Who needs to comply with the CCPA?
The California Consumer Privacy Act applies to any for-profit business that collects personal information from California residents and meets at least one of the following criteria:
- annual gross revenue exceeding USD 25 million
- buys, receives, sells, or shares the personal information of 100,000 or more California consumers or households
- derives 50 percent or more of its annual revenue from selling or sharing California consumers’ personal information
The CCPA covers businesses that process the personal data of California residents, regardless of whether they are physically located in California, as long as they conduct business in the state and meet one of the above thresholds. This includes online businesses that transact with California residents. Some lawsuits filed since the law came into effect will likely provide further clarity about who specifically qualifies as a resident (e.g., if it includes university students only residing in California for part of the year).
The law applies to for-profit entities that collect and process personal information of California residents, including data brokers and other businesses that trade in personal information. However, certain entities, like nonprofits and government agencies, are exempt from complying with CCPA consumer rights.
What privacy rights does the CCPA give California residents?
You can see a more detailed definition of what the California Consumer Privacy Act (CCPA) is, but here we’ll focus on the fact that this regulation provides California residents with six core rights to data privacy. Additionally, California is the only US state that provides a supplementary private right of action, enabling consumers to sue companies and win compensation in the case of data breaches or other violations that cause harm.
The CCPA created several specific consumer rights, including:
- right to access
- right to opt-out
- right to notice
- right to disclosure
- right to deletion
- right to equal service and price
The California Privacy Rights Act (CPRA), which took effect on January 1, 2023, and expands upon the CCPA, created additional rights:
- right to correction of incomplete or inaccurate personal information
- right to portability, i.e., to receive a copy of their personal information in a form they can take with them from one business, platform, etc. to another
- right to limit the use and disclosure of sensitive personal information
- right to access information about automated decision-making, i.e., to request information about the use of automated decision-making (e.g. AI tools) and the likely outcomes of such processes, particularly with regard to profiling
- right to opt out of the use of automated decision-making technology with regard to their personal data
The CCPA defines the personal information of California residents as: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Let’s explore the core rights under the CCPA and delve into their implications for consumers and businesses.
CCPA – the right to access
Pretty much all global data privacy laws give users the right to know whether their personal data is being collected and processed, and to gain access to that data. Beyond that, rights vary regarding what further requests users can make about their data, e.g., correction, deletion, and portability.
Businesses can and should require individuals who request access to their data to verify their identity before the information is provided. Otherwise, an unauthorized party could obtain someone else’s data, which would amount to a data breach. Individuals can be required to log in to an existing account to authenticate their identity, or to do so by another mechanism. However, they can’t be required to create an account in order to make a request. If sufficient authentication is not provided, a company can deny the access request.
Requests by individuals regarding their privacy rights are generally called data subject access requests, though that term typically covers all rights-related requests, not only those concerning the right to access.
CCPA – the right to opt-out
California residents can request that a business stop selling their personal information to third parties. This was expanded to include sharing of data, profiling, and targeted advertising under the CPRA.
Under the CCPA, the term “sale” includes “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating” the personal information of California residents.
If a business can verify that the request is from the consumer in question, it must cease any further sales of that consumer’s personal information to third parties.
To comply with the right to opt-out, businesses must feature a “Do Not Sell or Share My Personal Information” banner and link on their website. This enables consumers to easily exercise their opt-out right.
Minors under the age of 13 are given additional protections by the CCPA. Businesses must obtain opt-in consent from a parent or legal guardian before collecting or selling a minor’s personal information, a requirement known as prior consent.
Individuals between the ages of 13 and 16 can opt in themselves, while retaining the ability to opt out at any time. Businesses are prohibited from collecting or selling their personal information until they have received consent.
CCPA – the right to notice
Under the right to notice, businesses are required to inform their customers about the categories of personal information they are collecting. This notification must occur at or before the point of collection. Additionally, businesses must explain the purpose of collecting this information. This is typically done on the website or app, often in a privacy policy or notice. This information can also be provided in a consent banner when consent is requested or users are provided with the “do not sell” option.
California residents have the right to know what digital data (such as tracking cookies) a business stores on their computer and the data those CCPA cookies collect. In addition, the company must state how and why they plan to use the personal information collected.
Organizations must also give consumers notice every time they begin collecting new forms of personal information (such as new data categories) or if they start collecting personal information for new purposes. For some kinds of data and data subjects, this means that new consent would need to be collected.
