The California Consumer Privacy Act (CCPA) is a bill passed by the California State Legislature on June 28, 2018, which was amended and signed into law on September 23, 2018. It broadly expands the rights of consumers and requires companies within scope to be significantly more transparent about how they collect, use and disclose personal information. The CCPA is effective January 1, 2020, and enforcement is slated to begin no later than July 1, 2020.
What is CCPA?
CCPA stands for the California Consumer Privacy Act of 2018. It is the most recent personal data protection law passed by the State of California, aimed at protecting the privacy rights of its residents. It responds to the growing role of personal data in contemporary business practices and to the privacy implications surrounding the collection, use, and protection of personal information.
The CCPA will apply to for-profit businesses that collect and control California residents' personal information, do business in the state of California, and meet at least one of the following thresholds:
- Annual gross revenues larger than $25 million
- Receive or disclose the personal information of 50,000 or more California residents, households, or devices each year
- Make 50 percent or greater annual revenue from selling California resident information
Companies already following GDPR guidelines will have a bit of a leg up in becoming CCPA-compliant, since the two privacy measures overlap in certain areas. But meeting all the requirements of the new CCPA standards will still take diligence, even for those already compliant elsewhere, and any remaining gaps now carry new consequences.
APPROACH TO CCPA
What are CCPA Requirements?
For businesses that must adhere to CCPA law, compliance breaks down into 5 main requirements:
- Data inventory and mapping of in-scope personal data and instances of “selling” data
- New individual rights to data access and erasure
- New individual right to opt-out of data selling
- Updating service-level agreements with third-party data processors
- Remediation of information security gaps and system vulnerabilities
How Does It Work?
Does Your Business Have to Comply with CCPA?
Any for-profit organization doing business in California that collects consumers’ personal data and meets at least one of the following qualifiers must comply with CCPA:
- Has annual gross revenues in excess of $25 million
- Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenues from selling consumers’ personal information
While the current compliance requirements are limited to California, this new privacy law could signal the beginning of a nationwide change, similar to GDPR regulations in Europe.