Blog  •  November 09, 2021

Start the Conversation

Honeypot Field to Catch Bots
Honeypot Field to Catch Bots

With the CCPA Now Under Enforcement, What do Businesses Need to Know?

The global data regulation landscape underwent another shift when the California Consumer Protection Act (CCPA) entered its enforcement phase. So, what does this mean for businesses operating in California and how different is it from the GDPR? We’ll start by looking at the CCPA consumer rights, scope, and timeframes.

What rights does CCPA grant?

As per the name, the CCPA is focused on ‘consumers’ – which includes users of free services as well as paying customers – and employees. The CCPA imparts California residents, even if they are temporarily outside of the state, with the certain rights involving:

  • Knowing what personal information is gathered
  • Learning how personal information is used and shared
  • Deleting of personal information collected
  • Opting out of personal information sales
  • Exercising these rights without discrimination

What is the scope?

The scope of the CCPA is far narrower than the GDPR, relating to California residents, applying to for-profit businesses, and excluding non-profit organisations or government agencies. A business is liable under the CCPA if they meet any of the following criteria:

  • Experience more than $25 million in gross revenue annually
  • Accesses the personal information of 50,000 or more residents
  • Produce 50% or more revenue from selling resident’s information

The regulation is squarely aimed at medium and large businesses rather than small ones, but most companies specialising in data sales will still fall under its requirements no matter their size.

The CCPA also only applies to Californian residents as defined by tax legislation – meaning anyone who resides there long enough to pay some form of tax. This contrasts with the GDPR which is more accommodating of temporary residents in the EU.

What are the time limits?

The CCPA has taken a comparable approach to timescales to the GDPR. Companies will be given a standard 45 days to respond to a data request and can extend this for a further 45 days if they notify the requester within the initial deadline. This means that businesses will have a longer initial period than the GDPR’s single calendar month, but the same overall extended deadline of roughly three months. As the CCPA deals in days rather than months, it also does away with any issues relating to months of different lengths.

Another notable difference in timing is that the CCPA only applies to information from within the past 12 months, whereas the GDPR’s lack of limit can have businesses trawling through many years of data when it comes to a long-term customer or employee.

Darren Wray

Founder, Guardum by DFIN