Beginner’s Guide to CCPA Compliance

Overview of the California Consumer Privacy Act (CCPA)

The CCPA is currently the most comprehensive personal data protection law in the United States. CCPA compliance requires adherence to certain consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The effective date of this law was January 1, 2020, and the California Attorney General began enforcement action under the CCPA on July 1, 2020.

Below is an overview of who and what is subject to the CCPA’s jurisdiction (scope), followed by the details of the CCPA requirements for companies that are subject to CCPA provisions, which include:

  • Honoring consumer privacy rights;
  • Providing appropriate notices and disclosures to consumers;
  • Maintaining a reasonable level of security of personal information;
  • Contract obligations with service providers;
  • Notification of data breaches;
  • Workforce training; and
  • Retaining specific records.

“These giant corporations know absolutely everything about you, and you have no rights. I thought, oh, I’d like to find out about what these companies know about me. Then I thought, well, someone should do something about that. Maybe I’m someone.”

- Alastair Mactaggart

The CCPA started out as a ballot initiative in early 2018 and was signed into law in June of 2018. The ballot initiative was led by Alastair Mactaggart, who focused the initiative on three main principles: transparency, control, and accountability. Mactaggart’s initial concern was how, in a world where most people have no option but to own a phone or computer, consumers could maintain control over their data and ensure it stays personal.

The ballot initiative was so popular with the public that lawmakers feared the initiative would become effective immediately without going through the usual legislative process. To prevent this, legislators and Mactaggart agreed that the ballot initiative would be withdrawn if the Governor signed the CCPA by June 29th. The CCPA was agreed to be based on the original ballot’s three principles of transparency, control, and accountability.

While the CCPA dominates the privacy space for now, the California Privacy Rights Act (CPRA, passed in November 2020) as well as data privacy legislation in Colorado (CPA) and Virginia (VCDPA) go into effect in 2023. Further, states continue to propose data privacy legislation, and 2022 looks to be just as busy as 2021 as far as new legislation is concerned.

Scope

The CCPA applies to any for-profit business, regardless of its location, that collects the personal information of California residents and meets one or more of the following thresholds:

  • The business’s annual gross revenue is over $25 million; OR
  • The business annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices; OR
  • The business derives 50% or more of its annual revenue from the sale of consumers’ personal information.

The CCPA also applies to businesses that control or are controlled by an entity that meets or exceeds one of the criteria above and shares common branding.

“Consumer” means a natural person who is a California resident either:

  • In California for a reason other than a temporary or transitory purpose; OR
  • Domiciled in California but currently outside of the state for a temporary or transitory purpose.

Notably, the term “sell” under the CCPA is broadly defined. Selling data under the CCPA is not limited to the explicit exchange of personal information for monetary gain; it can also include simply sharing data with other entities in return for “valuable consideration.”

The CCPA defines personal information as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a specific consumer or household. This law differs from others by including household information in the scope of the definition of personal information.

“Household” means a person or group of people who:

  1. Reside at the same address;
  2. Share a common device or the same service provided by a business; AND
  3. Are identified by the business as sharing the same group account or unique identifier.

Aside from information made publicly available, personal information may include, but is not limited to:

  • A real name
  • Alias
  • Postal address
  • Unique personal identifier
  • Online identifier
  • Internet Protocol (IP) address
  • Email address
  • Account name
  • Social security number
  • Driver’s license number
  • Passport number

CCPA Compliance Requirements

Consumer Rights Summary

The tables below serve as a high-level guide to the various CCPA requirements and applicability of each consumer privacy right provided under the CCPA.

Right to Access

Applicability: Personal information collected from California consumers within the past 12 months.
Requirement: Must provide the following information:
  • Categories of personal information collected;
  • Categories of sources of personal information;
  • Purpose for collecting or selling personal information;
  • Categories of third parties with whom the personal information has been shared; and
  • Specific pieces of personal information the business has collected.
Exceptions: A business is not required to honor this request more than twice in a 12-month period.

