What is CCPA and What Does It Mean for Your Business?

The California Consumer Privacy Act of 2018 (CCPA) requires U.S. companies that do business with California to implement privacy initiatives protecting the data privacy of California residents. So what is the CCPA, and what does it mean for your business? Let’s take a look.

What is the CCPA?

As stated above, the CCPA is a privacy law that went into effect January 1, 2020, meant to protect consumers in California. Its basic premise is to ensure that businesses with access to the data of California’s citizens implement basic protections for individual privacy. It’s the strictest data privacy law in the U.S., but it looks a lot like the General Data Protection Regulation (GDPR), which went into effect in the European Union in 2018. Unlike the GDPR, though, the CCPA is an opt-out system rather than an opt-in system. Also, the CCPA covers households and devices as well as consumers, whereas the GDPR only covers “natural persons”.

The CCPA gives California consumers a slew of new rights to privacy, including:

  • Transparency about data collection
  • Right to be forgotten
  • Right to opt out of having their data sold
  • Opt-in right for minors before their data is sold

In order to ensure these rights are met, businesses must provide consumers with disclosures regarding how personal information is collected and why. Companies must also comply if a consumer asks them to disclose the categories and the specific pieces of personal information the business collects about them. Consumers can also ask that their data not be sold, and a business can’t discriminate against a consumer for demanding this. And finally, consumers can demand that their personal information be deleted.

Which businesses need to implement CCPA guidelines?

Any business that collects and sells the personal information of consumers in California, or discloses it for a business purpose, must comply with the CCPA. The law applies to any for-profit legal entity that sells goods or services to California residents, even if the business isn’t physically located in the state. This includes businesses that operate outside of the United States.

However, there are some caveats, and the bar for compliance is actually set pretty high. To be subject to the CCPA, a business must also meet at least one of the following three criteria:

  • Have $25 million or more in annual revenue
  • Possess the personal data of more than 50,000 consumers (including households and devices)
  • Earn more than half its annual revenue selling consumers’ personal data

This means that the CCPA applies mostly to bigger companies or those that deal in quite a bit of data. Still, even if your organization doesn’t meet at least one of the above criteria, it’s probably a good idea to start looking at implementing CCPA compliance anyway, for a number of reasons.

What’s the benefit of being CCPA compliant?

First of all, if you meet the criteria as listed above, being CCPA compliant keeps you from breaking the law. That’s hugely important. But even if you don’t meet the criteria, it’s a good idea to implement the guidelines anyway, because customers are more and more concerned about data privacy. The CCPA guidelines are straightforward and implementing them gives your customers a reason to trust you. Simply put, it’s the right thing to do.

If you approach CCPA compliance as part of a holistic privacy-protection compliance strategy, you’ll be in a better position to meet the regulatory requirements that are certain to arise in the future. Creating an overarching privacy policy that encompasses the overlapping requirements of data regulations like CCPA, GDPR, and HIPAA will set you up for future compliance.

Privacy laws are only increasing over time, and customers will definitely ask you what your policies are. It’s better to show leadership by implementing these policies before you technically have to, so that compliance is easier once it becomes mandatory. Plus, it’s quite likely that future laws will look pretty similar, so getting the hard work out of the way now will make compliance much easier down the line.

Practical Assurance has vast experience with privacy law compliance, and can help your company start or manage a compliance program you can be proud to tell your customers about. Get in touch to discuss your options.

GDPR and SOC 2

How do they integrate?

What is GDPR and how do the requirements overlap with SOC 2? What do I need to do to comply with GDPR? How do I integrate SOC 2 and GDPR into one audit process?

Topics in this webinar include:

  • The core components of GDPR compliance
  • How SOC 2 compliance supports GDPR
  • How to include GDPR in your SOC 2 audit process
  • Getting inside your auditor’s head
