What the California Consumer Privacy Act of 2018 Means to Businesses

Written by FreePrivacyPolicy Legal Writing Team and last updated on 06 March 2023.

On June 28, 2018, California enacted one of the country's most comprehensive laws protecting consumers' personal information online. Inspired by the EU's GDPR, the California Consumer Privacy Act of 2018 (CCPA) took effect on January 1, 2020. It was updated, amended and expanded by the CPRA, which took effect on January 1, 2023.

This law came about largely because of consumer backlash to the lack of control over how their personal data is used online, lack of transparency on the part of businesses, and multiple data breaches that compromised consumers' personal information.

The CCPA (CPRA) dictates a lot about how business is done online for nearly all businesses, not just those located within the state of California. This article will take a look at exactly what the CCPA (CPRA) means for your Privacy Policy.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used.
  3. Answer a few questions about your business.
  4. Enter the country and click on the "Next Step" button.
  5. Continue building your Privacy Policy by answering the questions from our wizard.
  6. Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.



Who Does the California Consumer Privacy Act (CCPA/CPRA) Affect?

The CCPA (CPRA) is meant to protect the citizens of California. Specifically, businesses that do more than $25 million in revenue there, make over half their annual revenue from sharing or selling personal information, or that have 100,000 or more unique California visitors per year would be subject to the law - not just businesses that are physically located within the state.

What this means is that any business that either does a decent amount of online business in California or deals in the personal data of a fairly significant number of California customers should be concerned with the new law.

What Does the Law Change?

The CCPA (CPRA) strengthens consumer rights when it comes to transparency about how data is being used. It also increases consumer rights when it comes to what a business can use data for and how consumers can opt out of having their data used. Additional protections for minors are included.

If you're familiar with the GDPR, you can surely see the similarities here.

Highlights of the CCPA (CPRA)

Here are some of the highlights of the CCPA (CPRA) and how consumers can benefit:

  • The CCPA (CPRA) allows for Californians to access what information is being gathered and shared about them through increased transparency. Websites must disclose clearly, most likely in the Privacy Policy, how consumer data will be used. Additionally, consumers are now allowed to request from a website how their individual data is being used and who it is being disclosed to. This would involve disclosing what categories of data are being gathered on a consumer.
  • The CCPA (CPRA) allows consumers to request what specific personal data is being collected about them when they visit a website. This differs from the type of information that would be disclosed in the first category in that it would be the specific information the company has about the specific consumer rather than a category of information that was shared or collected about them and everyone else.
  • The CCPA (CPRA) would allow for consumers to opt-out of having their data shared with third parties.
  • The CCPA (CPRA) provides additional protections for minors by providing that websites must allow minors ages 13-16 to only opt-in to having their personal data shared. For children under the age of 13, businesses must obtain parental permission before sharing personal information.
  • The CCPA (CPRA) forbids discrimination against those using the law to protect their rights. An example of this would be charging different prices or restricting access to someone who opts out.
  • The CCPA (CPRA) allows consumers to sue for damages due to a data breach, such as when their sensitive personal information is compromised.

The basic idea behind the law is to give consumers more control over, and access to, their personal data. The law also allows for increased penalties for businesses that don't follow the consumers' wishes about what happens to their data.

How to Comply with the CCPA (CPRA)

To comply with the law, businesses really need to get a good idea about the rights that it creates for consumers along with the duties it creates for businesses.

There are a number of duties the CCPA (CPRA) imposes on businesses, including the following:

  • Duty to disclose
  • Duty to allow access
  • Duty to delete
  • Duty to allow opting-out
  • Duty to provide equal service

Duty to Disclose

A business must be transparent when it comes to how customer personal data is being used. This is best done by making sure that the website's Privacy Policy clearly states how a business uses personal data.

Here's an excerpt from Section 1798.110 that sets this requirement:

California Legislative Information: California Consumer Privacy Act CCPA - Section 1798:110 - Disclosure of personal information collection practices

Additionally, consumers are allowed under the CCPA (CPRA) to make individual requests about their data. This means that a business must turn over information about that consumer's individual data from the previous 12 months if asked.