Right to Deletion

Applicability: Applies to all California consumer personal information.
Requirement: Must delete all personal information upon request unless a valid exception applies.
Exceptions: When processing is necessary to:
  • Complete a transaction for which the personal information was collected;
  • Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
  • Debug to identify and repair errors that impair existing functionality;
  • Exercise free speech, ensure the right of another consumer to exercise the right of free speech, or exercise another lawful right;
  • Comply with the California Electronic Communications Privacy Act;
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when deletion is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent;
  • Enable internal uses that are reasonably aligned with the expectations of the consumer based on his/her relationship with the business;
  • Comply with a legal obligation;
  • Use the personal information, internally, in a lawful manner compatible with the context in which the consumer provided the personal information.

Right to Opt-Out

Applicability: This right applies when a business sells a consumer’s personal information. The “sale” of personal information includes the selling, disclosure, transfer, etc. of a consumer’s personal information to another business or a third party for monetary or other valuable consideration.
Requirement: Must allow consumers to opt-out of the sale of their personal information by providing a link to a “Do Not Sell My Personal Information” web page to make such a request. Upon receiving an opt-out request, businesses must not seek reauthorization to sell a consumer’s personal information for at least 12 months.
Exceptions: The business does not sell personal information as defined under the regulation.

Right to Non-Discrimination

Applicability: Applies when a California consumer has exercised one of the rights provided under the CCPA (right to access, right to deletion, right to opt-out of the sale of personal information).
Requirement: A business must not discriminate against a consumer because they have exercised one of the rights provided under the CCPA by:
  • Denying goods or services to the consumer;
  • Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  • Providing a different level or quality of goods or services to the consumer;
  • Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
Exceptions: A business may offer financial incentives for the collection and sale of personal information:
  • The business must notify consumers of these offers; and
  • Consumers must provide their opt-in consent, which can be revoked at any time.

A business may also offer a different price, rate, level, or quality of goods/services if that difference is directly related to the value provided to the consumer by the personal information.

Notice Requirements

The CCPA and the California Attorney General’s Regulations require businesses to provide four types of notices to maintain CCPA compliance: (1) Privacy Policy, (2) Notice at Collection, (3) Notice of Financial Incentive, and (4) a “Just-in-Time” Notice.

All notices must be designed in a way that is easy to read and understand by consumers. This includes:

  1. Using plain, straightforward language (avoiding technical or legal jargon);
  2. Using a format that is clear and conspicuous;
  3. Providing it in the same languages in which the business provides contracts, disclaimers, sale announcements, and other information to consumers in California; and
  4. Making it reasonably accessible to consumers with disabilities.

CCPA Compliance Checklist

Privacy Policy

To maintain CCPA compliance, businesses are required to notify consumers of the categories of personal information they collect, why they collect it, and how they intend to process it through a privacy notice that is reviewed and updated at least once every 12 months. Within the privacy policy, a business must notify consumers of the following information:

  • A description of the consumer’s rights (right to access, right to deletion, right to opt-out of the sale of personal information, and right to non-discrimination) and at least two methods for consumers to send their request that must include, at a minimum, a toll-free telephone number and web address;
  • A list of the categories of personal information it has collected about consumers within the preceding 12 months;
  • A list of the categories of personal information the business has sold about consumers in the preceding 12 months, or, if the business has not sold consumers’ personal information in the preceding 12 months, the fact that this did not occur; and
  • A list of the categories of personal information the business has disclosed about consumers for a business purpose in the preceding 12 months, or, if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the fact that this did not occur.

The categories of personal information required to be disclosed shall “…follow the definition of personal information in Section 1798.140.” Referring to the definition of personal information within the CCPA, the following categories are listed:

  1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  2. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e));
  3. Characteristics of protected classifications under California or federal law;
  4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  5. Biometric information;
  6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement
  7. Geolocation data;
  8. Audio, electronic, visual, thermal, olfactory, or similar information;
  9. Professional or employment-related information;
  10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99); and
  11. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

When outlining the personal information collected and/or sold, businesses must align their disclosures with the categories above.