CCPA – the right to disclosure
With this privacy right, California residents can request that a business disclose what personal information they have collected on them in the past twelve months. Upon request, organizations must disclose:
- the categories of personal information collected about the consumer
- the sources from which the personal information was collected
- the business or commercial purposes for collecting, selling, or sharing personal information
- the third parties with whom the business shares personal information
Companies must provide at least two ways to request disclosure about personal information and processing, including a toll-free telephone number or email address on the business’ website.
When a California resident submits a verifiable request, the business must provide this information in writing within a specified timeframe (typically 45 days). The disclosure must cover the 12 months preceding the request date. Businesses can request to extend the response period, e.g., if there is a lot of data, or it has to be collected from disparate sources. But if a company needs an additional 45 days, they must notify the user before the first 45-day period expires.
Furthermore, consumers have the right to request access to the specific pieces of personal information the business has collected about them. This allows individuals to obtain a copy of their actual personal data held by the business, not just categories of information. There are some exceptions to this, e.g., if providing personal information would violate the privacy or rights of another individual.
CCPA – the right to deletion
California residents can request that a business delete any personal information it has collected about them, with some exceptions. Of course, this also means that further data processing cannot take place.
When a consumer submits a verifiable request to have their personal information deleted, the business must delete the information from its records as soon as possible. Additionally, the business must instruct any service providers and third parties to delete the consumer’s personal information from their records as well.
The CCPA requires companies to confirm receipt of a deletion request within 10 business days. They must respond to the request within 45 days. This can be extended by an additional 45 days if the individual is notified ahead of time.
Businesses must disclose the consumer’s right to request deletion in their privacy policy and provide at least two designated methods for consumers to submit deletion requests, for example a toll-free number, email address, or online form. Companies can implement a two-step process for deletion requests, e.g., the individual submits a request and the business then confirms with the individual that they want this data to be deleted.
However, the CCPA consumer right to deletion is not absolute. The CCPA outlines several exceptions where businesses can retain a consumer’s personal information. These exceptions include completing a transaction, detecting security incidents, exercising free speech, and complying with legal obligations. Additionally, businesses can keep the information for internal purposes reasonably aligned with the consumer’s expectations based on their relationship with the business.
CCPA – the right to equal service and price
The CCPA right to equal service and price grants consumers the “right to non-discrimination” in terms of service and pricing. It prohibits companies from discriminating against consumers for exercising their CCPA rights.
Specifically, the CCPA states that a business cannot:
- deny goods or services to a consumer
- charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties
- provide a different level or quality of goods or services to the consumer
However, the CCPA does allow businesses to charge different prices or provide different levels of service if this difference is reasonably related to the value provided to the consumer by their data. For instance, a loyalty program that offers discounts in exchange for allowing data collection would be considered permissible under the law, though the exchange must be reasonable and of comparable value on both sides.
Companies must disclose any financial incentives or price differences in their privacy policies and give consumers the ability to opt-out while still receiving the basic level of service or pricing.
CCPA – the right to sue for data breaches
Individuals have the right to file a lawsuit if their personal information is accessed, stolen, or disclosed without authorization due to a business’s failure to implement and maintain reasonable security procedures and practices.
This means that if a business does not adequately protect sensitive personal information and a breach occurs, consumers can take legal action against the business. To date, California is the only US state to include this right in its privacy law.
To pursue legal action under the CCPA, several conditions must be met:
Firstly, there must be a data breach involving the consumer’s personal information, where it is not encrypted or redacted as defined by the CCPA. This includes sensitive data like names combined with social security numbers, driver’s license numbers, financial account numbers, medical information, or biometric data.
Secondly, the data breach must result from the business’s failure to implement and maintain reasonable security procedures and practices appropriate for protecting such personal information. However, the CCPA does not explicitly define what qualifies as “reasonable” security measures.
If these conditions are met, consumers must first notify the business in writing about the violation and give the business 30 days to fix the problem (“cure period”) before taking legal action. If the business does not resolve the issue within this period, then people can file a lawsuit.
In such lawsuits, California residents can seek to recover statutory damages ranging from USD 100 to USD 750 per consumer per incident. Alternatively, they can claim actual damages resulting from the breach, whichever amount is greater.
