CCPA Frequently Asked Questions

After the GDPR, which went into effect on 25 May 2018, starting January 01, 2020, the way you collect, store, and share this data may land you in trouble. Keep reading, if you’re unsure how the California Consumer Privacy Act (CCPA) will impact your company. The California Consumer Privacy Act of 2018 (“the CCPA”) is considered to be one of the most significant legislative privacy developments and there are a lot of questions and confusion around the Act.

This article will explain what the CCPA is, whom the CCPA applies to, what data protection rights the CCPA provides, what a sale is under the CCPA, what businesses need to do, what a service provider is under the CCPA, and how the CCPA differs from the GDPR.

What is the CCPA?
The CCPA is the California Consumer Privacy Act which was passed in 2018. The CCPA was created for the purpose of protecting the privacy and personal data of consumers who live within the state of California.  The CCPA is one of the strongest state privacy laws in the United States that requires businesses that collect and use personal data, to comply with the new regulations, regardless of where they are located. The CCPA is the result of a compromise between consumer privacy seeker advocates and California businesses seeking to avoid privacy regulations.

When does the CCPA go into effect?
The CCPA goes into effect on January 1, 2020.  As of Jan 01, 2020, businesses across the globe will have to comply with additional regulations related to the processing of personal data of California residents.

What is residency based on? 
Anyone who pays taxes to the State of California is a California consumer, whether they currently live in California or not.

Does it apply to my organization? or Whom does the CCPA apply to? or If my business is impacted by the CCPA?
The CCPA applies to any business both inside and outside of California, if it receives, collects, use, share or sell California residents personal data (including employees) solely or jointly with others, and meets one of the following conditions/thresholds:

  • Revenue thresholds – Has annual gross revenues in excess of US$25 million;
  • Revenue thresholds – Earns more than half of its annual revenue from selling consumers’ personal information; or
  • Personal information threshold – Possesses the personal information of 50,000 or more consumers, households, or devices.

As per section 1798.140, “business” definition covers Parent companies and subsidiaries using the same branding, even if they themselves do not exceed the applicable thresholds.

Does the CCPA apply to businesses outside the state of California?
The companies must do business in California and collect and maintain personal data from California residents, to be covered under the CCPA.

If an organization isn’t doing business in California, it isn’t covered by the CCPA – even if it gathers data about Californians.

Does the CCPA apply to non-profits or Government?
Other types of organizations, such as non-profit or government entities, are not covered.

What are the penalties for violating the CCPA?
The court will consider several factors like the seriousness of the misconduct, past violations, the persistence of misconduct, the company’s net worth, etc. when determining the amount of damages. The maximum penalty for violating CCPA laws is $2,500 per violation, or $7,500 for each “intentional violation” (source). 

What rights do consumers have over their personal information under the CCPA?
The CCPA gives California residents the right to:

  • Know what personal information is being collected
  • Access the personal information that is collected, and request it be deleted
  • Know whether their personal information is being shared, and if so, with whom
  • Opt-out of the sale of their personal information
  • Have equal service and price, whether or not they choose to exercise their privacy rights

What must businesses disclose if a consumer makes a verified request?

Businesses must disclose:

  • categories of personal information collected
  • sources from which information was collected
  • purposes for which the information was collected
  • categories of third parties with whom the information is shared

Consumers have the right to request specific pieces of personal information collected about them.  The CCPA used to require businesses to provide this information, but the law was amended to no longer require this.  The right now is just a right to make a request, but not to receive an answer.

What is to be done to comply with the CCPA?

Businesses are responsible for the following in order to comply with the CCPA:

  • Provide two or more ways to request information
  • Train employees how to manage consumer right under the CCPA
  • Businesses must have written an agreement with service providers to restrict the use of personal information except for specified purposes
  • Business must have written an agreement with the third-parties (which are not service providers), to restrict the use of personal information except for specified purposes
  • Can’t discriminate against consumers by charging different prices or denying goods or services to consumers who exercise their CCPA rights.

How does the CCPA define “personal information”?

In general, the CCPA defines personal information as information that can identify, describe, relate to, be linked/associated with, or be reasonably capable of being linked/associated with a particular consumer or household. Here is a list of a few examples mentioned under the CCPA documentation, but is not limited to:

  • Biometric data such as fingerprints and facial recognition data;
  • Professional or employment-related information;
  • Identifiers such as a real name, alias, address, email address, social security number, license number, passport number, or similar identifiers;
  • Commercial information including property records, product purchases, and other consumer histories and tendencies;
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement; and
  • Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA).

“Personal information” does not include publicly available information. Publicly available information refers to data that is lawfully made available by federal, state, or local government records. 

Does the CCPA apply if a consumer is no longer a resident of California?

If a consumer is transferred or moves to a location outside of California, the consumer may no longer be a resident of California and his or her personal information will no longer be protected by the CCPA.

Are the service providers liable for the CCPA?

Under the CCPA, a service provider means a for-profit legal entity that processes the information on behalf of business on the basis of documented instructions from a business pursuant to a written contract. A service provider that receives personal information and uses it in violation of the restrictions under the CCPA can be liable for those violations. A service provider, however, is not liable for failure by a business that shares personal information with them to comply with its CCPA obligations.

Penalties for a service provider’s violations of the CCPA are similar to those of a business that violates the CCPA.

Does the CCPA apply to health information?

The CCPA does not apply to medical information governed by the CMIA – Confidentiality of Medical Information Act or protected health information collected by a covered entity or business associate governed by the privacy, security, and breach notification rules of the HIPAA – Health Insurance Portability and Accountability Act and HITECH – Health Information Technology for Economic and Clinical Health Act of 2009. 

A health care provider might still have CCPA obligations if it processes personal information.

Does the CCPA apply to website cookies?

Yes, Personal information collected by website cookies that identify or could reasonably be linked to a particular consumer, family, or device may be subject to the same disclosure notices and consumer rights, including the right to delete or opt-out of the sale of information to a third party, as other personal information collected through the website.

What is a “sale” of personal information under the CCPA? or What Does It Mean to ‘Collect’ and ‘Sell’ Personal Information?

Any exchange for ‘valuable consideration’ is potentially a sale under CCPA. According to the CCPA,  “Sale” means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration..

Where we can find the full text of the CCPA?

Please check the CCPA bill text here:
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

Also, the proposed text can be found here:
https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf

If Business is GDPR compliant, does that mean it is also CCPA compliant?

No, we must not assume GDPR compliant business to be also CCPA compliant. There are many similarities in terms of how they protect personal information. But, there are several key differences between the two regulations.  The CCPA does include additional requirements that the GDPR does not. The CCPA does include additional requirements that the GDPR does not. These requirements include adding a “Do Not Sell My Personal Information” option on business websites.

References:


Qualitians

Welcome to Qualitians, your premier destination for world-class content on information security, data privacy, cybersecurity, and security operations. Since 2015, we've been committed to delivering high-quality resources to students, professionals, and enthusiasts worldwide. Trusted by a diverse readership, including CISOs, IT executives, government leaders, and service providers, Qualitians offers detailed guides, industry updates, expert insights, case studies, and practical toolkits. Our mission is to empower our community to stay ahead of cybersecurity challenges with balanced, thorough, and practical insights. Stay informed. Stay secure. Trust Qualitians.

You may also like...