The regulations further require a company that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year to include the transparency metrics below for the previous calendar year:

  1. The number of requests to know that the business received, complied with in whole or in part, and denied;
  2. The number of requests to delete that the business received, complied with in whole or in part, and denied;
  3. The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
  4. The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

The metrics listed above should be disclosed by July 1st of every year in a subsection of a business’s privacy policy or posted on a business’s website and accessible from a link included within the privacy policy.

Notice at Collection

This is the notice given by a business to a consumer at or before the point at which a business collects personal information from the consumer.

The notice must include all of the following information:

  1. A list of the categories of personal information about consumers to be collected. Each category of personal information shall be written in a manner that provides consumers a meaningful understanding of the information being collected;
  2. The business or commercial purpose(s) for which the categories of personal information will be used;
  3. If the business sells personal information, the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info,” or in the case of offline notices, where the webpage can be found online; and
  4. A link to the business’s privacy policy, or in the case of offline notices, where the privacy policy can be found online.

It must also be made available where consumers will encounter it at or before the point of collection of any personal information. Examples include:

  1. When a business collects consumers’ personal information online, it may post a conspicuous link to the notice on the introductory page of the business’s website and on all webpages where personal information is collected. The link must direct the consumer to the notice or the specific section of the business’s privacy policy with the required information.
  2. When a business collects personal information through a mobile application, it may provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.
  3. When a business collects consumers’ personal information offline, it may include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to where the notice can be found online.
  4. When a business collects personal information over the telephone or in person, it may provide the notice verbally.

If the business seeks to collect additional categories of personal information and/or use the personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall provide a new notice to the consumer that adheres to the CCPA compliance requirements listed above.

Notice of the Right to Opt-out of Sale of Personal Information

CCPA compliance requires that businesses that sell personal information belonging to consumers must provide a notice of the right to opt-out. The purpose of this notice is to inform consumers of their right to direct a business to stop selling their personal information.

This notice shall include:

  1. A description of the consumer’s right to opt-out of the sale of their personal information by the business;
  2. The interactive form by which the consumer can submit their request to opt-out online, or if the business does not operate a website, the offline method by which the consumer can submit their request to opt-out; and
  3. Instructions for any other method by which the consumer may submit their request to opt-out.

Notice of Financial Incentive

Businesses may choose to offer financial incentives for the collection, sale, or deletion of their personal information. To do so, they must first notify consumers of the financial incentives and receive prior opt-in consent before entering them into the financial incentive program. This prior opt-in consent must include a clear description of all material terms of the program and notice that the consumer may revoke their consent at any time.

Third Party and Service Providers

For CCPA compliance, a business must determine whether each vendor that processes personal information of California consumers on its behalf is considered a “service provider” or a “third party” as defined under the CCPA. Businesses that lack a contract, or the specific language required in contracts, with vendors may be subject to the sale-of-personal-information requirements based on the relationship.

The definitions are as follows:

  • “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity…that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.
  • “Third party” means a person or business entity who is NOT:
    • The business that collects the PI from consumers; or
    • The recipient of PI from a business for a business purpose pursuant to a written contract (the contract must prohibit the sale of the PI or other use outside of the written contract).

Contracts must be updated or put in place and include specific requirements regarding personal information processing activities. Contractual provisions must outline that the service provider is prohibited from:

  • Selling the personal information;
  • Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract; and
  • Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.

Contracts must also include a statement confirming that the service provider understands the restrictions outlined above.

For a detailed list of 108 of the most common vendors and their designations under the CCPA, download our CCPA Vendor White Paper.

Incident and Breach Response

Under the CCPA, consumers are provided a private right of action if their non-encrypted or non-redacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

The California Data Breach Notification Law further defines breach to mean:

“…the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.”

It is important to note that the breach requirements listed above apply to the definition of “personal information” under the California Data Breach Notification Law, which is the following:

  1. An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
    • Social security number;
    • Driver’s license number or California identification card number;
    • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
    • Medical information; or
    • Health insurance information.

  OR

  2. A username or email address in combination with a password or security question and answer that would permit access to an online account.

