What does CCPA stand for?

The California Consumer Privacy Act (CCPA) is a privacy law, superseding the California Consumer Privacy Act of 2018.

It’s intended to increase the control California residents have over the collection and processing of their personal information, including details like names, addresses, biometrics, and geolocation data.

Who does the CCPA apply to?

The CCPA applies to any entity that does business in the State of California and meets certain criteria. 

“Does business” is a broad definition. It could apply to you if you sell there and:

  • Your business has an annual gross revenue of $25 million or more
  • You handle information belonging to more than 50,000 customers
  • 50% or more of your revenue is derived from selling personal information

The CCPA is enforced by the California Attorney General’s office.   

What are the CCPA requirements to consider?

These are additional responsibilities, and you still have to comply with general data protection regulations: 

  1. Your privacy policy must adhere to the California Online Privacy Protection Act, updated for the CCPA.
  2. You must notify users of data collection and allow them to opt out.
  3. You must have defined procedures for opt-out requests and the deletion of personal information.
  4. You must respond to said requests in a reasonable timeframe.
  5. You must verify the identity of the customers making the requests.
  6. You must maintain records of consumer requests and responses.
  7. You must include a “Do not sell my personal information” link on your website or app.
  8. You need to disclose any for-profit use of the retention or sale of personal information, including how the value of that information was calculated.

These requirements relate to four consumer rights granted to California residents under the CCPA:

The right to deletion

A customer has the right to request that you delete any of their consumer data. 

Your business has to comply with these requests, but there are certain circumstances where retaining a consumer’s personal information is permitted, such as when the data is needed to complete a transaction, fix errors, or comply with other legal responsibilities. This applies to debit or credit card data needed for a purchase.

There are other exemptions, like limited internal use or the investigation of malicious activity. 

The right to be informed

This right means customers must be informed before or at the time their data is collected.

Your business has to tell customers the categories of information being collected and the commercial purposes of collection. 

The right to access data

This means a user has the right to access any of the personal data you’ve collected. It also means you have a responsibility to answer requests for data without delay.

The available information must be provided free of charge.  

The right to opt-out

This gives users the right to opt out of the sale of their information to a third party.

For businesses, this means you need to put a clear opt-out link on your site or app leading users to a copy of your privacy policy. Check this guide if you need help with how to write a privacy policy.  

Does the CCPA apply to other states?

Yes. If your business collects data from customers in California, the CCPA applies no matter your location.

GDPR vs. CCPA requirements: How are they different?

The General Data Protection Regulation (GDPR) governs the rights of EU citizens regarding their personal data.

There are five key differences between the acts:

1. Location  

GDPR applies to any business that deals with data from a “data subject” in the European Union.

CCPA only applies if you deal with residents of California and operate in California.

2. Data type

GDPR broadly covers all categories of personal information regardless of purpose, even if you’re just collecting data for a petition form.

CCPA makes distinctions on what kind of data is protected and when. 

3. Data use

GDPR outlines the difference between collecting, processing, and selling information.

CCPA considers the broader term “processing” to cover any of these actions. 

4. Data access

CCPA compliance means sending regular reports when a user’s data is collected or sold within a 12-month period.

GDPR is stricter, with rules on data retention, the right to withdraw, and direct notification of data collection on an opt-in basis. 

5. Penalties

Under the GDPR, penalties of up to $24 million (or four percent of the offending company’s annual turnover) can be imposed for non-compliance.

The CCPA is retroactive, and penalties only apply if a data breach occurs. They range from $2,500 to $7,500 for intentional violations.  

What must organizations do to comply with the CCPA?

Assess data security practices

It’s outlined in the CCPA that a business has to “implement and maintain reasonable security procedures.”

There’s no further clarification on what that means. Instead, a business has to rely on data security best practices.

Train employees on information handling

Under the CCPA, your business is responsible for your employees’ handling of personal data.

That means adequate training on the handling and disclosure of personal data is essential for all staff.  

Help customers exercise their rights

Having clearly defined processes for how to handle requests under the CCPA will help both your business and customers.

Take steps to inform your customers upfront about their rights.   

Be prepared for the “look back” requirement

The look-back requirement refers to your business’s responsibility to provide records covering a 12-month retroactive period.

This requires a way to store, categorize, and access customer data.

Carry out website updates

If you’re implementing CCPA measures for the first time, you’ll need to update your website homepage. This will require clear links to your opt-outs and privacy policy. 

Keeping your website security regularly updated is also important. It helps prevent data breaches before they happen, and it helps you comply with other data privacy laws and amendments.

Become CCPA-compliant with the right privacy policy template

A big part of CCPA compliance is making sure your privacy policy is updated.

If you need help with a free privacy policy template, PandaDoc is here for you. We have all the templates you need, as well as a help center full of guidance.