What Is The CCPA Effective Date?

The California Consumer Privacy Act (CCPA), a landmark data privacy law that grants California consumers the right to control their personal information, took effect on January 1, 2020. Since then, businesses that fall under its scope, including national and international companies, have been obliged to comply with CCPA regulations.

What Is The CCPA?

The CCPA is a comprehensive data privacy law that affords California consumers the right to control the personal information that businesses collect from them and use or sell. These rights include:

  • The right to know about the personal information a business collects, uses, and shares
  • The right to delete the personal information collected by businesses (with some exceptions)
  • The right to opt-out of the sale of their personal information
  • The right to non-discrimination for exercising their rights under the CCPA

What Is Considered Personal Information?

CCPA personal information refers to data “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular” California resident or household.

These include, but are not limited to, identifiers, commercial information, biometrics, online activity, and inferred consumer profiles.

When Did The CCPA Take Effect?

The CCPA was signed into law in 2018 and, after several amendments, took effect in January 2020. Since the CCPA effective date, the California Attorney General's Office has introduced regulations to clarify and interpret the law.

In July 2020, the CCPA became officially enforceable when the California Department of Justice began to notify businesses of potential non-compliance, giving them 30 days to rectify alleged violations.

What Does The CCPA Effective Date Mean For Businesses?

The CCPA only applies to for-profit businesses that “do business in California” and meet at least one of the following criteria:  

  • Has a gross annual revenue of more than $25 million
  • Buys, receives, or sells (or in any way makes available to another, e.g. renting, disseminating, etc.) the personal information of at least 50,000 California residents, devices, or households
  • Derives at least half of its annual revenue from selling the personal information of California residents

All businesses that fit the bill—even those that aren’t located in California but profit from doing business with its residents—must comply with the law after its effective date.

To do this, the CCPA has regulations that guide businesses to be compliant. Generally, these oblige businesses to make their data practices transparent and to provide consumers the avenues to exercise their rights. Here are some examples:

Update Privacy Policy

Businesses must review and update their privacy policy to describe the rights afforded by the CCPA. It must also detail the categories of personal information that are collected from consumers, as well as how this data is stored, used, or made available to others through sale, exchange, transfer, etc.

Additionally, a compliant privacy policy should also explain how consumers can exercise their CCPA rights.

Obtain Opt-In Or Opt-Out Consent

Businesses must include a “Do Not Sell My Personal Information” link or page on their website under the CCPA’s “right to opt-out.” It should be clearly placed in a conspicuous location on the website or in an application’s settings page and in the privacy policy.

Businesses aren’t allowed to sell the personal information of minors. So they should also add opt-in consent channels for consumers between thirteen and fifteen years old or for the parents of users under thirteen.

Provide Channels To Request Access Or Deletion of Data

Businesses need to create CCPA-compliant practices to process consumer requests to access or delete the personal information collected from them. There should be at least two methods to submit these requests, followed by a procedure that confirms, verifies, and processes such requests promptly.

Train Employees About The CCPA

The CCPA can affect how businesses operate, especially if the products or services are sold or provided online. So businesses must train their employees about the CCPA to ensure its proper implementation.

Review Agreements With Third Parties And Service Providers

Businesses have the responsibility of updating agreements with third parties or service providers that manage the personal information of their consumers to be CCPA-compliant.

Conclusion

The CCPA won’t be the last data privacy law. So even businesses that don’t fall under its scope should review the regulations and apply the changes to their current data practices to get ahead of more markets shifting into better protecting the personal information of consumers.

CCPA Categories Of Personal Information

Under the California Consumer Privacy Act (CCPA), California consumers have secured rights that give them control over their personal information. But what exactly is considered CCPA personal information? 

According to the law, CCPA personal information refers to data “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular” California resident or household. 

This data falls into eleven general categories, such as identifiers (e.g. name, address, aliases, etc.), biometrics, professional or employment-related information, and more.

What Are The CCPA Categories Of Personal Information?

The CCPA defines personal information vaguely because the term is designed to encompass all data that has been collected since the CCPA effective date, data that is currently being collected through different tracking methods, and other information that businesses may begin to collect in the future, given the dynamic digital landscape.