Additionally, an amendment to the California Breach Notification Law added unique biometric data, tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document.

Training, Record Keeping & Reporting Requirements

All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s CCPA compliance shall be informed of how to direct consumers to exercise their rights under the CCPA and these regulations. Documentation must also be retained concerning policies related to such training, to demonstrate that all individuals responsible for ensuring compliance are informed of all the CCPA compliance requirements.

The business must retain records of consumer privacy requests and any action taken to respond for a minimum of 24 months after the request is made. The business shall implement and maintain reasonable security procedures and practices in maintaining these records. These records may be retained in ticket or log format, provided that the ticket or log includes:

  1. The date of request;
  2. Nature of request;
  3. Manner in which the request was made;
  4. Date of the business’s response;
  5. Nature of the response; and
  6. Basis for denial, if applicable.

A business that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 10,000,000 or more consumers in a calendar year, shall:

  1. Compile the following metrics for the previous calendar year:
    • The number of requests to know that the business received, complied with in whole or in part, and denied;
    • The number of requests to delete that the business received, complied with in whole or in part, and denied;
    • The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
    • The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
  2. Disclose, by July 1st of every calendar year, the information above within their privacy policy or posted on their website and accessible from a link included in their privacy policy.
  3. In its disclosures above, a business may choose to identify the number of requests that it denied in whole or in part because the request was not verifiable, was not made by a consumer, called for information exempt from disclosure, or was denied on other grounds.
  4. A business may choose to compile and disclose the information required for requests received from all individuals, rather than requests received from consumers. The business shall state whether it has done so in its disclosure and shall, upon request, compile and provide to the Attorney General the information for requests received from consumers.

Other than as required above for CCPA compliance, a business is not required to retain personal information solely for the purpose of fulfilling a consumer request made under the CCPA.

Businesses are prohibited from utilizing records of consumer privacy requests for any other purpose aside from record-keeping. Information maintained for record-keeping purposes shall not be shared with any third party except as necessary to comply with a legal obligation.

Penalties for Non-Compliance

The CCPA and Section 17206 of the Business and Professions Code empower the California Attorney General to bring action against any individual or entity for violating the CCPA. Notably, businesses must be notified about alleged violations first. Following receipt of the non-compliance notice from the California Attorney General, businesses have 30 days to fix, or “cure,” alleged violations in order to maintain CCPA compliance. If the issues are not cured during that 30-day window, the Attorney General is empowered to bring action against the entity for up to $2,500 for each violation and up to $7,500 for each intentional violation.

Note: The CCPA clearly allows a private right of action for data breaches; beyond that, many interpretations of the CCPA conclude that the Attorney General has the authority to bring action against a business for any violation.

Keep in mind that each consumer whose personal information is illegally processed, sold, etc. represents an independent violation. For example, if a business intentionally sells the personal information of 150 consumers who have opted out of having their information sold, it could receive a penalty of up to $1,125,000 (150 × $7,500), not just $7,500.

Businesses also face the potential for class-action lawsuits in the event of a data breach, with statutory damages ranging between $100 and $750 per incident, or greater if actual damages exceed $750. The definition of “personal information” under this section is far more specific than the one used throughout the CCPA, as it refers to the definition of personal information under California’s Data Breach Notification Law.

According to a report from IBM and the Ponemon Institute titled “Cost of a Data Breach,” the average data breach in the United States costs a company around $8.19 million. The report aggregated costs reported by over 500 organizations in various industries around the globe and considered the number of customer records lost or stolen in breaches, how the company responded to the breach, and how its business fared after the breach.

Other, less obvious consequences for violating the CCPA include potential harm to a company’s brand, loss of consumer trust, legal defense fees, and time spent recovering from damages. Businesses should consider all these factors in addition to the penalties laid out in the CCPA when determining the level of risk in not maintaining CCPA compliance.

For more information on how to achieve CCPA compliance and build an effective privacy program, download our comprehensive CCPA Playbook.

If you have any questions about CCPA compliance or any other data privacy requirements, please reach out to connect@compliancepoint.com.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.