What Is CCPA? California Privacy Laws and How They Protect Consumers

Find out how California privacy laws protect consumers and what businesses must do to comply.
Andrew Adams, Author
Catherine McNally, Editor
Last updated Jul 29, 2022

In the digital age, an increasing amount of personal information is used for everyday interactions online. Protecting your personally identifiable information is important, but you can’t control how companies handle your data after you give it to them. That’s why the California legislature created the California Consumer Privacy Act (CCPA).

The CCPA protects California residents and their data when it is provided to companies. The legislation is a set of individual rights and business obligations to protect personal data. Signed into law in 2018, the CCPA went into effect January 1, 2020.

Californians also recently approved a ballot measure that expands the CCPA with the California Privacy Rights Act (CPRA). The CPRA adds additional protections for consumers and will go into effect in 2023.

If you live in California or collect data from California residents for your business, here’s what you need to know about the CCPA and how to comply.

What is CCPA?

Similar to the General Data Protection Regulation (GDPR) in Europe, the CCPA seeks to protect consumers’ personal data while giving businesses a set of standards to follow to ensure they are also working to protect the data they collect.

The CCPA protects individuals by giving them the following rights:

  • The right to know about the personal information collected by businesses.
  • The right to delete personal information collected.
  • The right to opt out of personal information being sold.
  • The right to opt in to the sale of personal information.
  • The right to not be discriminated against for opting out.
  • The right to initiate a private cause of action for data breaches.

The CCPA applies to businesses, along with service providers or third parties who interact with the personal data of consumers. The CPRA also adds contractors to those entities who need to comply.

If companies don’t comply with the CCPA, they may face civil penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. Companies do have 30 days to fix any alleged violation.

Consumers who directly sue a company for a data breach may receive statutory damages, or damages whose amounts are pre-established by a statute, up to $750 per incident or actual damages, whichever is greater.

What is the California Privacy Rights Act (CPRA)?

California voters passed the CPRA, an amendment to the CCPA intended to further protect consumers, which will go into effect on January 1, 2023.

The CPRA adds two new consumer rights to the CCPA, including:

  1. The right to correct inaccurate information.
  2. The right to limit the use and disclosure of personal information.

The CPRA also created a new segment of personal data called sensitive personal information (SPI), which includes information such as:

  • “Social Security, driver’s license numbers, state identification card, and passport numbers;
  • financial account, debit card, or credit card numbers in combination with required security or access codes, passwords, or credentials allowing access to an account;
  • account login in combination with required security or access codes, passwords, or credentials allowing access to the account;
  • precise geolocation (i.e., information used or intended to be used to locate a consumer within a geographic area equal to or less than approximately 1/8 square mile);
  • information about racial or ethnic origin, religious beliefs, philosophical beliefs, or union membership;
  • contents of consumers’ mail, emails, or text messages, unless the business is the intended recipient of that information; and
  • genetic data.
  • the processing of biometric information for the purpose of uniquely identifying a consumer; and
  • information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation.”

Personal data can include IP addresses

The CCPA includes IP addresses in the protected categories of personal information, but only if the IP address “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

CPRA and dark patterns

One of the other main objectives of the CPRA is to limit the use of dark patterns to mislead consumers. Dark patterns are a way of using the user interface or design to influence consumer behavior.

According to Business Insider, “California is banning companies from using ‘dark patterns,’ a sneaky website design that makes things like canceling a subscription frustratingly difficult.”[1]

There are several different tactics considered dark patterns that can mislead consumers into opting for unknown things. One of those techniques is called “confirmshaming.” Confirmshaming is when a company offers you a discount or some other incentive in exchange for opting in.

Another common dark pattern is when a company requires you to input personal information to continue to its website. Requiring an email address or other personal information to access the website is called forced continuity. Another example is needing your credit card information for a free trial.

There are many different instances of dark patterns that companies use to gain personal information from customers. The CCPA and CPRA limit the use of these types of data collection to help consumers protect their data even more.

What are CCPA regulations?

The CCPA is based on Californians' six rights regarding their data privacy. Those six rights are:

  1. The right to know about the personal information collected by businesses.
  2. The right to delete personal information collected by corporations.
  3. The right to opt out of personal information being sold.
  4. The right to opt in to the sale of personal information.
  5. The right to not be discriminated against for opting out.
  6. The right to initiate a private cause of action for data breaches.

The new CPRA legislation that goes into effect in 2023 added two more rights to consumer protection.

  1. The right to correct inaccurate information.
  2. The right to limit the use and disclosure of personal information.

The CCPA is based on protecting consumers’ personal information. It defines personal information as information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Businesses that sell consumer data must include a Do Not Sell link

If a business sells personal information, it’s required to include a clear and obvious “Do Not Sell My Personal Information” link on its website. Clicking the link should allow consumers to submit an opt-out request.

To ensure CPRA and CCPA compliance, businesses must understand the consumer data that is collected. It is also critical for a business to understand its privacy and cookie policies to ensure that both meet the standards necessary.

Once a business understands the data that is collected, it should also delve into how that information is transmitted and stored, along with determining who has access to the data.

Finally, a business should outline processes to respond to consumer demands for information and a plan in case of a data breach.

California consumers who believe their data privacy has been jeopardized can submit a complaint to the California Attorney General’s office.