That said, the eleven categories of personal information help outline the exact data that the CCPA hopes to protect. These are:

Identifiers

Identifiers are basic details about the consumer such as their real name, alias/es, postal address, unique personal identifier, online identifier, internet protocol (I.P.) address, email address, account name, social security number, driver’s license number, passport number, and other similar identifiers.

Customer Records

Customer records refer to the personal information described in subdivision (e) of Section 1798.80 of the California Civil Code. 

These include a customer’s name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, and health insurance information.

Characteristics Of Protected Classifications Under California Or Federal Law

Characteristics of protected classifications under California or federal law refer to consumers’ race, ancestry, national origin, religion, age, mental and physical disability, sex, sexual orientation, gender identity, medical condition, genetic information, marital status, and military status.

Commercial Information

Commercial information relates to the purchasing activities and preferences of a consumer, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Biometrics

Biometrics are body measurements and calculations used to determine an individual’s identity. These include fingerprints, DNA, photos and videos, audio recordings, and the like.

Internet Or Other Electronic Network Activity

A consumer’s online activity includes, but is not limited to, their browsing history, search history, and information about their interaction with an internet website, application, or advertisement.

Geolocation

Geolocation data refers to any information that can identify an electronic device’s (e.g. a laptop or smartphone) physical location, such as that from a GPS.

Information Detected By The Senses

Information detected by the senses includes audio, electronic, visual, thermal, olfactory, or similar information.

Professional Or Employee-Related Information

Professional or employee-related information can include a consumer’s place of employment, position, job history, salary, resume, and other related data.

Education Information

Education information is defined as “information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.”

Inferences

Inferences refer to information drawn from data that is used to create a profile about a consumer reflecting their preferences, characteristics, psychological traits, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

What Is Not Considered Personal Information?

Personal information doesn’t include publicly available data—those that are made legally available through federal, state, or local government records. It also excludes de-identified or aggregated consumer information.

How Does The CCPA Protect Personal Information?

The CCPA protects personal information by obliging for-profit businesses that do business in California or with state residents to comply with its regulations. These generally require businesses to be transparent about their data practices. 

Businesses can achieve this with an updated CCPA privacy policy, including an opt-out option on their website (aka a “Do Not Sell My Personal Information” page), and with training for their employees about the law, among other compliance actions.

To ensure that your business is CCPA-compliant, make sure to be informed about the law and to review your data practices to see if they align with CCPA regulations. For example, are you prepared to respond expediently to the CCPA right to deletion?

Conclusion

Since the CCPA was enacted to help consumers protect their personal information, it’s important to be familiar with the categories of information that are covered by this legislation. 

The following are some of the categories covered by the CCPA: identifiers, customer records, classifications, commercial information, biometrics, internet activity, geo-location, and sensory-derived information.

The law requires enterprises doing business with California residents to be very transparent about what information they collect and how they use it. It’s a good idea to get very well acquainted with the CCPA. Either you are one of the businesses that is required to be compliant now or you will be in the future, as similar legislation is enacted.

Understanding The CCPA Right To Deletion

The California Consumer Privacy Act (CCPA) is a data privacy law that affords rights to California consumers, giving them control over their personal information. Among these is the CCPA right to deletion, which allows consumers to request that businesses and their service providers delete the personal information collected from them.

What Is “Deletion” Under The CCPA?

According to the CCPA, a business complies with deletion by:

  • Completely and permanently erasing someone’s personal information on its active systems
  • De-identifying personal information
  • Aggregating personal information

Businesses that store personal information on archived or backup systems can delay deletion compliance requests until said systems are either restored or re-accessed or used for a disclosure, sale, or commercial purpose.

What Information Needs To Be Deleted?

With some exceptions, the right to deletion applies to all CCPA personal information, which is defined as “information that identifies, relates to, or could reasonably be linked with” a California resident or household. 

This includes, but is not limited to, names, addresses, financial information, educational background, professional data, geo-location, biometrics, browsing and purchasing history, and profiles inferred from consumer preferences. 

