Data privacy laws have many nuances, but it is crucial that your business complies with the California Consumer Privacy Act (CCPA). In this article, we break down the CCPA requirements and how they affect your business.
California Consumer Privacy Act
The CCPA was approved by the state of California in 2018 and affects organizations that collect, retain, or share the personal data of U.S. citizens residing in the state of California. California residents have the right to sue organizations that violate any of its privacy guidelines. The CCPA builds on earlier privacy laws and gives all California consumers the right to see all personal data a company has collected about them, including any data shared with third parties. Under the CCPA compliance requirements, organizations must give consumers the option to opt out of third-party sharing of their personal data.
The CCPA identifies personal data including but not limited to the following:
- Biometric information
- Geolocation data
- Personal identifiers (e.g. real name, social security number, email address)
- Internet histories such as browsing history or advertisement interactions
- Commercial information (e.g. consumer tendencies, purchase history)
GDPR and CCPA
All U.S.-based and international organizations working with California residents and reporting at least $25 million in annual revenue or collecting more than half of their revenue through selling personal data are required to comply with CCPA.
Insurance companies and insurance support companies are regulated by California’s Insurance Information and Privacy Protection Act (IIPPA) and are therefore excluded from the CCPA.
CCPA Compliance Requirements
The CCPA requirements are not as stringent as those of the EU's General Data Protection Regulation (GDPR). For example, in the event of a data breach, the CCPA does not require companies to notify consumers; consumers must first file complaints before penalties are applied. If a company already complies with the GDPR, only minimal updates to its data breach policies are required to meet the CCPA requirements. However, there are key differences to consider.
The CCPA gives California consumers a greater range of access to the personal data an organization holds about them. This includes data that may be located on different platforms under various aliases; therefore, how personal data is structured and organized during retention is critical. In addition, while the CCPA requires equal service for all consumers, organizations are still able to offer incentives for opting in to the sharing of personal data with third parties.
Case Example: Sephora USA, Inc.
Organizations subject to the CCPA that do not comply are at risk of consumer complaints leading to penalties and costly fines. For example, in 2022 the California Attorney General announced a $1.2 million settlement with Sephora USA, Inc. (Sephora) for failing to comply with the CCPA. Sephora allegedly failed to honor opt-out privacy requests and did not disclose its use of third-party tracking technology, which collected personal data that was later sold to third parties. In addition to the settlement costs and mandatory updates to its data collection practices, Sephora must now provide a biennial report on its data privacy compliance.