CCPA Compliance 101: Everything You Need to Know

Anthony Gagliardi, Compliance Manager
May 10, 2022


In 2018, California passed one of the strictest data privacy laws ever enacted—the California Consumer Privacy Act, or CCPA. 

In the ‘90s, internet users may not have given data privacy a second thought. However, 30 years later, consumers have become savvier about the risks associated with sharing personal data such as addresses, credit card information, and even political affiliations and educational history. 

The rise of data leaks hasn’t helped either. In 2018, we saw data leaks from companies like Google, Facebook, T-Mobile, and Marriott. These leaks compromised the privacy of millions of people globally. 

In response to that consumer interest, privacy advocates qualified a consumer privacy ballot initiative for the November 2018 California election. Rather than let the measure go to the voters, the legislature negotiated and passed AB 375, the California Consumer Privacy Act, which Governor Brown signed on June 28, 2018; the initiative was then withdrawn. CCPA holds businesses accountable for how they inform and empower their customers to control their data. The law took effect on January 1, 2020, and the Attorney General began enforcing it on July 1, 2020. (Californians did later vote on privacy: Proposition 24, the California Privacy Rights Act, passed in November 2020 and amends the CCPA.)

In the following article, we’ll explain CCPA, the rights it gives to consumers, and how businesses need to respond to stay safe and compliant. 

What is CCPA? 

CCPA gives consumers a range of rights over their personal information and over how businesses collect, use, and share it. One of these rights is the ability to request that their personal data be deleted.

CCPA also establishes a set of guidelines for businesses to implement and remain compliant with the law. 

Consumer Rights

The hallmark of CCPA is that it places control of personal data back in the hands of consumers, and it is primarily focused on transparency. Many consumers are willing to let companies share their data, but CCPA ensures that they know when their data is being sold or shared and that they can opt out of that sale at any time.

CCPA ensures that consumers have the right to:

  • Know what personal information (PI) a business collects about them, how and why it is collected, and with whom it is sold or shared.
  • Delete PI that has been collected from them (subject to a list of statutory exceptions, such as completing a transaction or complying with a legal obligation).
  • Opt out of the sale of their PI.
  • Not be discriminated against for exercising their CCPA rights.

To ensure these rights for consumers, businesses must comply with a certain set of regulations.

Business Obligations

As mentioned above, the primary tenet of CCPA is to provide transparency. 

Qualifying businesses must give consumers notice at or before the point of collection, stating which categories of PI they collect and for what purposes. They must clearly describe consumer rights, typically in a privacy policy, and provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information” that lets consumers opt out of the sale of their PI. A link in the site footer is the usual implementation.

Businesses must also confirm receipt of a consumer request within 10 business days, respond substantively within 45 days (extendable once by a further 45 days when reasonably necessary, provided the consumer is told), and keep a record of those requests and responses for at least 24 months.

Finally, a business that offers a financial incentive (a discount, reward, or other price or service difference) in exchange for collecting, selling, or retaining consumers’ PI must disclose the material terms of that program in a notice of financial incentive, including a good-faith estimate of how it values the consumer’s data.

To understand the obligations in detail, here’s a list of CCPA regulations.

Penalties

The Attorney General can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, for any breach of the law, not only for mishandled consumer requests. Under the original statute a business had to be notified of the alleged violation and given 30 days to cure it before penalties applied. Separately, if a data breach results from a business’s failure to maintain reasonable security, affected consumers have a private right of action and can recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.

Frequently Asked Questions

Becoming CCPA-compliant can feel overwhelming, and not only for California-based businesses: the law applies to any qualifying business that collects Californians’ data, wherever it is located. Many companies were woefully unprepared for the new law. In 2019, fewer than 10% of qualifying companies were estimated to be sufficiently prepared for CCPA.

To become compliant, businesses can start by asking these basic questions about the privacy protection law. 

Does CCPA Apply to My Business? 

CCPA has explicit applicability requirements, so it’s important to determine whether your business qualifies as a candidate. 

If your company is a for-profit entity that does business in California AND you answer “yes” to any of the following questions, then your business must meet CCPA requirements.

  • Do you have annual gross revenue of more than $25 million?
  • Do you buy, sell, receive, or share the PI of 50,000 or more California consumers, households, or devices per year for commercial purposes?
  • Is 50% or more of your annual revenue derived from selling consumers’ PI?

If you answered “no” to all of these questions or do not do business in California, then your organization is generally not required to adhere to CCPA. One caveat: an entity that controls, or is controlled by, a qualifying business and shares common branding with it is itself treated as a “business” under the law, so subsidiaries and affiliates cannot rely on their own numbers alone.

Even if CCPA is not explicitly required for your organization, adhering to CCPA may be a good business decision to demonstrate your company’s commitments to privacy.

How is Personal Information Defined Under CCPA?

Personal information, or PI, is information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

That can range from basic contact information and household addresses to purchasing and browsing history, geolocation, and inferences drawn from any of it. PI spans everything from sensitive data, such as Social Security numbers, to something as innocuous as age. It does not include publicly available information lawfully obtained from government records, or data that has been deidentified or aggregated.

How Does CCPA Differ From GDPR?

Though CCPA has been referred to as the “GDPR of California,” the two laws are different. GDPR, or General Data Protection Regulation, protects the personal data of individuals located in the European Union, regardless of their citizenship.

GDPR is different from CCPA in that:

  • GDPR protects individuals only; CCPA protects individuals and households.
  • GDPR is broader in scope and applies to more businesses, including non-profits and small organizations that would fall under CCPA’s thresholds.
  • GDPR requires a lawful basis (often consent) before personal data is processed, an opt-in model. CCPA permits collection and sale by default and gives consumers the right to opt out of sale, except that consumers under 16 must opt in (with parental consent for those under 13).

Although companies that are already GDPR-compliant may have an advantage when it comes to CCPA, these key differences should be noted.

What is a Third Party Under CCPA? 

To be compliant with CCPA, you’ll need to understand how a third party is defined. Under the statute, a third party is any person or organization that is neither the business that collects PI from consumers nor a service provider, that is, an entity to which the business discloses PI for a business purpose under a written contract that restricts how the PI may be used.

In other words, service providers are specifically not third parties. That distinction matters because disclosing PI to a service provider under a qualifying contract is not a “sale,” whereas disclosing it to a third party for valuable consideration generally is, and triggers the opt-out obligations described above.

To remain compliant, businesses must have the right contract terms in place: a service provider agreement must prohibit the provider from retaining, using, or disclosing the PI for any purpose other than performing the contracted services. Businesses should also vet both service providers and third parties, since a business that knew, or had reason to believe, that a recipient intended to violate CCPA can be held responsible for that violation.

Resources

Here are some helpful resources for continuing to maintain CCPA compliance. 

New data privacy laws like CCPA may be complex, but they don’t have to represent a massive headache. Using a tool to help you monitor compliance on an ongoing basis helps you and your customers to stay safe—and helps you avoid legal fines and reputation damage. To learn more about how Drata can help you remain compliant with various frameworks and regulations, schedule a demo with our team.