Included in this disclosure are the categories, but not the specific types, of data that are being collected on a consumer and the types of third parties that the data may be getting shared with.

California Legislative Information: California Consumer Privacy Act CCPA - Section 1798:110 - Right to request disclosure of personal information collected

Some examples of categories of data may include IP Address, physical location, browsing history, search history, or other such information that could be used to identify a consumer.

Duty to Allow Access

With the CCPA (CPRA), consumers are able to request from businesses which specific data is being gathered about them.

Not only does this mean that a business would have to turn over this information if asked, it also implies that a business has a duty to preserve this information in case it needs to be disclosed in the future. This does not mean that data needs to be stored indefinitely. It only needs to be stored for the last 12 months, which is what the consumer is entitled to under the law.

This also differs from the disclosure of categories of information about an individual that must be turned over if asked. These types of requests would include the specific data gathered, such as a consumer's specific IP address or name.

California Legislative Information: California Consumer Privacy Act CCPA - Section 1798:110 - Right to request disclosure of specific personal information collected - highlighted

Duty to Delete

Except for a limited number of reasons, such as completing a contract between the parties or to maintain data security, a business must delete a consumer's personal data from their servers or service providers if requested.

California Legislative Information: California Consumer Privacy Act CCPA - Section 1798:105 - Right to deletion

Note that there are a number of exceptions to this, including things like detecting security threats, complying with legal obligations and completing a transaction for which the information was collected:

California Legislative Information: California Consumer Privacy Act CCPA - Section 1798:105 - Right to deletion exceptions

Duty to Allow Opting Out

The new law creates a duty to allow a consumer to "opt out" of their personal data being shared with third parties. You must let consumers know that they have this right by adding a link on the homepage and within the Privacy Policy that's titled "Do Not Sell My Personal Information."

California Legislative Information: California Consumer Privacy Act CCPA - Section 1798:120 - Right to opt out

Additionally, for minors ages 13-16, personal data cannot be shared unless the consumer specifically "opts-in," offering them a higher level of protection. For children under the age of 13, a business must obtain parental permission before sharing any personal data.

California Legislative Information: California Consumer Privacy Act CCPA - Section 1798:120 - Minors right to opt out

Businesses must take care to keep personal data of those who opt-out separate from those who do not. Businesses should also take care to keep Californians' data separate from non-Californians.

Duty to Provide Equal Service

The new law specifically forbids discrimination against those who exercise their rights under the law. Included in the definition of discrimination would be restricting access or charging different prices to those who opt-out.

Not included as a type of discrimination would be providing financial incentives for providing personal data to a website, such as offering a coupon code or other discount.

Additionally, businesses are allowed to charge different amounts to customers who do not provide their data or restrict access if there is some value to be gained by the consumer for providing their personal data.

California Legislative Information: California Consumer Privacy Act CCPA - Section 1798:125 - No discrimination clause

CCPA (CPRA) Enforcement

The California Attorney General is in charge of civil enforcement of the CCPA.

When a business is given notice of a violation, it is given 30 days to remedy it. If it is not remedied in that 30 days, there is a fine of up to $2,500 for each violation. For intentional violations, there could be an additional $7,500 fine for each violation.

The law also allows consumers to sue for some data breaches, such as when Social Security Numbers, medical information, or credit card numbers are compromised due to a business failing to put in place reasonable security measures.

Consumers affected by a data breach can sue for $100-$700 per violation or for actual damages, whichever is higher.

Conclusion

The CCPA (CPRA) gives consumers greater transparency when it comes to how their data is being handled. It allows them to request disclosure of what data is being collected and who it is being shared with. It also allows consumers to opt out of having their data shared with third parties or request it be deleted altogether. The CCPA (CPRA) also offers increased protections for minors. Finally, the CCPA (CPRA) allows the California Attorney General to enforce the law and allows consumers to sue for damages caused by data breaches.