Ironclad Journal

What Is CCPA and How to Comply

Updated for 2023

With the rise of big data, there has been increased attention on proper data privacy practices. In addition to the EU’s General Data Protection Regulation (GDPR), states in the U.S. have begun to enact their own data privacy laws, including Nevada, Ohio, and Virginia. The California Consumer Privacy Act (CCPA) was enacted into law on January 1, 2020, and, contrary to popular opinion, has different requirements from the GDPR. It is also not the same as the California Privacy Rights Act (CPRA).

Below we give you the run-down of the act: who needs to comply, what to expect as a business, and how to make sure you aren’t facing penalties for non-compliance.

What is the CCPA?

The CCPA, or California Consumer Privacy Act, is legislation designed to improve the data privacy of California residents. In essence, it gives citizens the right to know when and how their information is being collected and sold, as well as the ability to opt out. It also grants them a legal right to the same service at the same price whether or not they exercise their privacy rights.

CCPA comes on the heels of GDPR (General Data Protection Regulation), and a host of other state-enacted privacy laws that reflect the public’s growing concern with data privacy abuse.

Who must comply with CCPA?

The CCPA is specifically geared towards for-profit businesses that collect, share or sell California consumers’ personal information, and meet one or more of the following criteria:

  1. Has annual revenues of more than $25 million;
  2. Collects, sells, or shares the personal information of 50,000 or more consumers, households, or devices;
  3. Earns 50% or more of its annual revenue by selling consumers’ personal information.

Note that whether or not your business is based in California, as long as it does business with Californians, it is subject to the CCPA. Further, any business that controls or is controlled by a company that meets one or more of the above criteria is subject to the CCPA.

What are the requirements for CCPA?

The CCPA gives consumers rights to know who is collecting information about them, what information is being collected, and the ability to opt out of their data being collected. Businesses must adhere to these requirements by giving consumers the following rights:

The right to disclosure

Businesses must disclose when they collect and sell information about a user, to whom they sell it, the specific pieces of information they collect and sell, and the purposes for which they collect and sell it. Businesses have 45 days to respond to a consumer’s request for the specific information collected about them. Businesses must offer users at least two ways (e.g., a link, an email address, or a phone number) to request the information the business has collected or disclosed within the past 12 months.

The right to delete their data

Businesses must notify consumers that they have the right to request that their data be deleted. Businesses must comply with such requests, and must also require their third-party data collectors to delete the consumer’s information and confirm that they have done so.

The right to opt-out

Businesses must notify consumers that they have a right to opt out of having their data collected and sold, and must actually honor that choice. In addition to a general opt-out link, they must provide a link specifically titled “Do Not Sell My Information.”

The right to non-discrimination

Consumers who request that their data be deleted or who opt out of having their data collected and/or sold have the right to get the same service at the same cost.

Businesses must also have a privacy policy

Like the GDPR, the CCPA requires businesses to have a privacy policy that includes:

  1. The consumers’ rights
  2. Ways consumers can submit requests
  3. Categories of personal information collected within the last 12 months

How to comply with the CCPA

To ensure compliance with the CCPA, businesses must provide proper and thorough notice of all the activities they will be undertaking with their data collection practices. In addition, businesses need to:

  1. Have an up-to-date privacy policy that outlines all the disclosures listed above
  2. Be able to track versions of privacy policies and maintain proof of individual user consent
  3. Provide two or more methods by which consumers can request the data that a business has collected or sold
  4. Provide an opt-out link that explicitly states, “Do Not Sell My Information.”
  5. Revise third-party agreements (e.g., Data Processing Agreements), and track acceptance of the updated agreements to ensure third-party compliance.

Updates to the CCPA Since Inception

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and since then, there have been several updates and amendments made to the law. Some of the recent updates to CCPA are:

  • The California Privacy Rights Act (CPRA): This is a ballot initiative that was passed in November 2020 and amends the CCPA. The CPRA expands the scope of the CCPA, creates new consumer rights, establishes a new agency to enforce the law, and provides additional protections for sensitive personal information.
  • Employee and Business-to-Business Exemptions: In September 2020, new regulations were adopted that provide exemptions for personal information collected in the employment context or in the context of business-to-business communications. The exemptions are limited in scope and subject to specific requirements.
  • Deidentification and Aggregated Data: In October 2020, new regulations were adopted that provide guidance on how to comply with CCPA requirements related to deidentified or aggregated data. The regulations clarify the requirements for data to be considered deidentified or aggregated, and provide guidance on how to respond to consumer requests related to this type of data.
  • Consumer Request Verification: In March 2021, new regulations were adopted that provide additional guidance on how to verify consumer requests for personal information. The regulations clarify the types of information that can be used to verify a consumer’s identity, and provide examples of methods that can be used to verify requests.

Overall, these recent updates and amendments to the CCPA have expanded the scope of the law, clarified certain requirements, and provided additional guidance on compliance. Companies that are subject to CCPA should stay up-to-date with these updates and ensure that they are in compliance with all applicable requirements.

What are the penalties for non-compliance with the CCPA?

The Attorney General

Non-compliance with the CCPA comes with financial penalties. Under the CCPA, the Attorney General can impose a maximum fine of $7,500 per violation for intentional non-compliance (i.e., purposefully ignoring the mandates of the CCPA). Unintentional non-compliance (for example, failing to encrypt user data that was accessed during a breach) carries a fine of $2,500 per violation. Because the fine is assessed per violation, a non-compliance event affecting multiple consumers can carry a fine of up to $7,500 or $2,500 for each consumer affected.

Consumers’ Private Right of Action

Additionally, consumers themselves can bring a private right of action in the event of a data breach resulting from non-compliance. Consumers can sue the company for statutory damages if it failed to implement reasonable security measures and that failure led to an unauthorized disclosure of their personal information. The consumers must notify the company of which provisions of the CCPA it violated and give the company 30 days to cure the violation. If the company fails to do so, it is subject to statutory damages of between $100 and $750 per consumer affected. So for a class action lawsuit arising out of a data breach (which is already very expensive without a consumer suit), the company could have to pay out an additional large sum.

Take the Anthem breach, for example, which affected roughly 13.5 million Californians. Under the CCPA, Anthem would owe between $1.35 billion and over $10 billion in statutory damages, in addition to other data breach costs.

Examples of Violations

There have been several reported violations of the CCPA since it went into effect. Here are a few notable examples:

  • In 2020, the California Attorney General filed a lawsuit against Facebook for allegedly violating the CCPA by failing to provide consumers with clear and concise information about how their personal information is collected and used. The lawsuit is still pending at this time.
  • In 2021, a class-action lawsuit was filed against Google for allegedly violating the CCPA by collecting personal information from consumers without their consent. The lawsuit is still pending at this time.
  • In 2021, a class-action lawsuit was filed against Uber for allegedly violating the CCPA by failing to provide consumers with access to their personal information. The lawsuit was settled in 2022, with Uber agreeing to pay $1.1 million to the class members and to make changes to its privacy practices.

These are just a few examples of the lawsuits that have been filed against businesses for violations of the CCPA. The CCPA is a complex law, and businesses need to be careful to comply with its requirements. Failure to do so can result in significant penalties, including fines and lawsuits.

Ironclad Can Help

Ironclad can help businesses track consent to updated privacy policies, terms and conditions, and CCPA-mandated disclosures. Additionally, Ironclad can help businesses track opt-ins and opt-outs of data disclosures, quickly push updated privacy policies, terms of service agreements, and third-party agreements for consumers or vendors to acknowledge or accept with a simple click of a button. Get a consultation with our clickwrap contract experts to see for yourself!