Who needs to comply with California data privacy law?

This pair of privacy regulations applies to California residents only. The CCPA defines a California resident as a person, not a business or corporation, who resides in the state of California. Residents who are temporarily out of the state are also protected.

The CCPA regulations apply to any for-profit companies that do business in California and meet any of the following criteria:

  • “Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.”

How to comply with the CCPA

For businesses to comply with the CCPA, they must protect the consumer’s rights outlined in the CCPA. To do so, businesses need to have a website privacy policy that complies with CCPA standards and is updated at least once a year. It is also important to have a cookie policy to explain how your website uses its consumers' personal data.

Businesses need to notify consumers, at or before the time of collection, of the types of data that will be collected and how it will be used. Companies also need to be prepared to disclose, at the request of a consumer, the following information:

  • Specific types of personal information that have been collected
  • Sources where personal data was obtained
  • Purpose of collecting the data
  • Third parties who may have had access to the data

The CCPA also requires that businesses be able to provide a history of all of the personal data that has been collected for a given consumer. Along with this, consumers must have the opportunity to remove their personal information from a business's database.

If a consumer does not want their personal information stored or used in a specific way, businesses are not allowed to discriminate against them by providing different services, changing prices, or restricting access to goods or services.

What happens if you don’t comply with CCPA?

The Attorney General of California is tasked with enforcing the CCPA. According to the Attorney General’s website, “Using consumer complaints and other information, the Attorney General may identify patterns of misconduct that may lead to investigations and actions on behalf of the collective legal interests of the people of California.”

Individual consumers can only sue a company under the CCPA if there is some type of data breach.

The Attorney General says, “You can sue a business if your nonencrypted and nonredacted personal information was stolen in a data breach due to the business’s failure to maintain reasonable security procedures and practices to protect it.”

If an individual does sue based on a data breach, they can sue for actual monetary damages that were suffered or statutory damages of $750 per incident.

If a consumer wants to sue, they must give the company a written statement on what sections of the CCPA were violated and give the company 30 days to fix the problem and respond with a written statement. The statement should also note that no further violations will happen.

To sue a company for a data breach, specific types of information must have been stolen, including your first and last name, as well as any of the following:

  • “Your social security number
  • Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person's identity
  • Your financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account
  • Your medical or health insurance information
  • Your fingerprint, retina or iris image, or other unique biometric data used to identify a person's identity (but not including photographs unless used or stored for facial recognition purposes)”

To sue for damages from the data breach, the personal information must have been stolen in nonencrypted and nonredacted form.

As part of the CCPA, the California Privacy Protection Agency was created to help maintain the CCPA and has the authority to enforce the regulations.

Data broker regulations

Data brokers are also covered by the CCPA. Data brokers are companies that collect personal information and sell that data to other companies.

The CCPA requires these data brokers to register with the Attorney General. The Attorney General publishes a database of brokers to help consumers exercise their rights under the CCPA. Residents can find contact information for the data brokers on the California Data Broker Registry.

CCPA vs. GDPR

The General Data Protection Regulation and the California Consumer Privacy Act share many commonalities. They both protect consumers' personal data and regulate how businesses use and protect that data.

The GDPR applies to all European Union countries and to any company that provides goods or services to Europeans. The CCPA applies to all residents of California and any company that provides goods or services to California residents.

The GDPR regulates businesses of all sizes as long as they do business with anyone in the European Union. The CCPA only applies to companies of a certain size or revenue metric. It also does not apply to non-profits or government entities.

How both of these regulations are enforced also varies. Until 2021, California's Attorney General was responsible for upholding the state's CCPA regulations. Now, the California Privacy Protection Agency helps implement and enforce the CCPA. Each country in the EU has an individual data authority to investigate GDPR complaints and levy fines against companies.

CCPA and CPRA FAQs


What does CCPA stand for?

CCPA stands for the California Consumer Privacy Act. The act protects the personal data of California residents and includes regulations for how businesses should handle and protect customer data. It was signed into law in 2018 and went into effect at the beginning of 2020.


Does CCPA apply to all US states?

No, the CCPA protects residents of California and applies to for-profit businesses that do business in California and meet certain expectations.


Who is exempt from CCPA?

Non-profit companies, government entities, and companies with less than $25 million in annual gross revenue are exempt from CCPA.


Does CCPA apply to small businesses?

The CCPA applies to companies that do business with residents of California and meet one of these requirements:

  • “Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.”

Bottom line

The California Consumer Privacy Act and the California Privacy Rights Act work in tandem to help residents of California protect their private data. The CCPA gives consumers six rights that help them understand what personal data is being used, require consumers to opt in to any sale of their data, and more.

The CPRA also adds additional protections, allowing consumers to update any incorrect information and limiting the use or disclosure of sensitive personal information.

For businesses, understanding the CCPA and CPRA is critical. It is important to know that consumers must opt in before giving personal information, which is why a cookie policy and privacy policy are so important.

If your business is unsure if it complies, you should audit the current data being collected, ensure that customers have all the rights protected by the CCPA, and create a plan for any data breaches.

Citations

[1] California Is Banning Companies From Using ‘Dark Patterns,’ A Sneaky Website Design That Makes Things Like Canceling a Subscription Frustratingly Difficult