What Are The Exceptions To CCPA Right To Deletion?

Businesses and service providers can forego deletion if the retention of personal information is necessary to:

  • Complete a transaction
  • Detect security incidents or protect against illegal activity; or prosecute those responsible for such acts
  • Debug to identify and repair errors
  • Exercise free speech
  • Comply with the California Electronic Communications Privacy Act (ECPA)
  • Engage in research, given that the consumer has provided informed consent
  • Enable solely internal uses aligned with consumer expectations
  • Comply with legal obligations
  • Use in a way that is compatible with the context in which the consumer provided the data

Can I Deny A Request To Delete?

Apart from the exceptions, businesses and service providers can also deny deletion requests if the identity of the individual requesting deletion can’t be verified or if the personal information in question wasn’t collected from the consumer by the business. 

How To Comply With CCPA Right To Deletion

The CCPA regulations detail what businesses must do to comply with consumers’ right to delete. These steps include updating your privacy policy, providing channels through which consumers can request that their data be deleted, and keeping a record of deletion requests.

Privacy Policy

Businesses must review and update their privacy policies to detail consumers’ data privacy rights, as well as explain how these rights can be exercised. A CCPA privacy policy, then, must disclose the right to deletion and describe the method to submit deletion requests.

Data Deletion Requests

Businesses are required to provide two methods to submit data deletion requests. These should fit the way your business interacts with your consumer. 

For example, a clothing shop that has a website can provide both a toll-free number and an online form their customers can use to submit their requests. These avenues should be separate from other contact points such as helplines or customer service emails.

Data Deletion Process

Upon receiving a data deletion request, a business must confirm receipt within ten days and provide information about how the request will be processed. A business must also inform the consumer within forty-five days, regardless of the time required to verify the request, whether it has complied with the request or not.

If the business complies, it has to inform the consumer that a record of the request will be kept to ensure that the data remains deleted.

If the business denies the request under an exemption, it must inform the consumer that it won’t comply, that it won’t delete any information that is subject to the exemption, and that it won’t use the data for any purpose other than the exemption. 

If the request is denied due to failed verification, a business must direct the consumer to proper processing.

Record-Keeping

Businesses must keep a record of CCPA-pursuant requests for at least twenty-four months. These should be maintained, and they can’t be used for any purpose other than those that comply with the law.

Conclusion: Compliance Is Key

The right to deletion is only one of four main rights afforded by the CCPA. Any business that does business in California or with California residents must comply with all of them. 

So it’s good practice to stay informed and to review your business’s current data practices to see if they are in line with the law. Otherwise, you’re at risk of paying hefty fines or losing business in the state.

CCPA Privacy Policy Language

The California Consumer Privacy Act (CCPA) is a landmark data privacy law that gives consumers more control over the personal information businesses collect from them. But for the law to be effective, it’s imperative for businesses to comply with its regulations. 

One requirement under the CCPA is to update your website’s privacy policy to include details of the rights afforded by the law, a description of the data access and deletion processes, and a list of all categories of personal information collected, used, and sold by the business, among others. These must be written in plain English and formatted in readable text that’s easy to navigate.

What Is A Privacy Policy?

A privacy policy is a written statement that provides information on the online and offline data practices of a business, particularly as they relate to its consumers (i.e. the sources of the data). It describes the collection, use, sale, sharing, or transfer of people’s personal information.

Under the CCPA, personal information refers to any information that identifies, relates to, or in any way links to a California consumer or household. This includes, but is not limited to, basic information, non-commercial data, and insights gathered from user activity and preferences.

What Do I Need To Include In My Privacy Policy? 

A CCPA privacy policy is required to disclose the rights established by the data privacy law and explain how a consumer can exercise their rights under the law. It should be outlined in plain, readable text that is easy to navigate, and it must be linked to visible areas of your website.

