What is CCPA?

The CCPA, or the California Consumer Privacy Act, is a comprehensive privacy law enacted in California. It grants consumers certain rights regarding the collection, use, and disclosure of their personal information by businesses. It requires businesses to provide clear and transparent disclosures about the personal information they collect, give consumers the option to opt out of the sale of their personal information, and allow them to access, delete, or correct their personal information upon request. Additionally, the CCPA imposes various obligations on businesses, such as implementing reasonable security measures and obtaining consent from minors before collecting their personal information.

Why was CCPA enacted?

The CCPA was enacted to enhance consumer privacy protections in California and give consumers more control over their personal information. It was designed to address concerns about the collection, use, and sharing of personal information by businesses, particularly in the digital realm. The CCPA aims to empower consumers by providing them with rights and choices related to their personal information, such as the right to know what personal information is collected and how it is used, the right to opt out of the sale of personal information, and the right to request the deletion of personal information. The CCPA also aims to hold businesses accountable for protecting consumer privacy and increasing transparency in their data practices. Overall, the CCPA reflects growing concerns about privacy in the digital age and seeks to provide greater privacy rights and protections for consumers in California.

What types of data are regulated by CCPA?

The California Consumer Privacy Act (CCPA) regulates several types of personal data to protect the privacy of California residents. Here are the main types of data covered by CCPA:

  • Personal Information: CCPA broadly defines personal information as any information that identifies, relates to, describes, or can be reasonably linked to a particular California consumer or household. This can include name, address, email address, social security number, internet browsing history, geolocation data, biometric information (e.g., fingerprints), and more.
  • Unique Identifiers: CCPA also covers unique identifiers, such as IP addresses, device IDs, and online handles or usernames, if they can be linked to an individual.
  • Commercial Information: Information related to a person’s purchasing or consuming behavior, including records of products or services purchased, obtained, or considered, as well as transaction history and payment data.
  • Internet or Network Activity: This category encompasses data regarding a consumer’s online interactions, including browsing history, search history, and information about a consumer’s interaction with websites, applications, or advertisements.
  • Inferences Drawn from Data: CCPA includes data derived from the above categories to create profiles or predictions about a person’s characteristics, preferences, behavior, and attitudes.

Who is subject to CCPA laws?

The California Consumer Privacy Act (CCPA) applies to a variety of businesses and organizations that meet certain criteria. Here’s an overview of who is subject to CCPA laws and the key business criteria:

  1. Businesses: CCPA primarily applies to businesses. Under CCPA, a “business” is defined as a for-profit entity that does business in California and meets one or more of the following criteria:
    • Has annual gross revenues of $25 million or more.
    • Buys, receives, or sells the personal information of 50,000 or more California consumers, households, or devices annually.
    • Derives 50% or more of its annual revenue from selling California consumers’ personal information.
  2. Service Providers: CCPA also applies to service providers that process personal information on behalf of covered businesses. Service providers are subject to certain contractual obligations but have limited rights to use the data for their own purposes.
  3. Third Parties: Businesses that receive personal information from covered businesses for business purposes must also comply with certain CCPA requirements. These third parties are expected to handle personal information responsibly and not use it for any purposes beyond what is specified in their agreements with the covered businesses.

CCPA enforcement & violations

Enforcement of the CCPA began on July 1, 2020, and there have been reported cases of violations and enforcement actions since then. The California Attorney General’s Office is responsible for enforcing the CCPA, and businesses that fail to comply with the law may face penalties, fines, and other consequences.

Non-compliance with the California Consumer Privacy Act (CCPA) can result in significant penalties and liabilities for businesses. The California Attorney General’s Office is empowered to enforce the CCPA and may impose fines and sanctions for violations of the law. The specific penalties for CCPA non-compliance can vary depending on the nature and severity of the violation, but may include:

  • Civil fines: The CCPA allows for civil fines of up to $2,500 per violation or up to $7,500 per intentional violation. These fines can add up quickly, especially in cases where a business has violated multiple provisions of the CCPA.
  • Private right of action: The CCPA grants consumers a private right of action in cases of certain data breaches resulting from a business’s failure to implement reasonable security measures. This can result in individual or class-action lawsuits, potentially leading to significant financial damages and legal costs for businesses found liable.
  • Injunctive relief: The California Attorney General may seek injunctive relief, which can require a business to stop certain data processing activities or take specific actions to come into compliance with the CCPA.
  • Reputational damage: Non-compliance with the CCPA can result in negative publicity, damage to a business’s reputation, and loss of customer trust, which can have long-term financial and operational impacts.
  • Remediation costs: Businesses may need to invest in additional resources, such as personnel, technology, and infrastructure, to come into compliance with the CCPA, which can result in additional costs.

CCPA violation examples

CCPA enforcement can result in fines and penalties for non-compliance, and organizations are expected to take data privacy regulations seriously to protect the rights of California residents.

  1. Zoom Video Communications, Inc.: In March 2020, Zoom faced scrutiny for allegedly violating the CCPA. The company was accused of not clearly disclosing how it collects and shares user data. Zoom later settled with the California Attorney General’s office, agreeing to improve its privacy and security practices.
  2. Zynga Inc.: In December 2020, the California Attorney General announced a settlement with Zynga, a mobile game developer. Zynga was alleged to have violated the CCPA by failing to adequately inform users about how their data was collected and shared. The settlement required Zynga to pay a fine and implement data privacy improvements.
  3. Salesforce: In June 2021, the nonprofit organization Californians for Consumer Privacy filed a complaint with the California Attorney General, accusing Salesforce of not complying with the CCPA. The complaint claimed that Salesforce did not honor user requests for data deletion, among other violations. Salesforce denied the allegations.

