What to know about the CCPA

California Attorney General

California Privacy Protection Agency

Any individual who has their permanent address in California

Customers of household goods and services, employees, business-to-business transactions

45 Days

January 1, 2023

Yes, if you have consumer who resides in California

LINK TO COMPARISON PAGE

Consumers may only make most information requests twice a year and only for a 12-month look-back

An individual whose data is collected and processed.

An organization that collects data from one or more sources, provides some value-added processing, and repackages the result in a usable form.

The process of matching fields from one database to another.

A person who determines the purposes and means of the processing of personal data.

A third-party who processes personal data on behalf of the controller.

A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.

The California Consumer Privacy Act (CCPA) is a law that provides California consumers that engage with businesses with specific rights, including the ability to request how private data is used. CCPA helps ensure companies protect personal information from misuse. The CCPA was signed into law in June 2018, setting the stage for additional regulation introduced by subsequent California law, called the California Privacy Rights Act (CPRA). CCPA went into effect in January 2020, with enforcement starting on July 1st, 2020. CPRA will go into effect on January 1st, 2023. CCPA and CPRA have meaningful enforcement mechanisms in place, including significant fines and penalties for non-compliance.

CCPA compliance is substantial because it requires companies (irrespective of where they are domiciled) to be transparent about how they collect, use, process and share personal information (PI) and implement specific data privacy controls to secure and protect consumer privacy. Personal information subject to CCPA compliance is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include their name, telephone number, mailing address, social security number, driver’s license number, email address, financial accounts, and more. CCPA gives consumers control over their personal information. These data requests are called Data Subject Access Requests (DSAR) or Data Subject Requests (DSR). Consumer rights under CCPA (and CPRA) include:

• Right to Access (obtain a copy of personal information)
• Right to Delete (delete personal information collected by the business)
• Right to Do not Sell my information
• Right to Correct (under CPRA)

CCPA mandates companies to make it easy for consumers to submit a data request and comes with specific response SLAs. For example, a Right to Access request must be completed within 45-days from request submission, with a 45-day extension for legitimate business reason. When responding to data request, CCPA requires a company that receives a data request to search through all data to identify personal information that belongs to the requestor and respond to the request in timely manner. It is important for companies under the scrutiny of CCPA consider a CCPA compliance software solution, like CYTRIO.

CCPA compliance impacts any business (irrespective of where they are domiciled) that collects, uses, process, sells, or shares California citizen personal information. Every company that meets one of the three following criteria must comply with CCPA:

• Has annual revenue of at least $25 million; or
• Collects, uses, process, sells, or shares personal data of at least 50,000 California citizens; or
• Generates more than 50% of their revenues from the sale of personal data.

Impact of CCPA compliance include:

• Consumer personal information cannot be collected, used, processed, shared, or sold without consent. Businesses must provide consumers with details on how they will use what they collect from you beforehand. They also must provide consumers with an option to opt-out of future sharing of personal information.
• Businesses must provide a mechanism for consumers to get a copy or to delete their personal information—for free! They must disclose categories of personal information they collect, business purpose, and who they shared it with. The mechanism must be clearly stated in a Privacy Policy.
• One of the more notable aspects of CCPA is its expansive data discovery requirements. Under CCPA, businesses must provide a customer with a record of all the personal data that they have collected upon request, with a 12-month look back. Companies will also need to disclose how personal information is currently being used and who has seen it.

The law allows for two separate enforcement mechanisms:

1. Civil action by California Attorney General, where fines range from $2,500 to $7,500 per violation
2. Private right of action under section 1798.150 of the statute that gives California consumers the right to sue businesses in certain circumstances. These claims can range between $100 to $750 per individual per violation

CYTRIO CCPA solutions are helping all businesses comply with the California Consumer Privacy Act (CCPA) swiftly and cost-effectively. Using CYTRIO, organizations can eliminate 80%+ of manual tasks, resulting in significant time and cost-saving, meet CCPA compliance response SLAs and minimization risk of regulatory fines, all the while building consumer trust. Using CYTRIO CCPA compliance SaaS platform, organizations can operationalize and automate Privacy Right Management, enabling organizations to meet a complex set of CCPA compliance requirements through a secure data request intake portal, identity verification, AI-driven PI data discovery, classification, identity correlation, CCPA DSAR response orchestration, and detailed audit records. Learn more on CYTRIO’s NextGen Privacy Rights Management Solution.