Here are the essential parts of a compliant privacy policy:

CCPA Consumer Rights

Your privacy policy must inform consumers of their rights under the CCPA, namely:

  • the right to know about the personal information a business collects from its customers, uses, and shares
  • the right to delete personal information collected by businesses (with some exceptions)
  • the right to opt-out of the sale of personal information
  • the right to non-discrimination for exercising rights under the CCPA

Requesting Data Access And Deletion

Consumers must be given the option to access their data. So your privacy policy should include instructions on how they can perform a CCPA data subject access request. In the same way, under the CCPA right to deletion, it should give consumers the avenue to delete the personal information collected from them.

This usually means operating a toll-free number or email address that they can use to submit data access and deletion requests.

“Do Not Sell My Personal Information” Page

The CCPA requires businesses that sell consumer data to third parties, or give third parties access to it, to provide a dedicated web page where consumers can opt out of the sale of their personal information.

This page, called the Do Not Sell My Personal Information page, must be linked to both your privacy policy and website homepage.

Details Of Personal Information Collected, Used, Or Sold

Your privacy policy must make your data practices transparent, from collection to sale. It must list all categories of personal information collected, the sources of these data, and the purpose for collecting them. 

Your privacy policy should also disclose how and to whom personal information is shared, exchanged, transferred, or sold, especially if it’s done for profit.

Does My Privacy Policy Need To Comply With The CCPA?

All businesses that do business in California or with California consumers must comply with the CCPA and, consequently, create or update their privacy policy according to the requirements of the law. 

Although not all businesses fall under the jurisdiction of the CCPA, businesses are encouraged to adopt the law in their data practices. With other data privacy laws such as the General Data Protection Regulation (GDPR) already in place, it won’t be long until more local and international markets work to secure consumers’ rights to their data privacy.

Conclusion

The CCPA requires your website’s privacy policy to include the provisions of this legislation so that consumers are informed of the control they now have over their personal information. Visitors to your website must also be given any necessary instructions on how to avail themselves of those rights.

Understanding The CCPA Data Subject Access Request

The California Consumer Privacy Act (CCPA) gives California consumers some rights to control their personal information. Among these is the “right to know” (or the “right to access [data]”), which grants people the ability to request details about the data that a business collected from them, used, or sold. Businesses must respond to and process these data subject access requests (DSARs) in compliance with the CCPA.

What Is A Data Subject Access Request (DSAR)?

A consumer can exercise their right to know by submitting a DSAR. These requests empower people to access the personal information collected from them, the purpose for which it was collected, and details about third parties to whom a business is sharing or selling consumers’ personal information.

Any person protected under the scope of the CCPA—or any other data privacy law with similar statutes, such as Europe’s General Data Protection Regulation (GDPR)—can submit a DSAR, and businesses catering to these consumers must comply with the regulations to fulfill these requests.

What Personal Information Can A Consumer Request Access To?

The CCPA has a broad definition of “personal information” or “information that identifies, relates to, or could reasonably be linked with” a California consumer or household. Under the right to know, a consumer can request access to:

  • the categories of personal information collected
  • specific pieces of personal information collected
  • the categories of sources from which information is collected
  • the purposes for which personal information is used
  • the categories of third parties with whom personal information is shared
  • the categories of information that is sold, disclosed, or in any way made available to third parties

Do All Businesses Have To Respond To DSARs?

The CCPA requires all for-profit businesses that do business in California and either have a gross annual revenue of over $25 million; buy, sell, or receive the personal information of more than 50,000 California residents, households, or devices; or derive at least half of their annual revenue from the sale of California consumers’ personal information to respond to and process DSARs.

Exceptions To The CCPA

Given its nature, does the CCPA apply to government agencies? The answer is no—with the same being true for non-profit organizations. 

That said, if government entities and non-profits are third parties to whom a business shares information, the business must disclose that and list them in the category of third parties.

How To Manage DSARs

The CCPA provides regulations as to how a business must respond to, process, and keep a record of DSARs in a way that fully enables consumers to exercise their afforded rights. Here are some steps that a business must take to comply:

Provide DSAR Channels

A business is required to designate at least two methods for a consumer to submit a DSAR—one being a toll-free number, the other being an email contact address (except if the business operates exclusively online, in which case an email address should suffice). These channels should be fit for the nature of the business, and they should be separate from other customer support channels.

