Compliance & regulations

CCPA & CPRA

Operative Jan. 1, 2023, California’s CPRA amends and expands the CCPA. The California Privacy Rights Act adds new requirements, consumer privacy rights, and enforcement mechanisms for businesses that do business in California, wherever they are located.

“Privacy is not a guaranteed right in the US Constitution. CA was the first state to add privacy as a fundamental right.”

The California Consumer Privacy Act (CCPA) was passed by the CA State Legislature and signed into law in June 2018. CCPA went into effect on January 1, 2020. It gives CA consumers rights and protections regarding their personal information, sets out statutory penalties, and gives consumers a “private right of action” to recover damages for certain data breaches. Widely considered a landmark piece of legislation and one of the strictest and most comprehensive data privacy laws in the nation, the CCPA serves as a model for the raft of state data protection laws on the horizon, a much-needed first step toward a national data privacy law, and a step toward adequacy with the EU’s GDPR and related data protection regulations.

The CCPA is amended and expanded, effective January 1, 2023, by the recently approved California Privacy Rights Act (CPRA), which adds several new dimensions to the CCPA that must be taken into consideration.

Data Privacy Institute has prepared this guide in order to assist businesses in the areas of compliance and remediation as it relates to CCPA and the newly passed CPRA.

California Consumer Privacy Act (CCPA)

Considered one of the strictest and most comprehensive data privacy laws in the United States, the California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, and took effect on January 1, 2020. The CCPA was a response to the EU’s passage of the GDPR and is considered by many a precursor to the various state laws that have recently passed, and a potential foundation for a new national privacy law and international adequacy standard. The CCPA is the first privacy law of its kind nationwide that defines statutory relief for non-compliance and data breach AND also gives CA consumers a private right of action (limited to certain data breaches). CCPA has a wide reach and applies to any for-profit business worldwide that does business in CA or holds/processes data on CA residents and meets any one of the following criteria:

  • Annual gross revenue in excess of $25 million
  • Buying, receiving, or selling personal information of more than 50,000 consumers, households, or devices
  • Earning more than half of your annual revenue from selling personal information

CA residents have the following rights under CCPA regarding Personal Data:

  • The right to know: CA residents have the right to know what personal information has been collected, used, shared or sold and for what purposes
  • The right to delete: CA residents have the right to delete any personal information that has been collected (Exceptions for: transactional, legal, security and functionality)
  • The right to opt-out: CA residents have the right to opt out of a business selling their personal information through a clear and easily accessible “Do Not Sell My Personal Information” notice and option
  • The right to non-discrimination: CA residents have the right to not be discriminated against for exercising CCPA rights

Recent clarifications and exemptions to CCPA:

  • Clarifications on the definition of “verifiable consumer request”, allowing a business to require reasonable authentication of a consumer’s identity in order to properly service and respond to data subject access requests
  • Clarification regarding the definitions of personal information as well as “publicly available” information
  • Exemptions on certain HR data that is required for employment and benefits
  • Exemptions for warranty or product recall information

California Privacy Rights Act (CPRA)

Approved by voters

California Privacy Rights Act (CPRA) was approved by voters as Proposition 24 on Nov. 3, 2020

Effective Jan. 1, 2023

The CPRA amendments become operative Jan. 1, 2023; administrative enforcement begins July 1, 2023

Amends CCPA

CPRA amends and expands CCPA

Establishes CPPA

Establishes California Privacy Protection Agency (CPPA) to enforce CPRA

Doubles CCPA’s threshold

CPRA also doubles CCPA’s 50,000 threshold: it applies to companies that buy, receive, sell or share personal information of more than 100,000 consumers or households (devices no longer count toward the threshold)

Additional modifications include:

  • Newly added consumer right to correct inaccurate personal information. CPRA also expands the right to access, the right to opt out and the right to delete. Precise geolocation (a location within a radius of 1,850 feet, roughly 1/3 mile) is now treated as sensitive personal information, and consumers can limit its use, including its use by advertisers
  • The right to opt-out has been redefined from “Do Not Sell” to “Do Not Sell or Share” personal Information
  • New restrictions and definitions for “sensitive” personal information (e.g., racial or ethnic origin, biometrics, social security number, account log-in credentials, precise geolocation, etc.)
  • Downstream responsibility. Service providers, contractors and third parties must also comply with CPRA. Businesses that use outside parties to collect or process personal information must bind them by contract to CPRA’s requirements and take reasonable steps to ensure they comply.
  • Data minimization. New limits on the types and scale of information businesses can collect, so that a business collects no more information than is reasonably necessary for the disclosed business purpose
  • Storage limitation. Businesses must disclose how long they keep each category of personal information and may retain it no longer than is reasonably necessary for the disclosed purpose.
  • Data portability. Consumers may request their personal information in a portable and readily usable format that allows them to transmit it to another entity.
  • Expanded data breach liability. The private right of action now also covers breaches of an email address in combination with a password or security question that would permit access to the account
  • Security protocols. New requirements, including annual cybersecurity audits and regular risk assessments, for businesses whose processing of personal information presents significant risk

Do I need to comply with CCPA/CPRA?