How to comply with CCPA rights using a consent management platform (CMP)
A consent management platform (CMP) is a software solution that helps businesses manage user consent preferences for data processing activities related to privacy laws like the CCPA. There are multiple ways a CMP can help you comply with CCPA rights requests and other functions.
The CCPA requires businesses to inform consumers about the personal information collected and its intended use or sharing. A CMP facilitates compliance by using customizable cookie banners and consent notices. These disclose data types processed, reasons for processing, and involved parties, meeting the CCPA’s “notice at collection” requirement.
Cookiebot CMP by Usercentrics scans your website for the cookies and trackers in use, providing a list that can be used to notify users about data processing activities. Regular subsequent scans help you ensure that the information is kept up to date.
Under the CCPA, consumers have the right to stop their personal information from being sold to third parties. A CMP helps with this by offering a simple way to opt-out, usually through a “Do Not Sell or Share My Personal Information” link. For cases where consent is needed beforehand, like with sensitive data or information about children, a CMP helps collect that consent before using the data or allows consumers to limit how their sensitive data is used.
Consumers also have the right to access the specific personal information collected by a business. A CMP documents consent preferences and processing activities, enabling businesses to provide this information upon request, or to authorities in the event of an audit.
Therefore, a CMP helps simplify CCPA compliance by enabling transparency, managing consent and opt-out processes, handling data securely, and maintaining detailed consent records. It also demonstrates to consumers that you respect data privacy and their rights.
How Cookiebot can help you comply with CCPA rights
Cookiebot CMP’s scans reveal all cookies and similar tracking technologies in use — both first- and third-party — so you can know exactly what personal information you collect and “sell” (i.e., make available, disclose, or transfer) to third parties. Use this information to generate compliant and on-brand cookie banners and privacy policy content to notify users and enable them to make informed consent choices.
Cookiebot CMP also generates audit trails and records of user consent choices over time, helping you demonstrate CCPA compliance during audits, investigations, or for data subject access requests. Based on user consent preferences, the CMP can automatically block cookies and trackers unless consent is given for their use.
Using Cookiebot™, your company can comply with the CCPA in addition to other US and global privacy regulations.
Discover how easy it is to streamline privacy compliance
Sign up for your free 14-day trial now and see how easily Cookiebot™ can help you with CCPA compliance.
FAQ
The CCPA empowers California residents with the right to opt out of third-party data sales; the right to be informed of data collection, processing, and their rights regarding it; the right to have collected data disclosed; the right to have collected data deleted, and the right to equal services and prices.
The CCPA right to access, also known as the “right to know,” allows California residents to request and obtain details about the personal information businesses have collected, used, and shared about them.
Personal information under the CCPA is any kind of information that can directly or indirectly identify an individual. This includes anything from names, postal addresses, social security numbers, health data, location data, IP addresses, cookies, search, and browser history.
According to the CCPA, a business is defined as a company or for-profit organization that meets one of the following criteria: having an annual gross revenue exceeding USD 25 million; deriving 50 percent or more of its annual revenue from selling consumers’ personal information; or buying, receiving, selling, or sharing the personal information of more than 100,000 California residents, households, or devices per year.
Your website must enable users to exercise their CCPA rights. For example, you need to inform users about your personal information collection and processing practices. You must also provide instructions on how users can request disclosure and deletion of their information. Additionally, your website should prominently feature a clear “Do Not Sell or Share My Personal Information” link that users can use to opt out of having their data sold to or shared with third parties.
The CCPA grants California consumers rights to know what personal information businesses collect and how it’s used, to opt out of its sale, to request its deletion, and to avoid discrimination in service and pricing for exercising these rights. It also allows consumers to sue businesses for data breaches involving their unencrypted personal information, where reasonable security practices were not upheld.
The CCPA grants six key rights to California consumers. The California Privacy Rights Act (CPRA) later added two additional rights: the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information.
Not in most cases. Personal information can be collected and processed, including sold, without user consent, unless the data is categorized as sensitive or belongs to a child. Then it needs prior consent. Users must have the right to opt out of sale, sharing, profiling, or targeted advertising under the CCPA and CPRA, however.
Resources
Official law text of the California Consumer Privacy Act (CCPA)
How does my business achieve CCPA compliance?
What is CCPA personal information?
What are the differences between the CCPA and the EU’s GDPR?