United States California Consumer Privacy Act (CCPA)
Although the United States has no single federal law governing data privacy, or the collection, processing, or transfer of data, CCPA is a widely recognized compliance standard that safeguards consumer privacy. Similar to the European Union’s GDPR, CCPA gives consumers control over their personal information. Hundreds of laws at both the federal and state level are designed to protect data privacy in the United States. The Federal Trade Commission Act protects U.S. citizens from unfair or deceptive practices and serves as the basis for enforcing federal data protection regulations and data privacy in the United States where applicable.
Key Facts About Data Privacy in the United States
- Forty-seven U.S. states have no consumer data privacy laws; however, bills are pending in 16 states, and six states have study committees or task forces.
- Only four states have enacted comprehensive consumer laws for data privacy in the United States—California, Colorado, Utah, and Virginia.
- There are many industry-specific laws, such as HIPAA for healthcare, PCI for credit cards, and the Gramm-Leach-Bliley Act for banking.
- Since GDPR’s enactment in 2018, companies that are close to or have reached compliance with it have had fewer data breaches and lower overall costs per breach than companies that haven’t. (Source: Cisco)
About CCPA and CPRA
CCPA, which went into effect June 2018, was the first major legislation that focused on consumer privacy rights and data protection. It’s one of the most stringent privacy laws of any state. The framework provides a set of regulatory standards for the collection and sale of personal data. CCPA gives consumers the power to consent to data collection or to refuse it, as well as to request deletion of their information. It also introduced new obligations for businesses to disclose information about data collection and protections, and gave consumers the right to opt out of having their information sold.
Proposition 24, more commonly known as the California Privacy Rights Act (CPRA), went into effect December 2020. CPRA is also referred to as CCPA 2.0, since it’s a significant upgrade. CPRA doesn’t completely replace CCPA; it amends existing CCPA provisions and adds new provisions to better safeguard the privacy of data subjects. CCPA and CPRA do not apply to non-profit organizations or government agencies.
Key Rights Under CCPA and CPRA
- Data subjects must have adequate knowledge of what personal information is being collected and how the organizations intend to use it.
- Individuals have the right to know who is collecting their personal data and why. At any point, individuals can request the disclosure of that data.
- The framework gives the right to delete personal data collected from consumers.
- Consumers have the right to opt out of, as well as opt in to, the sale of their personal data.
- Individuals have the right to initiate a private course of action for data breaches.
- CPRA gives individuals the right to rectify inaccurate personal information.
- CPRA gives individuals the right to limit the use and disclosure of sensitive personal data.
CCPA Regulations
CCPA regulations consist of eight articles. Listed below is a brief summary.
Article 1: General Provisions/Key Definitions
Categories of Sources
Types or groupings of persons or entities from which a business collects personal information about consumers. They may include the consumer directly, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.
Request to Know
A consumer request that a business disclose personal information it has collected about the consumer, including any or all of the following:
- Specific pieces of personal information a business has collected about the consumer
- Categories of personal information it has collected about the consumer
- Categories of sources from which the personal information is collected
- Categories of personal information the business sold or disclosed for a business purpose about the consumer
- Categories of third parties to whom the personal information was sold or disclosed for a business purpose
- The business or commercial purpose for collecting or selling personal information
Notice at Collection
The notice given by a business to a consumer at or before the point at which the business collects personal information from the consumer.
Article 2: Notice to Customers
This article states that:
- Every business that must comply with the CCPA and these regulations shall provide a privacy policy in accordance with the CCPA and section 7011.
- A business that collects personal information must provide a notice at collection in accordance with the CCPA and section 7012.
- A business that sells personal information must provide a notice of right to opt-out in accordance with the CCPA and section 701.
- How a privacy policy must be framed and formulated, and what information needs to be included in the policy.
- A business must also provide a Notice at Collection of Personal Information, a Notice of Right to Opt-Out of Sale of Personal Information, and a Notice of Financial Incentive.
Article 3: Business Practices for Handling Consumer Requests
This article provides:
- A detailed description and complete steps and methods for submitting requests to know or delete personal information, opt-out, and opt-in.
- The timeline for responding to requests to know, delete personal data, and delete household information.
Article 4: Service Providers
This article states that a service provider should not retain, use, or disclose personal information obtained in the course of providing services except:
- To process or maintain personal information on behalf of the business that provided the personal information or directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA
- To retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and these regulations
- For internal use by the service provider to build or improve the quality of its services, provided the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source
- For the purposes enumerated in Civil Code section 1798.145, subdivisions (a)(1) through (a)(4)
This article also states that:
- A service provider shall not sell data on behalf of a business when a consumer has opted-out of the sale of their personal information with the business.
- If a service provider receives a consumer request to know or delete their data, the service provider shall either act on behalf of the business in responding to the request or inform the consumer that the request can’t be acted upon because it has been sent to a service provider.
- A service provider that is a business shall comply with the CCPA and these regulations with regard to any personal information that it collects, maintains, or sells outside of its role as a service provider.
Article 5: Verification of Requests
This article covers general information about the verification of requests, verification for password-protected accounts, and verification for non-account holders. It also lays down rules and a basic framework for cases where a consumer chooses to communicate with an organization via an authorized agent.
Article 6: Special Rules Regarding Consumers Under 16 Years of Age
For consumers below the age of 13
- A business that has knowledge that it sells the personal information of a consumer under the age of 13 shall establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child. This affirmative authorization is in addition to any verifiable parental consent required under COPPA.
- Organizations also require a consent form from a parent or legal guardian.
- Businesses must also ascertain and verify that the person providing consent is the child’s parent or guardian.
- In case of opt-out, a business shall establish, document, and comply with a reasonable method for determining that a person submitting a request to know or delete the personal information of a child under the age of 13 is the parent or guardian of that child.
For consumers ages 13 – 15
- A business that has actual knowledge that it sells the personal information of consumers at least 13 years of age and less than 16 years of age shall establish, document, and comply with a reasonable process for allowing such consumers to opt in to the sale of their personal information.
- When a business receives a request to opt into the sale of personal information from a consumer at least 13 years of age and less than 16 years of age, the business shall inform the consumer of the right to opt out at a later date and of the process for doing so.
Article 7: Non-Discrimination
- A financial incentive or a price or service difference is discriminatory, and therefore prohibited by Civil Code section 1798.125, if the business treats a consumer differently because the consumer exercised a right conferred by the CCPA or these regulations.
- A business may offer a financial incentive or price or service difference if it is reasonably related to the value of the consumer’s data.
- If a business is unable to calculate a good-faith estimate of the value of the consumer’s data or can’t show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference.
- A business’s denial of a consumer’s request to know, delete, or opt-out for reasons permitted by the CCPA or these regulations shall not be considered discriminatory.
Article 8: Training and Record-keeping
- All individuals responsible for handling consumer inquiries about the business’s privacy practices or compliance with the CCPA shall be trained and informed of all of the requirements in the CCPA and these regulations, and how to direct consumers to exercise their rights under the CCPA and these regulations.
- All businesses that, alone or in combination, buy, receive for the business’s commercial purposes, sell, or share for commercial purposes the personal information of 10,000,000 or more consumers in a year should be duly informed and trained about these regulations.
The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope.