top of page

CCPA Guide for small business: Compliance, Consumer Rights, and Penalties Explained

What is CCPA?


The California Consumer Privacy Act (CCPA) is a comprehensive data privacy regulation aimed at enhancing personal information protection for residents of California. Enacted in 2018 and effective since January 1, 2020, the CCPA grants several rights to consumers concerning the collection, use, and disclosure of their personal data by businesses operating within the state. By addressing data privacy concerns, the CCPA has become a benchmark for data protection legislation in the United States.


Under the CCPA, consumers enjoy several rights related to their personal information. They have the right to know what data a business collects, the purposes of data collection, and with whom the data is shared. Consumers also have the right to access their personal information held by businesses and request the deletion of their data under certain conditions. Moreover, the CCPA provides consumers with the ability to opt-out of the sale of their personal information to third parties.


Businesses subject to the CCPA must comply with various data protection requirements. They must provide clear and transparent disclosure about the collection, use, and sharing of personal information.

Additionally, businesses must establish processes to handle consumer requests for data access, deletion, and opt-out from the sale of personal information. Failure to comply with the CCPA may result in enforcement actions and penalties imposed by the California Attorney General's office.


Who does CCPA apply to?


The CCPA applies to for-profit businesses that meet specific criteria and do business in the state of California. According to the law, a "business" is a sole proprietorship, LLC, corporation, association, or other legal entity organized or operated for the profit or financial benefit of its shareholders or other owners.

The CCPA generally applies to a business that:


  • Is for profit and does business in the State of California;

  • Collects California resident personal information (or on behalf of which such information is collected);

  • Alone or jointly with others determines the purposes or means of processing that data.

Additionally, the CCPA essentially applies to any for-profit entity doing business in California that collects, shares, or sells California consumers' personal data, and either:

  1. Has annual gross revenues in excess of $25 million;

  2. Possesses the personal information of 50,000 or more consumers, households, or devices;

  3. Earns 50% or more of its annual revenues from selling consumers' personal information.

Even if a business is located outside of California or the United States, the CCPA still applies if the company has customers or users who reside in or are residents of California.


What are the rights granted to consumers under CCPA?


Under the CCPA, consumers are granted several rights to protect their data privacy and autonomy. These rights can be divided into the following categories:

  1. Right to know: Consumers have the right to request disclosure of personal information collected by the business about them, including the sources of the information, the purposes for collecting it, and any third parties it has been sold to.

  2. Right to access: Consumers have the right to request access to specific categories and sections of personal data collected during their online interactions with businesses.

  3. Right to opt-out: The CCPA grants consumers the right to object to the selling of their data to any third party, for any purpose. Once a consumer objects, businesses cannot ask for their consent again for at least 12 months from the day they give their objection.

  4. Right to request deletion: Consumers have the right to request the deletion of personal information collected from them.

  5. Right to equal services and prices: Consumers are entitled to equal services and prices, regardless of whether they exercise their CCPA rights.

Additionally, starting January 1, 2023, consumers are granted two new rights:

  1. Right to correct inaccurate personal information: Consumers have the right to correct inaccurate personal information that a business has about them.

  2. Right to limit the use and disclosure of sensitive personal information: Consumers have the right to limit the use and disclosure of sensitive personal information collected about them. Sensitive personal information includes data such as Social Security numbers, driver's license numbers, passport numbers, financial account information, and more.

Finally, the CCPA also establishes a narrow private right of action for certain data breaches involving a subset of personal information. Consumers may seek the greater of actual damages or statutory damages ranging from $100 to $750 per consumer per incident.


What are the penalties for non-compliance with CCPA?


Non-compliance with the CCPA can result in various penalties, depending on the nature of the violation. Civil penalties for non-compliance can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation. A business is not liable if it cures any noncompliance within 30 days after being notified of alleged noncompliance, although some types of noncompliance or data breaches may not be capable of "cure" .


In addition to monetary penalties, non-compliant businesses may face reputational harm and loss of clients. The severity of fines and penalties may depend on the party levying accusations and legal action against the business.


Businesses must respond to consumer requests within 45 days; however, they can request an additional 45 days if "reasonably necessary," effectively providing a total of 90 days to respond. They must inform the consumer about this extension within the first 45-day period.


It is important to note that the California Attorney General is responsible for enforcement of the CCPA.


Can a business sell a consumer's personal information under CCPA?


Under the CCPA, businesses can sell a consumer's personal information, but they must adhere to specific regulations and requirements. Consumers have the right to opt-out of the sale of their personal information. After receiving an opt-out request, businesses are generally prohibited from selling or sharing the consumer's personal information unless the consumer later authorizes them to do so again. Businesses must wait at least 12 months before asking a consumer to opt back in to the sale or sharing of their personal information.


