150, is give consumers a private right of action when their nonencrypted and nonredacted personal information is breached as a result of a business’s failure to implement and maintain “reasonable security procedures and practices.” We suggest working with security experts and attorneys to make sure the personal information you are collecting is as secure as possible.
Shahryar Shaghaghi, MSc, Principal, Cybersecurity and Privacy National Leader, for Cohn Reznick offers his insight in a blog post titled: The CCPA requires ‘reasonable security.’ What exactly does that mean?
In his article, Shaghaghi points to the Center for Internet Security’s 20 CIS Controls as a baseline standard, noting that the California Attorney General’s 2016 Data Breach Report described them as a minimum level of information security that organizations handling personal information should meet, and failure to implement the applicable controls as a lack of reasonable security.
How Do I Begin Becoming CCPA Compliant?
TechBeacon answers this CCPA frequently asked question with some steps you can take to begin your CCPA compliance project. They suggest:
- First, perform a readiness assessment
- Evaluate your data inventory as well as your record-keeping workflow
- Ensure you have a CCPA compliant procedure for receiving, verifying, and responding to consumer requests (access, deletion, and opt-out)
- Train your employees on CCPA privacy requirements
- Make improvements to your online presence, such as an updated privacy policy and a “Do Not Sell My Personal Information” link, to showcase your dedication to becoming CCPA compliant
Additionally, you should also read the bill yourself. You can find it here on the California Legislative Information website. We recommend writing down any questions you may think of as you read through the bill then consult with your legal counsel for answers. They will also be able to assist you in implementing the correct changes to become CCPA compliant.
You should also set up a plan for continuous education as the law will likely be amended and changes made to it.
What Are The Consequences Of Violating This Law?
Companies found in violation of the CCPA face civil penalties, in actions brought by the Attorney General, of up to $2,500 per violation or up to $7,500 per intentional violation. Separately, consumers whose personal information is breached because of a business’s failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
There are some stipulations however. As the IAPP explains: “enterprises have 30 days after receiving notice of noncompliance from the California Attorney General’s office to cure it, and only thereafter are they subject to an enforcement action for violating the law.” You can read their more comprehensive explanation here.
My Company Is Not Required To Be CCPA Compliant, Is There Anything I Should Know Anyway?
Yes and no. While you may not technically be required to become CCPA compliant, in some instances you may want to consider doing so anyway.
As the law firm Fox Rothschild explains it, even small businesses that are not directly covered under the CCPA should be aware of it, especially if you are growing and have reason to believe you’ll need to be compliant later on down the road. It will be much easier (and likely less expensive) to become compliant now than later.
Another consideration applies to companies that provide services to people or other companies which do business in California. Fox Rothschild makes the point that in order for them to do business with your company, “you will need to show that YOU can process data in a way that allows them to comply with THEIR obligations under the CCPA.”
CCPA Compliance Best Practices
As we’ve mentioned, the information above should be supplemented with your own independent research and verified with your legal counsel before taking action. We’ve provided it as a baseline to get you started in your search for answers to all your CCPA frequently asked questions. It should not be considered legal advice.
And, speaking of legal advice, we recommend you read the CCPA for yourself on the California Legislative Information website. There you will be able to find the most updated version of the bill. As you’re reading the bill, keep a notepad handy to write down any questions you have then present those questions in a consultation with your legal and security teams.
Remember, the CCPA is subject to changes and amendments as time goes by. Build a continuing education aspect into your plan. Check for amendments regularly, or assign someone within your organization the responsibility to do so.
Lastly, if a web redesign is part of your CCPA compliance mission, reach out to 3 Media Web to learn how we can help.