CPRA vs CCPA

CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act) are two data privacy laws enacted in California. Here’s a simple comparison:

  1. Scope: CCPA applies to businesses that meet certain criteria and handle personal information of California residents, while CPRA expands the scope to apply to businesses that exceed certain thresholds and process personal information of California residents on a larger scale.
  2. Definitions: CPRA introduces new definitions such as “sensitive personal information” and “sharing” that are not explicitly defined in CCPA.
  3. Consumer Rights: Both CCPA and CPRA grant similar consumer rights, such as the right to know, the right to delete, and the right to opt out of the sale of personal information. However, CPRA enhances some of these rights and introduces new ones, such as the right to correct inaccurate personal information and the right to limit the use of sensitive personal information.
  4. Businesses’ Obligations: CPRA introduces additional obligations for businesses, such as the requirement to implement reasonable security measures and conduct regular cybersecurity audits. It also introduces a new category of “service providers” with specific obligations.
  5. Enforcement: Both CCPA and CPRA grant enforcement powers to the California Attorney General’s Office, but CPRA also establishes a new California Privacy Protection Agency (CPPA) to enforce the law.
  6. Penalties: CCPA imposes fines for certain violations, while CPRA introduces higher fines for violations involving the personal information of minors and increases the potential fines for certain other violations.
  7. Private Right of Action: CCPA allows consumers to bring private lawsuits for certain data breaches, while CPRA expands the private right of action to cover additional types of data breaches and introduces a new opt-in requirement for businesses to share personal information.

GDPR vs CCPA

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two prominent privacy laws that have been enacted to protect consumer privacy rights. While they share some similarities, they also have key differences in their scope, requirements, and applicability.

  1. Scope: The GDPR is a comprehensive privacy law that applies to all businesses that process the personal data of individuals in the European Union (EU), regardless of their location. In contrast, the CCPA applies to businesses that collect personal information from California consumers and meet certain revenue or data collection thresholds, irrespective of their physical location.
  2. Consumer Rights: Both the GDPR and the CCPA grant certain rights to consumers regarding their personal information. These rights include the right to know what personal information is collected, the right to access, correct, and delete personal information, and the right to opt out of the sale of personal information. However, the CCPA also includes a private right of action for certain data breaches, allowing consumers to bring lawsuits against businesses for damages, while the GDPR does not explicitly provide for a private right of action.
  3. Consent Requirements: The GDPR requires that businesses obtain explicit consent from individuals before processing their personal data, with some exceptions. The CCPA, on the other hand, focuses on the right to opt out of the sale of personal information, rather than obtaining explicit consent for data processing.
  4. Data Transfer: The GDPR imposes strict requirements on the transfer of personal data to countries outside the EU, unless certain safeguards are in place. The CCPA does not have explicit provisions related to international data transfers.
  5. Enforcement and Penalties: The GDPR provides for substantial fines for non-compliance, with penalties of up to €20 million or 4% of the global annual revenue of the previous financial year, whichever is higher. The CCPA, on the other hand, provides for civil fines of up to $2,500 per violation or up to $7,500 per intentional violation, and grants a private right of action to consumers for certain data breaches.
  6. Business Obligations: Both the GDPR and the CCPA impose various obligations on businesses, such as maintaining proper security measures, providing clear privacy disclosures, and responding to consumer requests in a timely manner. However, the GDPR has more comprehensive requirements for data controllers and processors, including mandatory data protection impact assessments, appointment of data protection officers in certain cases, and adherence to specific legal bases for data processing.

CCPA employee rights

The California Consumer Privacy Act (CCPA) grants certain rights to employees in California with regard to their personal information. Here’s a simple explanation of CCPA employee rights:

  1. Right to Notice: Employees have the right to be informed about the categories of personal information that their employer collects and the purposes for which it is used at or before the point of collection.
  2. Right to Access: Employees have the right to request access to their personal information that is collected, used, disclosed, or sold by their employer. This includes the right to know the specific pieces of personal information collected and the categories of third parties with whom the information is shared.
  3. Right to Deletion: Employees have the right to request the deletion of their personal information that is collected or maintained by their employer, subject to certain exceptions, such as legal obligations or legitimate business purposes.
  4. Right to Opt-Out of Sale: Employees have the right to opt out of the sale of their personal information by their employer to third parties, if applicable.
  5. Right to Non-Discrimination: Employees have the right not to be discriminated against for exercising their rights under the CCPA. This means that employers cannot deny or restrict employment-related benefits, opportunities, or services to employees who exercise their CCPA rights.
  6. Right to Notice of Data Collection: Employees have the right to be notified about the categories of personal information that their employer collects, as well as the purposes for which the information is used, before or at the time of collection.
  7. Right to Correct Personal Information: Employees have the right to request the correction of inaccurate personal information collected by their employer, if applicable.

CCPA Checklist

Download the CCPA readiness checklist to break down 5 areas you need to cover in order to be CCPA compliant, including:

  1. Map and inventory customer data
  2. Automatically fulfill consumer data rights
  3. Update privacy policy & disclosure notifications
  4. Define breach thresholds & privacy team workflows for breach response
  5. Validate and test everything from access requests to data sharing to security policies

Achieve CCPA Compliance with BigID

BigID enables organizations to meet and manage CCPA requirements with an automated, scalable approach to discover, map, and manage personal information that falls under the CCPA. With BigID, organizations can:

Get a demo to see how BigID helps organizations get ahead of the CCPA – from DSAR fulfillment to third-party data sharing.