CCPA & CPRA Explained: California Data Privacy Law Guide + Checklist

Raisul Islam
First published December 4th, 2025
Last updated January 6th, 2026
Avoid fines by understanding California data privacy law. Learn how CCPA and CPRA affect your business, plus key compliance requirements.

If your business collects personal information from California residents and meets the law’s applicability thresholds (set in terms of annual revenue, the number of consumers or households whose personal information you buy, sell or share, and the share of revenue derived from selling or sharing it), you must comply with the California Consumer Privacy Act (CCPA). Let’s explore CCPA and the steps you can take to stay on the right side of the law.

What is CCPA?

The California Consumer Privacy Act is a law designed to give California residents more control over their data. The law refers to any resident of California as a ‘Consumer.’

The legislation affords consumers three core rights, which a business must be able to act on:

  • The right to know: to access the personal information a company holds about them, including the categories collected and the categories of third parties it was disclosed to.
  • The right to opt out of the sale of their personal information to third-party organisations.
  • The right to request that their personal information be deleted.

A fourth, less often cited, protection is the right to non-discrimination: you may not deny goods or services, charge a different price or provide a different level of service because a consumer exercised one of these rights.

As a business, your role is to make sure that these rights are respected. That means having procedures in place to respond to a consumer request.

Image: Rights under the California Consumer Privacy Act (CCPA)

CCPA vs CPRA

On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), which amended and expanded CCPA. Most of its provisions came into effect on January 1, 2023. Under CPRA, businesses are additionally required to:

  • Correct inaccurate personal information on request.
  • Act upon consumer requests to limit the use and disclosure of their sensitive personal information.
  • Implement reasonable security procedures and practices appropriate to the nature of the personal information, and collect, use and retain no more than is reasonably necessary for the disclosed purpose (data minimisation).

Alongside outlining additional rights, CPRA established the California Privacy Protection Agency (CPPA), which shares enforcement with the Attorney General. The agency can investigate violations, issue regulations and impose administrative fines, and CPRA removed the mandatory 30-day cure period that businesses previously enjoyed before enforcement could begin.

Image: CCPA vs CPRA infographic

CCPA key terms

CCPA uses a variety of key terms. Let’s unpack these:

  • A service provider – An organisation that processes personal information on behalf of your business under a written contract. The contract must prohibit the service provider from retaining, using or disclosing that information for any purpose other than performing the contracted services (CPRA adds a similar ‘contractor’ category).
  • A third party – Any entity that is neither the business the consumer interacts with nor one of its contracted service providers or contractors.
  • A sale – CCPA defines a ‘sale’ as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating… a consumer’s personal information by the business to a third party for monetary or other valuable consideration.” In practice, handing personal information to another organisation in return for money or anything else of value is a sale, whether or not cash changes hands. CPRA added the related term ‘sharing’: disclosing personal information to a third party for cross-context behavioural advertising, with or without consideration. Transfers to a service provider under a compliant contract are neither a sale nor a share.

What is personal information?

How businesses collect, process and store personal information is central to the CCPA. The legislation defines personal information as information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This is wider than the usual notion of personally identifiable information (PII): household-level data and inferences count too.

Identifying personal information is crucial, but because the definition is so broad, it encompasses many forms of data. Examples include:

  • Identifiers, such as a consumer’s name, email address, postal address, account name or passport number.
  • Professional or employment-related information.
  • Internet or network activity and geolocation data, such as an IP address, WiFi network or movement data.
  • Characteristics of classifications protected under California or federal law (e.g. disability, sexual orientation, race, religion).
  • Inferences drawn from any of the above to build a profile of the consumer.

CPRA carves out a narrower subset called sensitive personal information, which consumers can ask you to limit the use of. It includes government identifiers such as Social Security and driver’s licence numbers, account log-in or financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, the contents of mail, email and text messages not addressed to the business, genetic and biometric data, health information, and data about sex life or sexual orientation.

Image: Sensitive personal information under CCPA

What is the penalty for breaching the CCPA?

The California Consumer Privacy Act outlines severe penalties for businesses that fail to comply. Civil and administrative penalties run up to $2,500 per violation and up to $7,500 per intentional violation, or per violation involving the personal information of a consumer the business knows is under 16. Violations are counted per consumer, so a systemic failure multiplies quickly.

The law also grants consumers a limited private right of action, restricted to data breaches. A consumer whose non-encrypted and non-redacted personal information is exposed because the business failed to implement and maintain reasonable security may sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Because those figures are per consumer, a single breach affecting a large customer base is what makes data-breach class actions so costly.

Image: Reasons for penalty under CCPA and CPRA

CCPA Compliance Checklist

The best way to avoid CCPA fines and other repercussions is through preparation. Below, we’ve provided a compliance checklist to help you stay on the right side of the California data privacy law.

Carry out a data inventory

A data inventory is a record of all the data assets held by an organisation. Keeping an up-to-date inventory is key to CCPA compliance.

Remember, the legislation allows consumers the right to access or delete their data. That’s only possible if you have a clear idea of what data you hold and where it’s stored.

A data inventory should involve the following steps:

  • List data sources – List all the different data repositories in your organisation. This might include databases, cloud storage, and data warehouses. In particular, list the different types of personal data held within each source.
  • Map out the flow – It’s important to understand how data flows throughout your organisation. Who has access to assets, and what protections are in place to prevent unauthorised use?
  • Track data sharing – Under CCPA, you must be transparent about how you sell or share data. List all the partners you work with, and the sorts of data you exchange.
  • Maintain your inventory – It’s important to update your inventory regularly to keep track of new assets as they come in. Regularly check for errors and issues that could prevent you from getting a full picture of your data.

Bolster data security

The right security measures can help prevent costly data privacy class actions. Begin with an audit of your existing systems. What security measures do you currently have in place? What are the current gaps within your security, and how can you fill them?

Some basic but important measures include:

  • Using password managers and, where possible, passkeys so that credentials are unique and never reused.
  • Requiring multi-factor authentication, particularly for administrative and remote access.
  • Implementing proper access controls so that data is only viewable on a ‘need to know’ basis, with access reviewed regularly and revoked when roles change.
  • Encrypting personal information in transit and at rest, and segmenting networks with firewalls. Encryption matters doubly here: the private right of action only covers non-encrypted and non-redacted personal information, so properly encrypted data that is breached without its keys does not trigger statutory damages.

To exercise proper due diligence, your staff also need a full understanding of CCPA and the consequences of security breaches. This will require regular training so that staff know how to handle data safely and securely.

Image: Five ways to improve your data security

Provide relevant notices

Achieving CCPA compliance isn’t possible without being open and honest about your data collection. That means providing consumers with a full account of how you collect, store, and use their data.

In practice, this means creating two important documents: a privacy policy and a notice at collection.

Privacy policy

A privacy policy provides a complete account of your organisation’s data practices. According to the CCPA, it must be easy to find, with a conspicuous link containing the word ‘Privacy’ on your homepage, and reasonably accessible to consumers with disabilities.

Your privacy policy should also contain the following information:

  • Details about consumer rights – In particular, the rights discussed earlier (know, delete, opt out, correct, limit use of sensitive personal information, non-discrimination) and how to exercise them.
  • Information about your organisation’s use of data – Including the categories of personal information you collect, the purposes, how long you retain each category, and the categories you sell, share or disclose and to whom.
  • The date of the last update – CCPA requires privacy policies to be reviewed and updated at least once every 12 months.

Note: Complying with global data privacy laws requires different approaches for different regions. A privacy policy designed for CCPA, for instance, will not be enough for compliance with the EU’s GDPR.

Notice at collection

A ‘notice at collection’ is shown at or before the point where personal information is collected. It lists the categories of personal information collected, the purposes for which each is used, whether each category is sold or shared, how long it is retained (or the criteria used to decide), and links to your privacy policy.

If you sell or share personal information, the notice must carry a link titled “Do Not Sell or Share My Personal Information”; if you use sensitive personal information beyond the purposes the law permits, a “Limit the Use of My Sensitive Personal Information” link is required as well. The CPPA’s regulations also require you to treat opt-out preference signals sent by the browser, such as Global Privacy Control, as a valid opt-out request, so the link alone is not enough.

Always respect consumer rights

Having the relevant documents and notices isn’t enough. You need to prove to consumers that, rather than just playing lip service, you’re serious about respecting their rights.

Part of this is maintaining clear communication channels. CCPA requires at least two methods for submitting requests, and for most businesses one must be a toll-free telephone number (a business that operates exclusively online and has a direct relationship with the consumer may instead provide just an email address). Whichever channels you use, make sure they are accessible with no roadblocks: consumers must not be required to create an account to exercise their rights, and identity verification should be proportionate to the sensitivity of the request rather than a hurdle.

When consumers do get in touch, confirm receipt within 10 business days. CCPA then requires a substantive response within 45 calendar days of receipt; you may extend once by a further 45 days when reasonably necessary, provided you tell the consumer within the first 45 days why the extension is needed.
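The data inventory and the request handling described above only work together if the inventory is machine-readable and every system that holds personal information is in it. The following Python is an added example, not code from the article: it keeps a constructed inventory (source names, categories, the "ad-partner-example" recipient and the sample records are all assumptions) and uses it to answer an access request, carry out a deletion, flag any store that holds records but is missing from the inventory, and compute the 45-day response deadline with its single extension.

```python
"""Added example, not code from the original article: a machine-readable data
inventory and a minimal consumer-request handler built on top of it. The
inventory format, source names, partner name and sample records are all
constructed assumptions for illustration."""

from datetime import date, timedelta

# Constructed inventory: one entry per data source, listing the categories of
# personal information it holds, the field that identifies a consumer in it,
# and which third parties (if any) that source's data is sold or shared with.
INVENTORY = [
    {"source": "crm_db", "categories": ["name", "email", "postal_code"],
     "lookup_key": "email", "shared_with": []},
    {"source": "analytics_warehouse", "categories": ["email", "ip_address", "geolocation"],
     "lookup_key": "email", "shared_with": ["ad-partner-example"]},
    {"source": "support_tickets", "categories": ["name", "email", "profession"],
     "lookup_key": "email", "shared_with": []},
]

# Constructed sample records standing in for the real systems. "legacy_export"
# holds personal information but is deliberately missing from INVENTORY, to
# show what an incomplete inventory costs you.
DATA_STORES = {
    "crm_db": [{"email": "jane@example.com", "name": "Jane Roe", "postal_code": "94103"}],
    "analytics_warehouse": [{"email": "jane@example.com", "ip_address": "203.0.113.7",
                             "geolocation": "San Francisco, CA"}],
    "support_tickets": [{"email": "bob@example.com", "name": "Bob Roe", "profession": "nurse"}],
    "legacy_export": [{"email": "jane@example.com", "name": "Jane Roe"}],
}

RESPONSE_WINDOW_DAYS = 45   # statutory window for a substantive response
EXTENSION_DAYS = 45         # one extension permitted when reasonably necessary


def inventory_gaps(inventory=INVENTORY, stores=DATA_STORES):
    """Sources that hold records but are not inventoried. Anything listed here
    is invisible to access and deletion handling, so treat it as a finding."""
    known = {entry["source"] for entry in inventory}
    return sorted(name for name, records in stores.items() if records and name not in known)


def locate_consumer(identifier, inventory=INVENTORY, stores=DATA_STORES):
    """Map each inventoried source to the records it holds on this consumer."""
    found = {}
    for entry in inventory:
        key = entry["lookup_key"]
        matches = [r for r in stores.get(entry["source"], []) if r.get(key) == identifier]
        if matches:
            found[entry["source"]] = matches
    return found


def access_report(identifier, inventory=INVENTORY, stores=DATA_STORES):
    """Build the disclosure for an access ('right to know') request: which
    categories each source holds on the consumer and who it was sold or shared with."""
    by_name = {entry["source"]: entry for entry in inventory}
    report = {}
    for source, records in locate_consumer(identifier, inventory, stores).items():
        held = sorted({k for r in records for k in r if k in by_name[source]["categories"]})
        report[source] = {"categories": held, "shared_with": list(by_name[source]["shared_with"])}
    return report


def delete_consumer(identifier, inventory=INVENTORY, stores=DATA_STORES):
    """Remove the consumer's records from every inventoried source and return the
    number deleted per source. Only sources the inventory knows about are touched."""
    deleted = {}
    for entry in inventory:
        key = entry["lookup_key"]
        before = stores.get(entry["source"], [])
        after = [r for r in before if r.get(key) != identifier]
        if len(after) != len(before):
            deleted[entry["source"]] = len(before) - len(after)
            stores[entry["source"]] = after
    return deleted


def response_deadline(received, extended=False):
    """Deadline for the substantive response: 45 calendar days from receipt,
    plus one 45-day extension if invoked. Accepts a date or an ISO date string."""
    if isinstance(received, str):
        received = date.fromisoformat(received)
    days = RESPONSE_WINDOW_DAYS + (EXTENSION_DAYS if extended else 0)
    return received + timedelta(days=days)


if __name__ == "__main__":
    print("uninventoried sources:", inventory_gaps())
    print("access report:", access_report("jane@example.com"))
    print("deadline (extended):", response_deadline("2026-01-06", extended=True))
    print("deleted:", delete_consumer("jane@example.com"))
    print("still findable via inventory:", locate_consumer("jane@example.com"))
```

Running it shows the failure mode the inventory section warns about: the deletion reports success for the two inventoried sources, yet Jane’s record in the uninventoried `legacy_export` survives untouched. `inventory_gaps()` is the check to run on a schedule so that new stores get added to the inventory before a request arrives, not after a complaint.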

Review and adjust

As we’ve explored, CCPA isn’t static. We’ve already had a major update through the CPRA. Further adjustments to the legislation will likely arrive, introducing new requirements for businesses. To ensure long-term compliance, your strategies must also adapt.

Keeping up with data privacy legislation can be overwhelming, especially if you operate in multiple jurisdictions. Hiring additional legal help can make the process easier. It also provides access to valuable advice to help stay on top of compliance.

Remaining in line with CCPA requires awareness across your organisation. Everyone, from IT to customer support, should be aware of the importance of data privacy. This requires regular training and easy access to educational materials.

By establishing a privacy-first culture, your team will find it easier to adjust to legislative changes.

Make consumer privacy a priority

The California Consumer Privacy Act has been a game-changer for many businesses, but the emergence of this type of law isn’t isolated. Whether it’s in the EU, Canada, or the UK, data privacy legislation is changing how we can collect, maintain, and use data. That’s why having a compliance checklist is essential.

Here, we’ve provided some tips to help you stay compliant with CCPA. Why not put these tips into practice and begin reviewing your approach to managing data privacy?

Remember, if you operate in other global regions, you may need a different approach. For example, here’s an article to help you create a GDPR compliance checklist.