ALL for-profit entities doing business in California that meet any one of the following criteria are subject to CCPA/CPRA:

  • Annual gross revenue in excess of $25 million – not just CA-based revenue but TOTAL revenue.
  • Buying, receiving, selling or sharing personal information of more than 50,000 consumers, households or devices (increased to 100,000 consumers or households under CPRA)
  • The entity earns more than 50% of its annual revenue from selling (or, under CPRA, selling or sharing) personal information

If your company is a for-profit entity that collects, processes or uses personal information of CA residents and meets any of the criteria listed above, you are subject to CCPA/CPRA, even if your company is located outside the United States. The new definitions of sensitive personal information and the new obligations these regulations introduce make compliance with CCPA/CPRA a mandatory consideration for any company that wants to do business in CA.

Some points to consider when understanding if CCPA/CPRA applies to your business:

  • Commitment to Fair Information Practices (FIPs), informing consumers of their privacy rights, and allowing consumers to exercise those rights is important and necessary
  • CA is the world’s 5th largest economy with over 40 million people
  • With the advent of e-commerce and online engagement, small businesses of all shapes and sizes will soon need to treat compliance with FIPs and data privacy as an ordinary part of doing business in CA.
  • Third parties that store, process or collect data on your behalf are required to comply with CCPA/CPRA, and it is your responsibility to make sure that they are compliant.
  • You may be subject to CCPA/CPRA if you “sell” data. Even if you are not paid for the data you provide, transferring information to third-party advertisers via cookies in exchange for something of value is considered a sale. The statute defines selling as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
  • Know your data. Build a data inventory, classification and map. You need to determine how much and what kind of data you have, how it is used and classified, and where it goes to be processed and stored. Only through this process will you truly understand whether CCPA/CPRA applies to your business.

Risks and penalties for non-compliance

Companies are exposed to various risks for non-compliance with CCPA/CPRA. The CA data laws were the first to establish statutory relief for data privacy violations and are considered by many to be the most comprehensive US data privacy legislation in existence. The following are risks associated with non-compliance:

  • Reputational Risk
  • Legal Risk
  • Operational Risk
  • Financial/Investment Risk

CCPA/CPRA requires that businesses give consumers notice at or before the point of collection of personal information and offer consumers the ability to opt out, limit, delete and correct their data. Consumer requests must be tracked and answered within 45 days of receipt (extendable once by a further 45 days with notice to the consumer). Businesses must also disclose the purposes for which they retain, share or sell personal information and keep records of all consumer requests and responses for at least 24 months. CCPA/CPRA has NO ceiling on the number of violations that can be brought against a non-compliant entity.

Penalties & fines

The CCPA provides for civil penalties of up to $2,500 per violation, or up to $7,500 for each intentional violation. Under the CCPA a business has 30 days to cure a violation once notified of noncompliance.

CPRA eliminates the 30-day cure period and raises the penalty for violations involving the personal information of consumers under 16 to $7,500 per violation, whether intentional or unintentional. The $2,500 penalty still applies to unintentional violations involving California residents 16 and older. CCPA/CPRA is enforced by the CA Attorney General and, under CPRA, by the California Privacy Protection Agency; CA consumers also have a private right of action for certain data breaches, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.

Next steps on your road to compliance

  • Committing to Fair Information Practices must be a priority within your organization.
  • Appoint an internal “champion” who can spearhead and take ownership of this crucial undertaking.
  • Consumer trust and safeguarding privacy and confidentiality are necessary and must be clearly communicated to all stakeholders.
  • Determine whether your business needs to comply: data inventory, data classification, data map, data compliance.
  • Understand how these new regulations can affect your business: legally, operationally and financially.
  • Make sure that all third parties you work with understand and comply with FIPs and embrace your organization’s commitment to FIPs and consumer privacy rights.
  • Update IT infrastructure so that ALL software, systems and subsystems are compliant and secure.
  • Develop the necessary policies, procedures and systems to protect data, provide access and manage data.
  • Commit to designing products and services with “privacy by design” from the outset.
