CCPA Compliance Guide: Requirements & Regulations

Today’s businesses invariably rely on consumer data to better understand who their customers are and to gain a competitive advantage. This data, which can include anything from basic demographical information to online browsing behaviors, is often used to enhance personalization on web properties and apps and to develop relevant products and services. Consumer data is also particularly valuable to marketers who use it for targeted advertising. But as consumers have become more aware of how much of their data is being collected, they have become understandably concerned about how that information is being used, shared and protected.

  • Overview
  • What is CCPA compliance?
  • What personal information does the CCPA regulate?
  • CCPA key consumer rights
  • Who must comply with the California Consumer Privacy Act (CCPA)?
  • How to become CCPA compliant: 6 requirements
  • CCPA noncompliance penalties
  • CCPA vs. GDPR: What’s the difference?
  • Conclusion
  • CCPA compliance FAQs
  • Resources

Overview

In 2018, California became the first state in the U.S. to introduce a comprehensive data privacy policy, the California Consumer Privacy Act (CCPA), designed to protect and enforce the rights of California residents regarding the privacy of their personal information. Today, there are 20 states with similar data privacy laws, but CCPA remains the most noteworthy, in part because of the large population of the state.

CCPA’s impact on businesses is growing. Protecting consumer data is not only the law, but as a rule it makes customers feel safer, strengthens their loyalty and safeguards your brand and reputation. In this article we’ll cover the regulations laid out by CCPA in greater detail, who needs to comply with it and why it’s essential for both consumers and businesses.

What is CCPA compliance?

The California Consumer Privacy Act went into effect in January 2020, requiring organizations to comply with a set of regulations that protect the data privacy rights of Californians. Created by the California Legislature, CCPA requires organizations to be transparent about how they collect and use consumer data. It also requires them to put stricter security measures in place to safeguard consumer data and implement processes for handling consumer requests regarding their personal information.

CCPA gives individuals the right to know how their personal information is being used, the right to opt out of the sale of their information, the right to delete any of that information, and the right to not be discriminated against for exercising these rights.

What personal information does the CCPA regulate?

The CCPA protects the personal information of California residents, including individuals, households, job candidates, employees, independent contractors and other business contacts. The policy defines personal information as "any data that identifies, relates to, or could reasonably be linked to you or your household, directly or indirectly." This includes:

  1. Name or nickname
  2. Email address
  3. Purchase history
  4. Browsing history
  5. Location data
  6. Employment data
  7. IP address
  8. Profiles businesses create about you, including pseudonymous profiles (like your user name)
  9. Other sensitive personal information, including:
    • Social Security, passport, driver’s license or state ID number
    • Financial account credentials
    • The consumer’s precise geolocation
    • Racial or ethnic origin, citizen or immigration status, religious or philosophical beliefs, or union membership
    • Contents of messages (e.g., emails, texts, chats) unless directed to the business
    • Genetic data
    • Biometrics (e.g., facial recognition)
    • Information concerning your health, sexual activity or sexual orientation

CCPA key consumer rights

To give California consumers more control over their private information, the CCPA outlined the following privacy rights:

  1. The right to know what data is collected
  2. The right to delete personal information
  3. The right to opt out of the sale of personal data
  4. The right to non-discrimination
  5. The right to data portability

In 2020, California voters approved an amendment to the CCPA that included additional protections, including:

  1. The right to correct inaccurate information
  2. The right to limit the use and disclosure of sensitive personal information collected about them

Who must comply with the California Consumer Privacy Act (CCPA)?

While any organization that collects data on California residents should confirm specific compliance regulations with the state, the CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have a gross annual revenue of at least $26,625,000
  • Buy, sell or share the personal information of 100,000 or more California residents, households or devices
  • Derive 50% or more of their annual revenue from selling California residents’ personal information

It is important to note that the California Consumer Privacy Act does not apply to government or nonprofit organizations — such as charities and educational institutions — because they are not considered "businesses" under the law. Nonprofits, however, must still comply with CCPA if they are:

  • Affiliated with a CCPA-regulated business, sharing personal information and branding
  • In a partnership or joint venture with at least a 40% interest from each business

How to become CCPA compliant: 6 requirements

If your business meets the criteria outlined above, here are some of the key requirements that must be met to become CCPA compliant:

1. Update privacy policies

Create an easily accessible privacy policy that clearly outlines what data is collected, the purpose for collecting it, and how customers can exercise their rights regarding their private information.

2. Provide clear opt-out mechanisms

Give customers a way to easily opt out of the sale or sharing of their data.