Set A Method for Processing DSARs

A business must set a method for processing DSARs and explain it in detail in their CCPA privacy policy.

Upon receipt of a request, a business is required to deliver the information requested within 45 days of receiving a verifiable consumer request (i.e. a request that has been verified to be made by the requester about their own personal information). 

This deadline can be extended another forty-five days when “reasonably necessary”, depending on the complexity and the volume of the DSAR. In this case, the business must inform the consumer about the extension.

A business must provide the requested information through the medium chosen by the consumer, which may differ from the channel used to submit the DSAR.

Train Employees On How To Manage DSARs

Business owners must train employees about the proper management of DSARs to ensure that the handling and processing of consumers’ personal information are managed in a way that is compliant with the CCPA.

Keep Updated On The CCPA

To ensure that your business is always compliant with the CCPA, thereby reducing the risk of penalties or losing business in California, you must keep informed about the CCPA and other relevant data privacy laws. Furthermore, you should regularly review and update your data practices to comply with the regulations set by these laws.

Does CCPA Apply To Government Agencies?

Businesses all over America and beyond have been scrambling to initiate significant changes to their records and management systems. All this is the result of a relatively new law introduced in California called CCPA.

Individuals and businesses across the country are asking themselves: “Do I have to comply with CCPA?” To answer this question, you first need to understand what the law entails.

CCPA (The California Consumer Privacy Act) is a state law that created new consumer rights associated with access to, removal of, and sharing of personal data collected by organizations that do business in California. This means that if a customer in California places an order for a particular product or service from a company headquartered in the United Kingdom, the British company has to comply with CCPA rules to do business.

Impact Of CCPA On Government

Currently, government organizations do not have to comply with CCPA. However, such agencies must recognize and accept that their collection and usage of personal information may place them in a challenging position in the future as data privacy rules evolve. 

Quite a few states across the US are already proposing similar bills, and some have even enacted laws regarding the CCPA data subject access request as a way of keeping up with the changing times. 

Essential Items To Note When It Comes To Privacy Laws In The United States

  • Local governments all over the United States are currently collecting and maintaining databases of personally identifiable information (PII) and, in some cases, selling it to companies.
  • According to various reports, the Los Angeles Department of Transportation obtains geo-data from hundreds or even thousands of dockless scooters available for use all over the city. 
  • The California Department of Motor Vehicles can drum up close to $50 million in revenue selling drivers’ personal data.

What Local Governments Need To Learn From CCPA

With the introduction of CCPA, local governments will have no choice but to prepare for the very likely event of having to change their public records management systems. This becomes likely as more and more constituents find out how their personal information is being gathered and shared. Bills in other states are also expected to take their cues from CCPA, which provides Californian consumers with the right to:

  • Ask for all the data a company has collected on them and saved over the last twelve months.
  • Ask for the deletion of any data related to them.
  • Learn how their data is processed.
  • Ask to see a list containing data of all the third parties who may have access to their information. 
  • Refuse the sale of their data to third parties. 
  • Seek legal action against companies or organizations that violate the privacy guidelines. 

One of the significant issues raised with CCPA is that it exempts California’s local and state governments from its rules on the collection and use of personal data. However, this doesn’t mean that such agencies are off the hook.

Currently, discussions are being undertaken on how similar laws can be applied to California’s governments. The governor of the state also signed five amendments made to the CCPA just after its enforcement date, which is a clear indication that the data privacy laws are constantly evolving and can change at a moment’s notice.

Conclusion

To understand how your agency can better prepare itself for data privacy laws such as CCPA or even how you, as a consumer, can protect yourself, you can look at several guides to improve your knowledge. You can also seek professional help or advice if you have any trouble understanding how it works.

Do I Have To Comply With CCPA?

Although the California Consumer Privacy Act (CCPA) is a state-level law, it affects businesses outside of the state—even international companies that operate in the United States. The CCPA applies to for-profit businesses that do business in California and fall under one of three main criteria for gross annual income and the use, storage, or sale of personal information. 

