What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a law that aims to safeguard the data privacy of the residents of the state of California (CA). It seeks to inform Californian consumers of what’s being done with their personal data and the extent of control that they have over the sharing of this data. The Act was introduced in January 2018 and signed into law in June 2018.
The CCPA requires many for-profit businesses to reveal to the residents of California:
- How their personal information is being handled
- What data is being collected
- The option to refuse personal information sale; and
- The right to sue in case of a data breach
In light of this, it is crucial for companies to understand what they need to do to adhere to the CCPA, which became effective on January 1, 2020.
Explained below are 3 key questions (surrounding the CCPA) that startup founders, small business owners, and corporate executives absolutely need to know the answers to.
California Consumer Privacy Act (CCPA): 3 Key Questions
Source: Unsplash
#1: What does CCPA cover?
#2: CCPA vs GDPR: What’s the Difference?
#3: What to do to be compliant with CCPA?
#1: What does CCPA cover?
The California Consumer Privacy Act applies to for-profit companies that do business in California, collect Californian consumers’ personal information, and determine the means of processing that data.
Furthermore, it applies to all for-profit entities that do their business in the state, and for whom any of the following is applicable:
- The business entity has a gross annual revenue that exceeds $25M
- The entity shares, sells, or buys the personal information of greater than 50,000 California consumers, residents, or devices for commercial intent; or
- More than 50% of the entity’s annual revenue stems from selling California consumers’ personal information.
The California Consumer Privacy Act also partially applies to businesses that work on behalf of (or work with) CCPA-covered organizations that are on the receiving end of personal information. For instance, CCPA applies to businesses or companies that share their branding with a company that is CCPA-covered, or are service providers that process information on behalf of a CCPA-covered business. The regulation is also applicable to companies and businesses that serve other businesses (as opposed to individuals) - also known as ‘B2B’ companies.
An important thing to note is that a business or an organization doesn’t need to be physically located in the state of California for CCPA to apply — CCPA applies to any company that does its business in the state of California.
A company or organization may “do business” in the state of California if it:
- Has employees working in the state
- Has online transactions with people residing in California; or
- Has other connections to the state
Originally, the law envisioned that employees that are residents of California should be treated like any other consumer with regard to their privacy rights. However, a recent amendment to the California Consumer Privacy Act exempts employee personal information that is collected in the course of employment until January 1, 2021.
For instance, under CCPA, employees cannot make a request that their employers delete their personal information. However, a business that collects employees’ personal information is still required to notify them of the same at the time of doing so.
California’s legislature has hinted that 2021 will usher in new employee-specific privacy laws. This would likely resolve the issue of how employees’ personal information will be handled after January 1, 2021.
In fact, the Federal Trade Commission published a guide where it discusses at length how businesses can protect personal information that relates to not just consumers but employees too.
#2: CCPA vs GDPR: What’s the difference?
One commonly asked question is how the California Consumer Privacy Act differs from the General Data Protection Regulation (GDPR), which is a well-known law in the European Union for regulating data protection and privacy.
The two regulations are indeed different.
But there’s a catch.
You are probably in a better place to become CCPA-compliant if you are already compliant with GDPR.
GDPR focuses more on data ownership, accountability, and rights to amendment or deletion of personal data. This is the key difference between the 2 regulations.
That’s not all…
CCPA does not require a legal basis for companies or organizations to process personal data, whereas GDPR does. This is a major difference between US and EU privacy. The European Union requires you to have a legitimate basis before you use or collect any personal data. In the United States, however, you may process personal information unless it is prohibited by a specific law or regulation.
GDPR also applies to all organizations selling products or services to people in the European Union, as well as those monitoring the behavior of individuals in the EU. On the other hand, CCPA applies exclusively to companies doing business in California. It also omits certain kinds of data and instead sheds more light on limiting personal information sale.
#3: What should you do to be compliant with CCPA?
The enforcement of the California Consumer Privacy Act began on July 1, 2020. Therefore, for companies that this law applies to, it should be high-priority to prepare for it now rather than later. This urgency grows larger in the face of the time it can take to properly understand, comply with, and implement the CCPA’s provisions.
Here are a few of the vital actions that businesses can get cracking on right away:
- Primarily, the CCPA requires covered companies to have an online privacy policy. Therefore, it’s imperative for a covered business to update or create its privacy policy. In the event that the company sells personal information, they must also include a link on their website homepage that allows consumers to request that their information not be sold or used. Here’s a sample CCPA privacy policy template.
- CCPA also requires business vendors that handle personal information for the business to draw up contracts. Vendors have to make certain representations and certifications about how they handle personal information, in order to ensure that their client company stays CCPA-compliant. This post outlines 10 clauses that can improve CCPA compliance in vendor contracts.
- Lastly, employee training is critical. Every employee handling consumer inquiries about a company’s privacy policies and compliance with CCPA has to receive training on CCPA requirements. Employees must know how to direct Californian consumers to exercise their privacy rights under the CCPA.
We can help!
If you have any questions regarding the California Consumer Privacy Act, feel free to drop us a line on hello@abstractops.com.
At AbstractOps, we help early stage founders streamline and automate regulatory and legal ops, HR, and finance so you can focus on what matters most.
Like our content?
Subscribe to our blog to stay updated on new posts. Our blog covers advice, inspiration, and practical guides for founders of early stage startups.