California Consumer Privacy Act (CCPA): All You Need To Know!

Data privacy has become a prime concern in the modern IT world.

In recent years, data privacy has gained huge prominence owing to the increasing number of cyberattacks that led to massive personal data breaches.

In 2019, the total number of data breaches in the US amounted to 1,473 with over 164.68 million sensitive records exposed.

In response, governments across the world have started developing regulations to strengthen consumer privacy protection.

The introduction of the EU’s General Data Protection Regulation (GDPR) in 2018 marked the beginning of a new era of data privacy. It served as a stepping stone for other governments to create cohesive data privacy regulations.

Inspired by the GDPR, the State of California introduced its own data privacy law for its residents: the California Consumer Privacy Act (CCPA).

CCPA, which came into effect on January 1, 2020, is the first of its kind in the US.

The CCPA gives the residents of California the right to know how businesses are handling their personal information.

The law requires companies to inform consumers about the data they collect or share, and gives consumers the right to access, control, and delete that data and to opt out.

Which Businesses are Affected by CCPA?

Any business that processes or handles the personal information of California residents is accountable under the CCPA if it meets any one of the following criteria:

  • Annual gross revenue of at least USD 25 million
  • Handles more than 50,000 consumers’ data
  • Generates more than 50% of revenue from selling data

However, the following businesses are exempt from the CCPA:

  • Businesses already under HIPAA
  • BFIs covered by Gramm-Leach-Bliley
  • Credit reporting agencies covered by the Fair Credit Reporting Act

Companies that are accountable under the CCPA should prepare privacy notices to send to all their customers who reside in California.

The notice should contain the following information:

  • How consumers’ information is collected
  • How the collected data will be used
  • The list of third-party email addresses with whom the data is shared
  • Details about the consumers’ rights under CCPA

Consumer Rights Under CCPA

The CCPA grants Californian consumers several rights. They include:

  • Right to ask the company to delete personal information
  • Right to opt out of the sharing/sale of personal information by the company
  • Right to request disclosure of data collected by the company
  • Right to equal services and price even if they exercise any of the privacy rights under CCPA

What Personal Data is Covered by CCPA?

The CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The following is considered personal information:

  • Direct Identifiers: Real name, alias, postal address, social security numbers, driver’s license number, passport number
  • Unique Identifiers: Cookies, IP address, email address, account names
  • Biometric Data: Face and voice recordings
  • Geolocation Data: Location history
  • Internet Activity: Browsing history, search history, information regarding consumer’s interaction with a webpage or app
  • Sensitive Information: Health data, personal characteristics, behavior, religious or political convictions, sexual preferences
  • Professional or employment-related information
  • Education Information

Businesses will be liable for penalties if they share or process any of the information mentioned above without the consumer’s consent.

CCPA Penalties

The CCPA sets hefty penalties for companies that fail to comply with the new regulations. Unintentional violators face a USD 2,500 fine, while intentional violators will have to pay USD 7,500.

How Can Companies Meet CCPA Compliance Standards?

Businesses that are already compliant with the GDPR will find it easier to comply with the CCPA. Here are some tips to help companies meet the CCPA’s security and privacy requirements and avoid possible penalties and civil lawsuits.

1) Preparation

The first step in complying with the CCPA is to identify and classify consumers’ data to determine whether it falls under CCPA guidelines.

Check whether the data requires access permission from the consumers. Identify rarely accessed folders and old personal data, as they may bring unnecessary security risks.

2) Implementation

After the personal data is identified and classified, implement the right access permissions. Try to implement role-based access controls.

Archive or delete any consumer information older than 12 months. Implement security protocols to monitor personal data against outside threats and unauthorized access.

3) Maintenance

Continually review the privacy and security protocols and adjust them to keep pace with the ever-changing cybersecurity landscape. Regularly evaluate old and new data to ensure it is properly organized and protected.

CCPA Vs. GDPR: What’s the Difference?

Both the CCPA and the GDPR aim to give individuals certain rights regarding how their personal information is collected and used.

However, the two laws differ in some significant ways, particularly regarding the scope of application, the nature and extent of data collection limitations, and rules concerning accountability.

The GDPR requires businesses to have a legal basis for processing personal data, whereas the CCPA has no such requirement.



CCPA | GDPR
Relates to personal data of Californians | Relates to personal data of EU citizens
Applies to all for-profit firms that have USD 25 million in gross revenue, act on the personal data of > 50,000 users, and earn 50% of their revenues by selling data | Applies to all businesses with >250 employees
Extends to information traced back to households or devices | Mostly similar to CCPA protocols in data protection
Allows users to express their consent to the sale of their data | Doesn’t explicitly let consumers deny the sale of their data
Consumers can’t restrict but can only opt out | Consumers can restrict data processing
Depending on the offense, penalties can go up to USD 7,500 per affected individual | Fines can go up to 4% of a company’s revenues

What Does CCPA Mean to Third-party Associates?

Organizations that share or collect the personal information of Californians are not the only businesses affected by the CCPA. All their third-party associates are also obliged to comply with it.

“In terms of compliance, working with third parties is important because the organization is responsible for what those third parties do with its data—not to mention fourth and fifth parties,” says Richard Vestuto at Deloitte Transactions and Business.

Businesses should ensure that all their third-party associates are compliant with CCPA standards.

They should also review all third-party associates with access to personal information and bring their security protocols in line with the CCPA.

The Future of Data Privacy:

The CCPA, the first of its kind in the US, has spurred other US states to draft privacy laws for their own citizens. There are already several CCPA copycat laws in the US, such as Nevada’s privacy law, Washington State’s Privacy Bill, and New York’s Privacy Bill.

Following the path of the GDPR and the CCPA, over 60 jurisdictions around the world have enacted or proposed postmodern privacy and data protection laws.

According to Gartner, 65% of the global population will have their personal information covered under modern privacy regulations by 2023, up from 10% today.

So, now is the best time for companies to align their data security and privacy practices with the regulations deployed by the state or by the federal government.

In Conclusion
Privacy is becoming a reason for customers to buy a product. So, businesses must build a holistic and adaptive privacy program to increase consumer trust. Executive leaders should be proactive in standardizing operations in accordance with privacy laws.

Businesses should be aware of the current privacy laws, future regulations, and different standards to sustain compliance.

How Does Stealthlabs Help With the CCPA?

Stealthlabs is a US-based Information Security Service and Solutions provider with strong domain expertise in helping companies comply with various data security laws and compliance standards. Our offerings cover a plethora of information security compliance frameworks including GDPR, CCPA, PCI DSS, HITECH, and NERC CIP.