If your business fits the description, you’ll have to comply with the regulations set by the CCPA. If you’re wondering: “does CCPA apply to government agencies?”, follow the link to see the answer.

What Is The CCPA?

The CCPA is a data privacy law that gives California consumers more control over their personal information or “information that identifies, relates to, or could reasonably be linked with” a California resident or their household. 

The law protects personal information beyond basic details such as names and addresses; it also includes other non-commercial or private data, as well as any insights on the behavior or preferences of a consumer based on their online activity.

The CCPA Secures Four Basic Rights For California Consumers:

  • The right to know what personal information a business collects, uses, and shares
  • The right to delete their personal information collected by businesses (with some exceptions)
  • The right to opt-out of the sale of their personal information
  • The right to non-discrimination for exercising their rights under the CCPA

Businesses Under The CCPA

Not all businesses have to comply with the CCPA. The law makes the scope clear; it only applies to for-profit businesses that do business in California and meet at least one of the following:

  • Has a gross annual revenue of over $25 million
  • Buys, receives, or sells (or in any way makes available to another, e.g. renting, disseminating, etc.) the personal information of at least 50,000 California residents, devices, or households
  • Derives at least half of its annual revenue from the sale of California residents’ personal information

This means that even businesses that aren’t located in California but do business in the state, e.g. online shops, marketing agencies, etc., must comply with the CCPA. And while it isn’t generally strict with small businesses that don’t need or have the resources to collect, store, or sell personal information through third-party means, businesses are encouraged to adhere to the law’s regulations just to be safe.

How To Comply With The CCPA

The CCPA sets regulations that guide businesses to comply with the law. Here are some examples:

Add An Opt-Out Option

To afford consumers their “right to opt-out,” businesses must provide a clear and conspicuous “Do Not Sell Personal Information” button or link on their website homepages or their mobile application’s settings menu. Businesses are not required, however, to get opt-in cookie consent.

Update Privacy Policy

Businesses must review and update their privacy policies to include the details of the CCPA, describing the rights established by the law. It must also make the data practices of the business transparent so consumers know how their personal information is collected and used.

Provide Channels For Data Access Requests

Businesses must provide channels for consumers to request access and/or deletion of personal information collected from them. To this end, businesses have to create a procedure that confirms, verifies, and processes such requests promptly, on top of making sure that there is proper storage of copies of such requests.

Obtain Consent

Businesses aren’t allowed to sell the personal information of minors without affirmative consent to opt-in. So businesses must obtain opt-in consent through forms or links on their sites from consumers between the ages of thirteen and fifteen or from the parent or guardian of a consumer under thirteen years old before using their personal data.

Train Employees About CCPA

To ensure that the CCPA is followed, businesses must train their employees about the law and how its implementation may affect the operations of the business.

Review Agreements With Third Parties And Service Providers

Many businesses manage personal information through third-party sites and service providers. So business owners must take responsibility for making sure that agreements made in these partnerships are compliant with the CCPA.

Conclusion

Although not all businesses have to comply with the CCPA, all companies, especially those that deal with consumers in California, are encouraged to follow the law to avoid any hefty fines or lost business with the state. 

Being transparent about your company’s data practices is also a good way to future-proof operations, especially since international markets are putting value on data privacy. It won’t be long until other states or countries adopt data privacy laws like the CCPA; it’s best to stay ahead.

How Is CCPA Different Than GDPR?

The CCPA (California Consumer Privacy Act) and the GDPR (General Data Protection Regulation) are both laws that emerged to provide individuals with greater power and control over their personal information. 

Both laws are responsible for regulating organizations that gather and use such data in a variety of ways.

A Brief Overview Of The CCPA

The CCPA offers California residents increased control and transparency over how companies collect and use their data. It predominantly applies to those businesses operating in California or those that handle or share the personal data of California residents.

A Brief Overview Of The GDPR

The GDPR was formulated to give European Union residents increased control and transparency over how firms collect and utilize their data. It also applies to organizations operating in and out of the EU that process the personal information of EU residents.