CCPA-covered businesses must have a clear, comprehensive, and up-to-date Privacy Policy notifying consumers of how they collect, use, and share their personal information. Businesses that sell personal information are required to include specific disclosures about their practices in their Privacy Policy.


The CCPA does not consider it to be "selling" data when a consumer uses or directs the business to intentionally disclose personal information with a third party. Additionally, the law applies to the collection and sale of all personal information collected by a business from consumers, not just information collected electronically or over the Internet.


It is crucial to note that under the CCPA/CPRA, "selling" personal information includes sharing it for any "valuable consideration" (benefit), which may encompass a wide range of routine business activities. However, some exceptions may apply.


Does CCPA apply to offline data?


Yes, the CCPA applies to offline data as well. The law covers the collection and sale of all personal information collected by a business from consumers, not just information collected electronically or over the Internet. In fact, the CCPA applies to paper records . This means that businesses handling the personal information of consumers in offline formats must also comply with the CCPA regulations.



CCPA vs GDPR


The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are two significant data privacy regulations that aim to protect consumers' personal information. However, there are some key differences between the two.

  1. Scope: The CCPA protects California residents, whereas the GDPR focuses on data subjects residing in the European Union.

  2. Applicability: The CCPA applies to businesses that "do business" in California and meet specific thresholds, such as annual gross revenues greater than $25 million or processing the data of 50,000 or more consumers. In contrast, the GDPR applies to any organization processing the personal data of individuals residing in the European Union, regardless of the organization's location.

  3. Consent: The CCPA offers consumers the right to opt-in to data collection, while the GDPR requires businesses to obtain consumers' consent before collecting their data.

  4. Legal Bases for Data Processing: The GDPR sets out six legal bases under Article 6 for organizations to lawfully collect and use personal data. The CCPA, on the other hand, doesn't have a similar provision.

  5. Rights Granted: Both the CCPA and GDPR grant consumers various privacy rights, such as the right to access and the right to deletion. However, the specifics of these rights may differ between the two regulations.

  6. Fines and Penalties: The GDPR imposes stricter penalties for non-compliance, with fines reaching up to €20 million or 4% of the company's global annual turnover, whichever is higher. In contrast, the CCPA's fines are up to $7,500 per intentional violation and $2,500 per unintentional violation.

Overall, while the CCPA and GDPR share some similarities, the GDPR is generally considered to be a stricter and more comprehensive regulation. However, both regulations have a global reach and require businesses to implement robust data privacy and protection measures to comply with their respective provisions.


CCPA compliance checklist


To ensure your website is compliant with the California Consumer Privacy Act (CCPA), you should consider the following steps as part of your CCPA compliance checklist:

  1. Determine if your business needs to comply with the CCPA: Make sure your organization falls within the scope of the CCPA, i.e., it collects personal information from California residents and meets specific thresholds.

  2. Map and inventory customer data: Identify the personal information your organization collects, processes, and stores, and create an inventory of the data and data sources.

  3. Create an opt-out page: Develop a web page that allows California residents to opt-out of the sale of their personal information.

  4. Promote the opt-out page: Make the opt-out page easily accessible and visible to consumers by providing a link on your website's homepage or within your privacy policy.

  5. Update privacy policy & disclosure notifications: Revise your organization's privacy policy to include CCPA-specific disclosures and inform consumers about their rights under the CCPA.

  6. Handle consumer data rights requests: Implement processes to promptly respond to and fulfill consumers' requests to access, delete, or opt-out of the sale of their personal information.

  7. Ensure non-discrimination: Ensure that your organization does not discriminate against consumers for exercising their CCPA rights, such as by denying goods or services or charging different prices.

  8. Address complaints: Establish a system to handle and resolve consumer complaints regarding CCPA compliance.

  9. Define breach thresholds & privacy team workflows for breach response: Develop protocols for identifying, reporting, and addressing data breaches in line with CCPA requirements.

  10. Align your teams and suppliers: Communicate CCPA requirements to your teams and suppliers, ensuring that all parties involved in handling personal information are aware of their obligations under the CCPA.

This list is not exhaustive but provides a good starting point for organizations aiming to achieve CCPA compliance. Additional steps and requirements may be necessary depending on your organization's specific circumstances.



The California Consumer Privacy Act (CCPA) represents a significant step forward in safeguarding personal information and promoting data privacy in the United States. By granting consumers rights over their data and holding businesses accountable for the collection, use, and disclosure of personal information, the CCPA has set a high standard for future data protection legislation.


コメント


bottom of page