3. Enable data access and deletion requests

Provide customers with a clear and easy way to request access to or deletion of their data.

4. Train staff on compliance

Make sure employees are trained on CCPA compliance and know how to handle customer requests regarding their data.

5. Maintain detailed data inventories

Conduct regular data inventories and create data maps to know exactly what personal information your business has, where it is stored and how it is used.

6. Establish processes for verifying identity

Make sure you have strong security measures in place to protect personal information and prevent unauthorized access.

CCPA noncompliance penalties

Collecting and selling consumer data is big business. Consumers’ online habits generate data that is extremely valuable to companies that want to optimize their marketing efforts and create new business opportunities. California gives individuals more control over their personal data, which includes penalizing companies that violate any provisions of the CCPA.

CCPA penalties are enforced by the California Attorney General and are assessed per violation: $2,663 for each unintentional violation and $7,988 for each intentional violation, as well as for each violation involving the personal information of minors under the age of 16 (note that these figures are inflation-adjusted and can change annually).

Violations can quickly multiply: a single violation could be a data breach involving just one individual, but since data breaches rarely involve one person (they usually involve thousands of customers), the penalties can quickly add up to substantial amounts. In addition to these fees, failure to comply with CCPA regulations can result in class-action lawsuits in the event of a data breach and in private lawsuits resulting in civil penalties.

CCPA vs. GDPR: What’s the difference?

When it comes to protecting consumer data, the EU started off ahead of the U.S. In 2016, the EU adopted the General Data Protection Regulation (GDPR) law to protect the personal information of EU residents. GDPR and CCPA are similar in that they are both designed to protect and empower individuals when it comes to their personal data. Both laws give consumers the right to opt in or out of data collection, the right to have it corrected if there are errors, and the right to access or delete their information. Both laws also require organizations to personally notify individuals if there has been a security breach.

Despite their similarities, GDPR and CCPA do have a few fundamental differences:

Compliance requirements

GDPR applies to any organization collecting personal data from EU residents, whereas CCPA applies only to businesses with gross annual revenue of at least $26,625,000 (note that this figure is inflation-adjusted and may change annually). In addition to meeting the revenue threshold, CCPA applicability can also be triggered by data volume or data sale.

Scope of personal data covered

CCPA covers data that is collected by any device connected to the internet, directly or indirectly, or to another device, including those within a household (defined as "a group, however identified, of consumers who cohabitate with one another at the same residential address and share use of common devices or services"), whereas GDPR does not.

Geographic jurisdiction

GDPR protects all individuals in the EU, regardless of citizenship, whereas CCPA only protects California residents.

Consent requirements

GDPR requires consumers to give clear consent to having their data collected, whereas CCPA allows users to opt out of data collection. Businesses covered by CCPA do not need initial consent to begin collecting consumer data.

Fines and penalties

CCPA penalties for noncompliance are typically fines assessed per violation, whereas GDPR has much stiffer penalties that can reach up to 4% of the violator’s annual global revenue or €20 million, whichever is greater.

Consumer rights enforcement

In the EU, supervisory authorities in each member country enforce compliance with GDPR. In California, the state Attorney General’s office enforces CCPA.

Conclusion

Reacting to the rise of data brokering, California was the first state in the nation to recognize the importance of giving its residents control over their personal information. Since the enactment of the California Consumer Privacy Act in 2018, other states have followed in its footsteps. Today, California consumers have the right to know how their personal information is being used, the right to opt out of the sale of their information, the right to delete any of that information, and the right to not be discriminated against for exercising these rights.

Ensuring CCPA compliance in California is not only necessary for legal reasons but is also essential for establishing customer trust. Knowing that their personal information is protected goes a long way toward building loyalty and goodwill with your customers.

CCPA Compliance Guide FAQs

Organizations can ensure CCPA compliance first by updating their privacy policies so that users know exactly what data is collected, the purpose for collecting it and how they can exercise their rights regarding their private information. It’s also important to provide a clear opt-out process so users can choose to prevent the sale or sharing of their data. You also must provide customers with a clear and easy way to request access to or deletion of data that’s already been collected. Training employees on CCPA compliance is critical. They should understand the requirements and penalties as well as how to handle any requests from customers regarding their personal data.

While there is no official, government-issued CCPA certification from the State of California, third-party vendors offer certification to individuals who can demonstrate that they have a foundational understanding of the CCPA.

CCPA compliance software is an essential tool for ensuring compliance, making it easier for businesses to track data requests, generate reports and update policies. Examples of commonly referenced tools include software from Scytale, Ketch, OneTrust and Osano.