Unlike the European Union, which has wide-ranging digital privacy legislation in the General Data Protection Regulation (GDPR), the United States lacks a comprehensive data privacy law. But as of January 1, 2020, the country’s most populous state has the California Consumer Privacy Act (CCPA) — a law that’s been called “GDPR Lite.” The landmark law gives Californians the strongest online privacy rights in the country, including the right to sue businesses in the event of a data breach.
Who does the CCPA affect?
The CCPA started as a ballot initiative and morphed into a California Assembly bill. It was signed into law in 2018, amended several times in 2019, and took effect in 2020.
Who is subject to the CCPA? Your for-profit business is, if it does business in the State of California, receives the personal data of California residents, and meets one or more of the following criteria:
Has annual gross revenue of more than $25 million;
Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices, per year; or
Derives at least 50 percent of its annual revenues from selling consumers’ personal information.
According to a statement from the California Attorney General, businesses that include data brokers, marketing companies, media outlets, online retailers, and entities handling children’s information were found to be in violation of the CCPA in 2020. The Attorney General also released a list of enforcement examples in which notices of CCPA noncompliance were sent to businesses. Issues cited in these cases include:
Not providing required notices to consumers
Non-compliant service provider contracts
No “Do Not Sell My Personal Information” link on a website’s homepage
Not providing a Notice of Financial Incentive to consumers
Non-compliant opt-out process
Not providing a toll-free number for consumers making CCPA requests
Sales of minors’ personal information
Who is exempt from the CCPA?
The CCPA only applies to for-profit businesses that meet the criteria listed above. “Business,” as defined by the law, is a sole proprietorship, LLC, corporation, association, or other legal entity organized or operated for the profit or financial benefit of its shareholders or other owners.
Nonprofit organizations and government agencies are typically not required to comply with the CCPA, but there are some exceptions.
When does the CCPA apply to nonprofits?
A closer look at the statute shows that some non-profits might not actually be exempt from the CCPA. Specifically, a non-profit entity that controls or is controlled by a for-profit entity, and that shares common branding with that business (e.g., a shared name, service mark, or trademark), could be subject to CCPA requirements. A non-profit could also fall under the CCPA if it receives personal information from a business through a “sale,” as defined in the statute.
Does the CCPA only apply to California residents?
Yes. Only residents of California have data privacy rights under the CCPA. The language of the law refers to California “consumers.” For CCPA legal purposes, a consumer means a natural person (i.e., an individual, and not a corporation or other business entity) who resides in California.
A person who is temporarily outside the state, but is still legally a California resident, has CCPA rights.
Does CCPA apply to my business and if so, how do I comply?
There is some uncertainty about the exact definition of “doing business” in California. It may not be necessary to be physically headquartered in California. For example, if your business has employees in the state, conducts online transactions with California residents, or has certain other ties to the state, the CCPA may apply to you.
Bloomberg Law provides a breakdown of the term “doing business” in the context of other California laws. But the key point is that, even if your business is not located in California, you may have to comply with the CCPA, which involves adding a “Do Not Sell My Personal Information” link on your digital properties.
A recent survey found that less than 12 percent of businesses know whether their business is subject to the CCPA. Questions about whether the CCPA applies to your business should be discussed with a data privacy lawyer.
Who Benefits from the CCPA?
The CCPA is intended to benefit California consumers by giving them greater control over their personal information online. It enshrines the following consumer data rights:
The right to know what information businesses collect about them and how that data is used and shared.
The right to delete most kinds of personal information that businesses collect from them.
The right to opt-out of the sale of their personal data.
The right to not be discriminated against for exercising their CCPA rights (for example, if a consumer exercises their CCPA rights, a business cannot deny them goods or services, or charge them a higher price as a result).
Consumer rights under the CCPA are explained in greater detail on the California Department of Justice website.
What CCPA regulations apply if a business violates consumer privacy rights?
Generally, CCPA enforcement is the duty of the California Attorney General. When a business receives written notice of noncompliance, it has 30 days (known as the “30-day statutory cure period”) to become compliant. Failure to do so could result in a civil penalty of up to $2,500 for each violation. For intentional violations, the penalty could be up to $7,500.
Consumers may not sue a business for CCPA violations, but they do, under limited circumstances, have a private right of action in the event of a data breach. California consumers can sue for statutory damages of up to $750 per incident, or for the actual amount of monetary damages they suffer from a data breach—whichever is greater. Most likely, after a data breach affecting a large number of consumers, damages would be pursued via class action litigation.
How can Didomi help my business with the CCPA?
A bespoke Didomi Consent Management Platform (CMP) makes complying with the CCPA easy. A CMP ensures that data compliance does not involve guesswork, whether that be on web, in app or via connected TV. Solutions such as Didomi are IAB Europe TCF v2 approved, and CCPA & GDPR compliant, allowing companies to use data privacy to create value with trust.
On the back end, we keep legal proof that users were informed about the right to opt-out of the sale of their personal information. On the front end, you can customize the look and feel of the messaging to remain on-brand.
Giving users control of their personal data is mandatory in California, but, outside of California, going above and beyond legal requirements can generate valuable trust. More than 90 percent of Americans told Axios that they would switch to a company that prioritizes their data privacy.