There is a lot more to the story than the brief overviews above. As a result, it’s a good idea to know how both these regulations work to help keep your organization legally compliant and boost customer trust.

It is also a good idea to familiarize yourself with some GDPR cookie consent examples, to see how various businesses are adhering to the recent privacy policy regulations. 

CCPA vs. GDPR

The CCPA increases data transparency for Californians about how their personal information is collected and transferred. On the other hand, the GDPR is responsible for the regulation of data privacy across the EU. It was formed to replace some of the previous data protection laws across Europe that had a single framework. 

It is important to note that even though GDPR is primarily intended for the EU, it still has implications for businesses operating in the United States. This is why some businesses that were asking if GDPR applies to non-EU citizens have gone to the trouble of finding out.

The following information shows how the two sets of laws compare:

  • The CCPA is designed to provide data rights to consumers who live in California, whereas the GDPR offers such protections to EU residents.
  • The CCPA tends to deal with information that relates to, identifies, links to, or describes a consumer or household, with a few exceptions. On the other hand, the GDPR deals with any personal data associated with an individual. It does not include households, and only anonymous data is exempt.
  • The CCPA applies to profit-making businesses that operate in California, meet several monetary conditions, and have several service providers. In the case of GDPR, data controllers and processors who deal with the personal information of EU individuals are regulated.

Both of these regulations came about to protect people living in a world where there is increased global interconnectivity and where the international transfer of data has become more elaborate and frequent. 

Furthermore, forward strides made in the technology sector have also resulted in the misuse of data, causing many scandals and sophisticated cyber attacks. All this has led to the need for better privacy protection laws.

Conclusion

Both the CCPA and GDPR apply to individual organizations in various ways, and even though there may be some nuances in terms of scope that distinguish these two sets of legislation, their goals remain similar. 

By looking at how they complement each other, you will be able to create scalable data privacy and security regulations that will comply with both of them.

Who Does The CCPA Apply To?

The California Consumer Privacy Act (CCPA) was established to protect the data privacy rights of California consumers. But while it benefits residents of the state, it applies to businesses outside of the state as well. 

This legislation is applicable to for-profit businesses that do business in California, collect consumer information, and fall under certain criteria (more than $25 million of annual gross revenue). 

It also applies to those enterprises that deal with the personal information of at least 50,000 Californians or derive half or more of their revenue from selling Californians’ personal information.

Given these applications, there is likely a connection between CCPA and advertisers, wherever they may be located. 

What Is The CCPA?

The CCPA is a comprehensive data privacy law that establishes rights for California consumers to give them more control over their personal information such as:

  • The right to know about the personal information a business collects, uses, and shares
  • The right to delete personal information collected (with some exceptions)
  • The right to opt-out of the sale of personal information
  • The right to non-discrimination for exercising rights under the CCPA

The law covers personal information, including basic information such as names, addresses, and location, as well as financial and government information. It also covers commercial information such as purchasing history, personal history (e.g. education, resume, etc.), and even profiles on consumer behavior and preferences derived from how they interact with websites and platforms.

What Businesses Does The CCPA Apply To?

Although the CCPA is a state-wide law, it doesn’t apply to all businesses that operate in or with the state. The CCPA only considers for-profit businesses that do business in California and meet any of the three criteria defined by the law:

  • has a gross annual revenue of more than $25 million
  • has a practice of buying, receiving, or selling (or in any way making available to another, e.g. renting, disseminating, etc.) the personal information of 50,000 or more California residents, devices, or households
  • derives at least 50% of their annual revenue from selling the personal information of California residents

The law is lenient toward small businesses that don’t need or don’t have the resources to collect, store, or use personal information, though it is unknown how long that will last.

The future of data privacy legislation appears to be that it will spread across the country and gradually become stricter—giving consumers even more control over their personal information. All businesses in California are encouraged to play it safe by complying with the law sooner rather than later.

Additionally, even businesses that aren’t headquartered in California but do business with residents of the state or implement marketing campaigns that target California consumers must adhere to the guidelines of the CCPA. 

Therefore, this far-reaching legislation applies to many international and national businesses who will want to be compliant, especially since the alternative is losing the right to do business in the state with the largest population and the highest gross domestic product (GDP) in the United States.

