The global data regulation landscape underwent another shift when the California Consumer Protection Act (CCPA) entered its enforcement phase. What is there to know about the CCPA for businesses operating in California, and how different is it from the GDPR? We'll start by looking at the CCPA consumer rights, scope, and timeframes.
Who is covered by the CCPA?
This legislation applies to residents of California, as well as businesses that operate within the state. Exemptions to the CCPA include commercial conduct that is determined to be "wholly outside" of California, as well as de-identified and aggregate consumer information. Personal information that is already regulated by a federal law such as HIPAA or GLBA, or by a state law such as California's Confidentiality of Medical Information Act, is also exempt.
What is personal information under the CCPA?
A wide range of data falls under the CCPA's definition of personal information, including:
- Identifiers such as name, address, SSN, IP address, driver's license number or email address
- Consumer records such as purchase histories and individual consumer tendencies
- Biometric information such as fingerprints or retinal scans
- Education data
- Internet activities such as browsing history
- Racial, religious, sexual and other protected classifications
What rights does CCPA grant?
As the name suggests, the CCPA is focused on 'consumers' – which includes users of free services as well as paying customers – and employees. The CCPA grants California residents, even while they are temporarily outside of the state, certain rights, including:
- Knowing what personal information is gathered
- Learning how personal information is used and shared
- Having collected personal information deleted
- Opting out of personal information sales
- Exercising these rights without discrimination
What is the scope?
The scope of the CCPA is far narrower than the GDPR: it relates only to California residents, applies only to for-profit businesses, and excludes nonprofit organizations and government agencies. A business is subject to the CCPA if it meets any of the following criteria:
- Has more than $25 million in gross revenue annually
- Accesses the personal information of 50,000 or more residents
- Derives 50% or more of its revenue from selling residents' information
The regulation is squarely aimed at medium and large businesses rather than small ones, but most companies specializing in data sales will still fall under its requirements no matter their size.
The CCPA also only applies to California residents as defined by tax legislation – meaning anyone who resides there long enough to pay some form of tax. This contrasts with the GDPR, which is more accommodating of temporary residents in the EU.
How can businesses comply on an ongoing basis?
Businesses that want to remain in compliance with the CCPA must do the following:
- Use reasonable security procedures to protect consumers' personal information
- Train staff to help ensure consumer responses are handled accordingly
- Refrain from discriminating against consumers who exercise their rights under the law
- Delete personal information in a timely manner for consumers who request it
- Provide complete records for a 12-month period relating to a consumer's personal information following a verifiable request
What are the time limits?
The CCPA takes an approach to timescales comparable to the GDPR's. Under the CCPA, companies have 45 days to respond to a data request and can extend this by a further 45 days if they notify the requester within the initial deadline. This means that businesses have a longer initial period than the GDPR's single calendar month, but the same overall extended deadline of roughly three months. Because the CCPA deals in days rather than months, it also avoids any ambiguity arising from months of different lengths.
Another notable difference in timing is that the CCPA only applies to information from within the past 12 months, whereas the GDPR's lack of limit can have businesses trawling through many years of data when it comes to a long-term customer or employee.
What is the maximum regulatory penalty under the CCPA?
Penalties for companies that do not comply with the CCPA can vary depending on the severity and the number of violations. The California attorney general's office can impose fines of up to $2,500 for each violation, which can increase to up to $7,500 if the violations were found to be intentional.