An Overview of the California Consumer Privacy Act (CCPA)

With January 2020 fast approaching, meeting California Consumer Privacy Act (CCPA) compliance is becoming a top priority for businesses across the U.S. In a PwC survey, 86 percent of respondents rank CCPA compliance as a top business priority. This law will not only affect companies in California, but also those that have customers that live in California…which encompasses nearly every consumer and B2B company in the U.S.

Despite the widespread impact this legislation will have on businesses, a large amount of businesses are still undereducated and unprepared for CCPA. Of 625 business owners recently polled, 44.2 percent had never heard of CCPA. Furthermore, just 11.8 percent understood whether or not the law was applicable to their business, and 34 percent were unsure as to whether or not they needed to make changes to their processes for collecting, storing and processing data.

Because of the widespread impact of CCPA, we want to offer a brief overview of the law and resources to help your company prepare.

Frequently Asked Questions

What is the CCPA?

The CCPA is intended to grant rights to California residents to help them better understand and control how companies collect and use their personal data.

What does this mean for consumers?

Under this act, consumers can:

  • Request their personal data
  • Know what personal information a company has collected on them
  • Find out where the data came from, how it will be used, and where it’s shared
  • Have their personal data deleted upon request
  • Forbid the sale of their personal data

What does this mean for businesses?

This law applies to businesses that:

  • Have an annual revenue of $25 million or more
  • Buy and sell the information of 50,000 consumers or more
  • Obtain 50 percent or more of annual income from selling personal data

It is also important to reiterate that the CCPA is not limited to California-based businesses. If you do business in California, but you are not located in California, you are still expected to comply. Businesses also cannot discriminate against consumers if they decide to opt-out of sharing their personal information.

What is the penalty for non-compliance?

Once notified of a consumer request, your business will have 45 days to respond. Any damages that result from a breach are fined at a limit of $750 per consumer, per incident.

When will CCPA go into effect?

The CCPA was introduced in November 2018 and will go into effect on January 1, 2020, with enforcement beginning July 1, 2020.

Don’t feel ready for the CCPA? Check out Corodata’s CCPA Compliance Checklist for six essential steps.

How does CCPA differ from GDPR?

The European Union’s General Data Protection Regulation (GDPR) went into effect in May of 2018. While it may seem similar to CCPA, there are some distinct differences. Overall, the two place different weight on certain points of data privacy. Some key differences between the two laws are:

  • GDPR applies to all businesses that process the data of EU citizens, CCPA applies to California and those that do business in California.
  • GDPR penalties can reach up to 4 percent of the company’s annual global turnover, while CCPA fines are applied per violation and have a cap of $750 per incident.
  • GDPR and CCPA define personal data differently:
  • – GDPR’s definition covers all personal data including names, mailing addresses, and IP addresses, etc. as well as special categories of personal data (religious views, sexual orientation, political opinions, etc.).
    – CCPA’s definition applies only to personal data that cannot be obtained from governmental records.

  • CCPA grants consumers the right to opt-out of the sale of their personal data, while GDPR does not include a specific right to opt out.
  • CCPA requires third-party businesses that receive personal information about a California resident to notify California consumers before selling their data.
  • Disclosure methods vary between GDPR and CCPA:
  • – GDPR broadly asks companies to use clear and simple language
    – CCPA mandates that companies include a prominently visible link on their homepage entitled “Do Not Sell My Personal Information” so that consumers can easily identify where to go to opt out.

  • GDPR requires consumers’ consent before gathering any data about them while CCPA allows companies to begin gathering information without consent, but requires that consumers have the ability to opt out if they wish.
  • GDPR requires companies to respond to consumer requests within 30 days and CCPA allows companies 45 days to respond.
  • Gorilla Expert Insights

    While it is incumbent on all business to comply with CCPA, there are many positive aspects of this legislation. First and foremost, CCPA offers businesses the opportunity to increase consumer trust and brand loyalty.

    Over the past several years, data breaches have reached an all-time high, and consumers are more concerned than ever about safeguarding their personal information and data in every transaction they make. By showing your customers that you are not just another data-mining opportunist, you will stand out as a respected business and create a more positive user experience

    “Consumers deserve to have control over their personal information and how it is used. By empowering your customers to control how their data can be used, you are creating a level of trust and positive brand association they will appreciate. CCPA regulations give you the opportunity to establish yourself as a partner in the fight to protect and safeguard your customers’ privacy.” – Chris Rothstein, Gorilla Group’s Manager of Alliances for Data & Analytics.

    Learn More

    Being informed and knowledgeable about CCPA is the best way to ensure that your business is compliant. If you still have questions, we’d be happy to discuss your CCPA compliance strategy in more detail and offer additional resources. Contact us for a more in-depth conversation.