Who must comply with CCPA? A Guide for Businesses

Introduction

The California Consumer Privacy Act [CCPA] is a State Law that came into effect on Wed, 01-Jan-2020. The Law is aimed at protecting the privacy of California residents by regulating how businesses handle their Personal Information. The CCPA is considered one of the most comprehensive Privacy Laws in the United States & it has significant implications for businesses operating in California.

The CCPA applies to businesses that collect Personal Information from California residents & meet certain thresholds. These businesses are required to provide California residents with specific rights regarding their Personal Information, such as the right to know what Personal Information is being collected about them & the right to have that information deleted.

The purpose of this Journal is to guide businesses on who needs to comply with the CCPA. We will discuss the criteria that determine whether a business is subject to the law & provide practical guidance on how to comply with its requirements. By the end of this Journal, you should have a better understanding of whether your business needs to comply with the CCPA & what steps you should take to ensure compliance.

CCPA Applicability Criteria

The CCPA applies to businesses that collect Personal Information from California residents & meet certain thresholds. The law defines a “business” as any legal entity that operates for profit & collects Personal Information from California residents. This includes corporations, partnerships, sole proprietorships & other forms of business entities. To determine whether a business needs to comply with the CCPA, there are three main criteria to consider: revenue threshold, data collection threshold & business type.

Revenue & Data collection threshold

The CCPA applies to businesses that meet one or more of the following revenue thresholds:

• Annual gross revenue of $25 million or more.
• Buys, receives or sells the Personal Information of 50,000 or more California residents, households or devices annually.
• Derives 50% or more of its annual revenue from selling the Personal Information of California residents.

If a business meets any of the above criteria, it must comply with the CCPA, regardless of whether it is located in California or another state. It’s worth noting that “Personal Information” is defined broadly under the CCPA & includes any information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Business type

The CCPA applies to a broad range of businesses, such as online retailers, social media companies, data brokers & advertising networks that operate for profit & collect Personal Information from California residents. 

There are also some exceptions to the law, such as businesses that collect Personal Information from California residents while conducting due diligence in connection with a merger, acquisition or other business transaction.

It’s important to note that even if a business is exempt from the CCPA, it may still be subject to other privacy laws & regulations. For example, the General Data Protection Regulation [GDPR] applies to businesses that collect Personal Information from individuals in the European Union, regardless of where the business is located.

Determining whether a business needs to comply with the CCPA requires a careful analysis of its revenue, data collection practices & business type. If your business collects Personal Information from California residents & meets the CCPA’s applicability criteria, it’s important to take steps to ensure compliance with the law’s requirements. This may include updating privacy policies, providing consumers with the right to opt-out of the sale of their Personal Information & implementing processes to handle consumer requests for access or deletion of their Personal Information. Failure to comply with the CCPA can result in significant fines & penalties, so it’s important to take the law’s requirements seriously.

Exceptions to CCPA Compliance

While the CCPA sets forth comprehensive requirements for businesses that collect & process Personal Information of California residents, there are certain exceptions to its compliance requirements. These exceptions may exempt certain businesses from specific CCPA requirements or they may exempt businesses entirely from the scope of the law.

Here are some of the most common exceptions to CCPA Compliance:

1. Employee & Business-to-Business [B2B] Exemption: This exemption, which was added to the CCPA in 2020 & provides a partial exemption for businesses that collect Personal Information from job applicants, employees, owners, directors, officers, medical staff or contractors of a business entity. The exemption applies to the extent that the information is collected & used solely within the context of the person’s role or former role with the business entity.
2. Publicly Available Information: The CCPA does not apply to Personal Information that is lawfully made available from federal, state or local government records.
3. Health Information: Businesses subject to HIPAA, the Confidentiality of Medical Information Act [CMIA] or the Federal Policy for the Protection of Human Subjects (also known as the Common Rule) are exempt from the CCPA’s requirements to the extent that they collect or process Personal Information that is protected by those laws.
4. Financial Information: Businesses that are subject to the Gramm-Leach-Bliley Act [GLBA] or the California Financial Information Privacy Act [FIPA] are exempt from some CCPA requirements to the extent that they collect or process Personal Information that is covered by those laws.
5. Data Collected under Other Laws: The CCPA does not apply to Personal Information collected, processed, sold or disclosed pursuant to certain federal or state laws, including the Driver’s Privacy Protection Act [DPPA] & the Children’s Online Privacy Protection Act [COPPA].

