The CCPA is a data privacy regulation created to protect the data privacy of California citizens. It requires organizations to inform users how their data is used and provides users more control over how their data is shared. This act is designed to highlight how consumer data is sold or shared and enable consumers to opt out.
CCPA regulations apply to legal, for-profit organizations that collect or sell users’ personal information. For these regulations to be enforced, organizations must meet one of the following criteria:
CCPA regulations do not apply to organizations covered under HIPAA, financial organizations covered by Gramm-Leach-Bliley, or agencies covered by the Fair Credit Reporting Act.
In this article, you will learn:
Making sure your business is CCPA compliant is important to avoid fines and retain consumer trust. You should have your legal team review regulations and consult on which aspects and requirements apply to you. Once you understand how regulations apply, consider taking the following actions:
The creation of the CCPA provided citizens with several rights that did not previously exist. These include the right to know how data is collected and used, the right to access personal data, the option to opt out of collection, guarantees of equal treatment, and the ability to have data erased.
Organizations are required to inform consumers about the data that is collected, including how collection occurs and how data is used. They must also disclose whether information is shared or sold and to whom. These notifications are meant to be provided through publicly accessible privacy notices which are also accessible upon request.
Consumers can request their personal information and information about that information. When responding to requests, organizations must provide the following information:
Consumers can opt out of their data being sold to third parties. The ability to opt out must be provided clearly via a link located on the homepage and labeled “Do Not Sell My Personal Information.”
Organizations are not allowed to penalize consumers who choose to opt out or request their data. This includes denying services, charging different prices, or providing a different quality of service.
The exception is if differences are “reasonably related to the value provided to the consumer by the consumer’s data.” Additionally, organizations are allowed to offer discounts in exchange for use of personal data.
Consumers can request that organizations delete their data. If such a request is made, it is the organization's responsibility to ensure this is done, even if data is stored in third-party services.
CCPA compliance is enforced through a variety of fines, depending on how the regulation was breached. These include:
Organizations have 30 days to remediate violations before fines are enforced. Additionally, consumers have the right to sue organizations for up to $750 per incident in the event of a breach. If consumer damages exceed $750, this amount increases. To ensure that consumers know their rights, the California Attorney General has issued multiple campaigns to inform the public.
In 2020, increasing awareness of the regulation resulted in the following lawsuits:
Although CCPA and the European Union’s General Data Protection Regulation (GDPR) are similar, these regulations do not provide the exact same protections. Both laws enable consumers to access or delete their personal data and require transparency about how data is used. However, the CCPA falls short of GDPR in several areas:
Despite these shortcomings, the CCPA exceeds the guidelines enforced by GDPR in other ways, including:
NetApp Cloud Compliance leverages cognitive technology to discover, identify and map personal and sensitive data. Use Cloud Compliance to maintain visibility into the privacy posture of your cloud data, generate crucial data privacy reports, and easily demonstrate compliance with regulations such as the CCPA and GDPR.
Learn more about NetApp Cloud Compliance