hamburger icon close icon
CCPA Compliance

California Consumer Privacy Act: The Basics and a 6-Step Compliance Checklist

November 15, 2020

Topics: Cloud Data Sense Advanced5 minute read

The CCPA is a data privacy regulation created to protect the data privacy of California citizens. It requires organizations to inform users how their data is used and provides users more control over how their data is shared. This act is designed to highlight how consumer data is sold or shared and enable consumers to opt out.

CCPA regulations apply to legal, for-profit organizations that collect or sell user’s personal information. For these regulations to be enforced, organizations must meet one of the following criteria:

  • An annual revenue of $25 million or more
  • Possession of over 50,000 entities personal data
  • Over half of annual revenue comes from the sale of personal data

CCPA regulations do not apply to organizations covered under HIPAA, financial organizations covered by Gramm-Leach-Bliley, or agencies covered by the Fair Credit Reporting Act.

In this article, you will learn:

6 Step CCPA Compliance Checklist

Making sure your business is CCPA compliant is important to avoid fines and retain consumer trust. You should have your legal team review regulations and consult on which aspects and requirements apply to you. Once you understand how regulations apply, consider taking the following actions:

  1. Evaluate your data related processes to ensure that you can track data events. This includes collection, processing, storage, and use.
  2. Evaluate your data security policies to ensure that breaches or theft are prevented.
  3. Make sure your privacy policies are updated to include CCPA rights.
  4. Inform customers if their data is being sold and provide opt-out processes.
  5. Establish methods for consumers to make data requests. These must include at minimum a toll free number and a digital method, such as online form or email.
  6. Develop policies and procedures for responding to requests. Responses must be within 45 days.

New Rights Under CCPA

The creation of the CCPA provided several new rights to citizens that were previously non-existent. These include rights to know how data is collected and used, access to personal data, the option to opt-out of collection, guarantees for equal treatment, and the ability to erase data.

Right to Know Personal Information

Organizations are required to inform consumers about the data that is collected, including how collection occurs and how data is used. They must also disclose whether information is shared or sold and to whom. These notifications are meant to be provided through publicly accessible privacy notices which are also accessible upon request.

Right to Access

Consumers can request their personal information and information about that information. When responding to requests, organizations must provide the following information:

  • What categories of data is collected (i.e., name, date of birth, address, phone number)
  • What specific information is collected
  • What sources data is collected from
  • Why data is being collected for commercial purposes
  • What categories of third-parties data is being shared with

Right to Opt-Out of Sale

Consumers can opt-out of their data being sold to third-parties. The ability to opt-out must be provided clearly via a link located on the homepage and labeled “Do Not Sell My Personal Information.”

Right to Non-Discrimination

Organizations are not allowed to punish consumers who choose to opt-out or request their data. This includes not being allowed to deny services, charge alternative prices, or provide different quality services.

The exception is if differences are “reasonably related to the value provided to the consumer by the consumer’s data.” Additionally, organizations are allowed to offer discounts in exchange for use of personal data.

Right to Erasure of Data

Consumers can request that organizations delete their data. If such a request is made, it is the organization's responsibility to ensure this is done, even if data is stored in third-party services.

How CCPA Compliance is Enforced

CCPA compliance is enforced through a variety of fines, depending on how the regulation was breached. These include:

  • $2,500 for each unintentional violation
  • $7,500 for each intentional violation

Organizations have 30 days to remediate violations before fines are enforced. Additionally, consumers have the right to sue organizations for up to $750 dollars per incident in the event of breach. If consumer damages exceed $750, this number increases. To ensure that consumers know their rights, the California Attorney General has issued multiple campaigns to inform the public.

In 2020, increasing awareness of the regulation has resulted in the following lawsuits:

  • Burke v. ClearviewAI, Inc. (3:20-cv-00370)
  • Sheth v. Ring LLC (2:20-cv-01538)
  • Cullen v. Zoom Video Communications, Inc. (5:20-cv-02155)
  • Barnes v. Hanna Andersson LLC and Salesforce.com Inc. (4:20-cv-00812)

CCPA vs GDPR

Although CCPA and the European Union’s General Data Protection Regulation (GDPR) are similar, these regulations do not provide the exact same protections. Both laws enable consumers to access or delete their personal data and require transparency about how data is used. However, the CCPA falls short of GDPR in several areas:

  • It doesn’t require organizations to prove a “legal basis” for data use or collection
  • It doesn’t restrict data from being transferred outside the US
  • It doesn’t require organizations to conduct impact assessments or appoint data protection officers
  • It is limited to the last 12 months of data

Despite these shortcomings, the CCPA exceeds the guidelines enforced by GDPR in other ways, including:

  • CCPA provides protections for “household information”
  • Privacy policy notices must be more detailed
  • All organizations must provide options to opt-out
  • Organizations must obtain parental consent (opt-in) to collect the data of children under 13
  • Individuals age 13-15 must provide opt-in consent

CCPA Compliance with NetApp Cloud Compliance

NetApp Cloud Compliance leverages cognitive technology to discover, identify and map personal and sensitive data. Use Cloud Compliance to maintain visibility into the privacy posture of your cloud data, generate crucial data privacy reports, and easily demonstrate compliance with regulations such as the CCPA and GDPR.

Learn more about NetApp Cloud Compliance

New call-to-action

Senior Marketing and Strategy Manager