How Do Businesses Comply With The CCPA?

The CCPA lists regulations that guide the implementation of the law. These include, but are not limited to:

  • adding a conspicuous “Do Not Sell My Personal Information” opt-out option
  • updating privacy policies to outline the consumer rights secured by the CCPA
  • providing consumers the channels and support to retrieve and/or delete personal information promptly
  • obtaining consent from minors (or their parents, if under thirteen) before using their personal information
  • training employees on CCPA’s prescribed rights
  • reviewing and/or revising agreements with third parties or service providers to be compliant with the CCPA

Conclusion

Whether or not the CCPA applies to your business, it’s good practice for you to be transparent about your data practices and provide consumers with the avenues to enact the rights given to them by the law. 

While the CCPA is a state-wide law, many companies are finding themselves affected—and it won’t be long until similar regulations are enacted not just in the US, but in the international market as well. Consider looking into a privacy management tool; it might be just what you need to ensure your company’s compliance fairly quickly and easily.

What CCPA Means for Advertisers

Since the enactment of the California Consumer Privacy Act (CCPA), many advertisers have had to be more transparent about how they collect and use information about their consumers. Because the law limits the data that digital marketers can collect and use in their campaigns, advertisers are being driven to use legally collected data (e.g. first-party data) and alternative target marketing strategies.

The Basics of CCPA 

CCPA is a data privacy law that mandates that businesses be transparent about how consumer information is used, especially if it is for for-profit purposes. It gives California consumers more control over how their personal information is collected, stored, shared or sold by providing:

  • the right to know what personal information is collected, used, and shared;
  • the right to delete personal information collected (with some exceptions);
  • the right to opt-out of the sale of personal information; and
  • the right to non-discrimination for exercising rights under CCPA.

CCPA was created to protect the personal information of consumers. The scope of the law is vague because it was designed to be broad enough to cover all types of information that businesses already collected or may collect in the future given the ever-evolving digital landscape.

Personal information includes any data that identifies, describes, links, or relates (directly or indirectly) to a consumer. Examples of personal information include names and aliases; addresses; financial information (credit card numbers, bank details, etc.); government information (social security numbers, etc.); geographic location; biometric data (fingerprints, medical data, etc.); and browsing data (search history, IP address, etc.).

How CCPA Affects Advertising

Advertising heavily relies on data collected from a business and/or a product’s target market. The digital landscape made it easy for advertisers to gather insights about consumers through the use of tracking technology such as cookies, plug-ins, and other devices. But CCPA makes consumer information obtained through these means less accessible, forcing advertisers to change their marketing strategies and practices.

To comply with CCPA, businesses must obtain data-sharing consent (particularly from parents or guardians of minors). They must also provide consumers a means to access and review their data as well as give consumers the option to opt out of the sale of their personal information through a “Do Not Sell My Personal Information” link on their homepage. Under CCPA, businesses are also obligated to review and update their privacy policies with a description of the rights afforded by the law.

Going forward, advertisers will have to gain consumer insights through legally obtained first-party data. Advertisers must also adapt and approach audiences from different angles, such as through social channels, email lists, and de-identified web engagement.

Since advertisers will have to rely on first-party data and consumer research, digital marketing campaigns will shift from a targeted to a more contextual approach. The industry will put more value on securing contextually relevant information and behavioral data, with advertisers constructing strategies and campaigns using these.

Why everyone needs to comply with CCPA

Although CCPA is focused on California residents, it does have national—and even international—implications. California has the largest population and the highest gross domestic product of any state in the United States. Losing this market translates to significant losses for any business. For a more detailed answer to the question “who does the CCPA apply to?” you can follow the link.

The smarter approach is to comply with the law and set up solid practices to obtain consumer data to create effective marketing campaigns, especially since other markets worldwide are leaning toward enacting similar data privacy regulations. If you’re looking at doing business in the EU, you may also be interested in learning more about the 7 GDPR principles, so you can have a better understanding of the rules and regulations around data privacy in Europe.