On June 28, 2018, California enacted one of the country's most comprehensive laws protecting consumers' personal information online. Inspired by the EU's GDPR, the California Consumer Privacy Act of 2018 (CCPA) came into play and took effect on January 1, 2020. It was updated, amended and expanded by the CPRA, which took effect on January 1, 2023.
This law came about largely because of consumer backlash to the lack of control over how their personal data is used online, lack of transparency on the part of businesses, and multiple data breaches that compromised consumers' personal information.
- 1. Who Does the California Consumer Privacy Act (CCPA/CPRA) Affect?
- 2. What Does the Law Change?
- 3. Highlights of the CCPA (CPRA)
- 4. How to Comply with the CCPA (CPRA)
- 4.1. Duty to Disclose
- 4.2. Duty to Allow Access
- 4.3. Duty to Delete
- 4.4. Duty to Allow Opting Out
- 4.5. Duty to Provide Equal Service
- 5. CCPA (CPRA) Enforcement
- 6. Conclusion
Who Does the California Consumer Privacy Act (CCPA/CPRA) Affect?
The CCPA (CPRA) is meant to protect the citizens of California. Specifically, businesses that do more than $25 million in revenue there, make over half their annual revenue from sharing or selling personal information, or that have 100,000 or more unique California visitors per year would be subject to the law - not just businesses that are physically located within the state.
What this means is that any business that either does a meaningful amount of online business in California or handles the personal data of a significant number of California customers should be concerned with the new law.
What Does the Law Change?
The CCPA (CPRA) strengthens consumer rights when it comes to transparency about how data is being used. It also increases consumer rights when it comes to what a business can use data for and how consumers can opt out of having their data used. Additional protections for minors are included.
If you're familiar with the GDPR, you can surely see the similarities here.
Highlights of the CCPA (CPRA)
Here are some of the highlights of the CCPA (CPRA) and how consumers can benefit:
- The CCPA (CPRA) allows consumers to request what specific personal data is being collected about them when they visit a website. This differs from the type of information that would be disclosed in the first category in that it would be the specific information the company has about the specific consumer rather than a category of information that was shared or collected about them and everyone else.
- The CCPA (CPRA) would allow for consumers to opt-out of having their data shared with third parties.
- The CCPA (CPRA) provides additional protections for minors by requiring that websites allow minors ages 13-16 to have their personal data shared only if they opt in. For children under the age of 13, businesses must obtain parental permission before sharing personal information.
- The CCPA (CPRA) forbids discrimination against those using the law to protect their rights. An example of this would be charging different prices or restricting access to someone who opts out.
- The CCPA (CPRA) allows consumers to sue for damages due to a data breach, such as when their sensitive personal information is compromised.
The basic idea behind the law is to give consumers more control over, and access to, their personal data. The law also allows for increased penalties for businesses that don't follow the consumers' wishes about what happens to their data.
How to Comply with the CCPA (CPRA)
To comply with the law, businesses really need to get a good idea about the rights that it creates for consumers along with the duties it creates for businesses.
There are a number of duties the CCPA (CPRA) imposes on businesses, including the following:
- Duty to disclose
- Duty to allow access
- Duty to delete
- Duty to allow opting-out
- Duty to provide equal service
Duty to Disclose
Here's an excerpt from Section 1798.110 that sets this requirement:
Additionally, consumers are allowed under the CCPA (CPRA) to make individual requests about their data. This means that a business must turn over information about that consumer's individual data from the previous 12 months if asked.
Included in this disclosure are the categories, but not the specific types, of data that are being collected on a consumer and the types of third parties that the data may be getting shared with.
Some examples of categories of data may include IP Address, physical location, browsing history, search history, or other such information that could be used to identify a consumer.
Duty to Allow Access
With the CCPA (CPRA), consumers are able to request from businesses which specific data is being gathered about them.
Not only does this mean that a business would have to turn over this information if asked, it also implies that a business has a duty to preserve this information in case it needs to be disclosed in the future. This does not mean that data needs to be stored indefinitely. It only needs to be stored for the last 12 months, which is what the consumer is entitled to under the law.
This also differs from the disclosure of categories of information about an individual that must be turned over if asked. These types of requests would include the specific data gathered, such as a consumer's specific IP address or name.
Duty to Delete
Except for a limited number of reasons, such as completing a contract between the parties or to maintain data security, a business must delete a consumer's personal data from their servers or service providers if requested.
Note that there are a number of exceptions to this, including things like detecting security threats, complying with legal obligations and completing a transaction for which the information was collected:
Duty to Allow Opting Out
Additionally, for minors ages 13-16, personal data cannot be shared unless the consumer specifically "opts-in," offering them a higher level of protection. For children under the age of 13, a business must obtain parental permission before sharing any personal data.
Businesses must take care to keep personal data of those who opt-out separate from those who do not. Businesses should also take care to keep Californians' data separate from non-Californians.
Duty to Provide Equal Service
The new law specifically forbids discrimination against those who exercise their rights under the law. Included in the definition of discrimination would be restricting access or charging different prices to those who opt out.
Not included as a type of discrimination would be providing financial incentives for providing personal data to a website, such as offering a coupon code or other discount.
Additionally, businesses are allowed to charge different amounts to customers who do not provide their data or restrict access if there is some value to be gained by the consumer for providing their personal data.
CCPA (CPRA) Enforcement
The California Attorney General is in charge of civil enforcement of the CCPA.
When a business is given notice of a violation, it is given 30 days to remedy it. If it is not remedied in that 30 days, there is a fine of up to $2,500 for each violation. For intentional violations, there could be an additional $7,500 fine for each violation.
The law also allows consumers to sue for some data breaches, such as when Social Security Numbers, medical information, or credit card numbers are compromised due to a business failing to put in place reasonable security measures.
Consumers affected by a data breach can sue for $100-$700 per violation or for actual damages, whichever is higher.
Conclusion
The CCPA (CPRA) gives consumers greater transparency when it comes to how their data is being handled. It allows them to request disclosure of what data is being collected and who it is being shared with. It also allows consumers to opt out of having their data shared with third parties or request that it be deleted altogether. The CCPA (CPRA) also offers increased protections for minors. Finally, the CCPA (CPRA) allows the California Attorney General to enforce the law and allows consumers to sue for damages caused by data breaches.