It’s worth noting that these exemptions do not completely exempt a business from complying with the CCPA. Depending on the nature of the exemption, businesses may still be subject to some CCPA requirements, such as providing notice of data collection practices or implementing reasonable security measures to protect Personal Information. Businesses should carefully review the CCPA’s requirements & seek legal guidance to ensure that they are complying with the law.

CCPA Compliance Requirements

Businesses that are subject to the CCPA must comply with a range of requirements to protect the privacy rights of California residents. Here are some of the key CCPA Compliance requirements that businesses should be aware of:

1. Notice Requirement: Businesses must provide notice to California residents at or before the time of collecting their Personal Information. This notice must inform individuals about the categories of Personal Information that will be collected, the purposes for which the information will be used & the categories of third parties that the information may be shared with. Businesses must also provide a link to their privacy policy on their homepage.
2. Right to Know: California residents have the right to know what Personal Information businesses have collected about them, the sources of the information, the purposes for which the information was collected & the categories of third parties with whom the information has been shared. Businesses must provide this information to individuals upon request.
3. Right to Delete: California residents have the right to request that businesses delete their Personal Information. Upon receiving a verified request, businesses must delete the requested information, unless an exception applies.
4. Right to Opt-Out: California residents have the right to opt-out of sharing their Personal Information. Businesses must provide a “Do not share my Personal Information” link on their homepage & honour opt-out requests.
5. Right to Non-Discrimination: California residents have the right to not be discriminated against, for exercising their CCPA rights. Businesses may not deny goods or services, charge different prices or rates or provide a different level or quality of goods or services to individuals who exercise their CCPA rights.
6. Security Requirements: Businesses must implement reasonable security measures to protect Personal Information. This may include physical, technical & administrative safeguards to prevent unauthorised access, disclosure or use of Personal Information.
7. Data Processing Agreements: Businesses that share Personal Information with service providers must have a written agreement that requires the service provider to comply with CCPA requirements.

In addition to these requirements, businesses should also establish & maintain a comprehensive data privacy program that includes policies, procedures & training to ensure that CCPA Compliance is embedded in their operations.

Non-compliance with the CCPA can result in significant financial & reputational harm to businesses. The CCPA provides for statutory damages of up to $750 per consumer per incident for violations & even higher damages for certain types of intentional violations. Additionally, businesses may face negative publicity, loss of customer trust & potential legal action.

Conclusion

In summary, the CCPA is an essential privacy law that businesses operating in California must comply with to protect the privacy rights of California residents. Businesses should carefully review the CCPA’s requirements & seek legal guidance to ensure that they have appropriate policies, procedures & safeguards in place to comply with the law.

However, there are some exceptions to CCPA Compliance, such as information covered by certain federal laws or certain Business-to-Business [B2B] transactions. Businesses that are subject to the CCPA must comply with a range of requirements, including providing notice, honouring requests for access, deletion & opt-out, implementing reasonable security measures & establishing a comprehensive data privacy program.

Non-compliance with the CCPA can result in significant financial & reputational harm to businesses, including statutory damages & potential legal action. Therefore, it is essential for businesses to take steps to ensure they are complying with the CCPA’s requirements.

FAQs: 

Who are consumers under CCPA?

Under the California Consumer Privacy Act [CCPA], a consumer is defined as a natural person who is a California resident. The CCPA applies to any business that collects Personal Information about California residents, regardless of whether the business is physically located in California. The CCPA defines Personal Information broadly to include any information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes, but is not limited to, names, addresses, email addresses, IP addresses, geolocation data, employment information & biometric information.

What is compliance with the CCPA?

Compliance with the California Consumer Privacy Act [CCPA] refers to the measures that businesses must take to ensure they are meeting the requirements of the law & protecting the privacy rights of California residents. This involves meeting specific criteria, including collecting Personal Information or having annual gross revenues of $25 million or more. Businesses subject to the CCPA must comply with a range of requirements, including providing notice, honouring requests for access, deletion & opt-out, implementing reasonable security measures & establishing a comprehensive data privacy program. Non-compliance with the CCPA can result in significant financial & reputational harm to businesses, including statutory damages & legal action.

Who is exempted from CCPA?

Certain businesses & information are exempted from the California Consumer Privacy Act [CCPA], including Personal Information collected, processed or disclosed under specific federal privacy laws, health or medical information covered by HIPAA & Personal Information collected from job applicants, employees & contractors. However, businesses should carefully review the CCPA’s provisions to determine whether they are exempt from compliance with the law or not.

What is CCPA in India?

The California Consumer Privacy Act [CCPA] is a privacy law in the United States that grants California residents certain rights over their Personal Information. There is currently no equivalent law in India with the same provisions as the CCPA.