Navigating California Privacy Law: Everything You Need to Know About the California Consumer Privacy Act (CCPA)

Posted by Tom McKeever | Jun 25, 2025 | 0 Comments

Modern businesses, especially those that operate within the tech world, collect, store and use vast amounts of data on a daily basis. Big data translates into big business, and much of this data is personal data collected from users. While this data is essential for many businesses' operations, it also comes with a great responsibility to keep that data private, secure, and used only for specified reasons. 

In 2018, California's data privacy law was passed. Known as the California Consumer Privacy Act (CCPA), it became the first state consumer privacy law in America. The CCPA is a comprehensive approach to data privacy, establishing individual rights about how personal information is collected and used. 

At SVTech, we specialize in providing businesses with the legal counsel and advice they need to successfully navigate the technology world, including how to achieve and maintain compliance with laws like the CCPA. If you've been wondering what the CCPA is and how it applies to your business, you've come to the right place. 

Today, we're going to walk you through what you need to know about the California Consumer Privacy Act, so you can safeguard your operations in the changing landscape of digital privacy.

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act was created in 2018 with the goal of giving Californians unprecedented rights and access regarding the personal information that companies collect and use. 

With consumers becoming more aware of the scope of data collection and the inherent danger that data breaches, misuse, and hacks pose, lawmakers responded by voting the CCPA into existence.

As the first of its kind in the United States, the CCPA gives Californians specific rights regarding how a business collects and uses their personal data. 

Key consumer rights guaranteed to Californians under the CCPA include:

  • The right to know what personal information is being collected, how it is used, and how it is shared

  • The right to delete the personal data collected about them

  • The right to opt-out of the sale of their personal information

  • The right to non-discrimination for exercising these rights

In 2020, California voters approved Proposition 24, which created the California Privacy Rights Act (CPRA). The CPRA functions as an expansion of the California Consumer Privacy Act, giving new protections to Californians including:

  • The right to correct inaccurate information

  • The ability to limit the use and disclosure of sensitive personal information

  • The ability to opt-out of certain uses of automated decision-making technology

These additional provisions went into effect on January 1, 2023, with enforcement effective July 1, 2023. 

The CCPA is currently one of the most comprehensive data privacy laws in the world. 

Who Does the CCPA Apply To?

The CCPA applies to any for-profit organization “doing business” in the state of California. What does doing business mean? As defined by the CCPA, doing business means that the organization meets one or more of these criteria:

  • Annual gross revenue in excess of $25 million in the preceding calendar year

  • Actively buys, sells, or shares the personal information of 100,000 or more California consumers or households per year

  • Earns 50% or more of its annual revenue from selling or sharing California consumers' personal information

It's important to note that beyond these criteria, “doing business” in California means that even companies that are not physically located in California, but that collect or process information about California residents, are subject to the requirements of CCPA law. Notable exceptions to the CCPA include non-profit organizations and government agencies.

While the CCPA may only apply to California residents, California has the largest population in the US at over 40 million residents. That makes CCPA laws applicable to virtually every for-profit business that collects the personal data of its customers and users.

What Constitutes Personal Information under the CCPA?

The definition of “personal information” is crucial to the power of CCPA laws, and it is defined quite broadly. 

Under the CCPA laws, personal information can be considered anything that “identifies, relates to, or could reasonably be linked with you or your household”. 

Examples of personal information include:

  • Your name or the names of household members

  • Email addresses

  • Internet browsing history

  • Geolocation data

  • Fingerprints 

  • Records of products purchased

In addition to these forms of personal information, CCPA laws also describe an additional category of personal information, known as sensitive personal information. 

Sensitive personal information includes items that are particularly vulnerable such as:

  • Social security numbers

  • Financial information and records

  • Credit and debit card numbers

  • Security codes

  • Account login information such as usernames and passwords

  • Biometric data

  • Genetic data

  • Information about a consumer's health, sexual orientation, or sex life

  • Race or ethnic origin

  • Religious beliefs

  • Union membership

It's also worth mentioning what is not considered personal information. 

Publicly available information when made lawfully available from local, state, or federal government records (like real estate and property records, and professional licenses) is not considered protected personal information under the CCPA.

What Are the Penalties for Non-Compliance With the CCPA?

The California Privacy Protection Agency (CPPA) was created with the passing of Proposition 24 in 2020 and is the California agency responsible for enforcing the CCPA. 

The CPPA can bring administrative proceedings against companies believed to be in violation of CCPA laws, as well as file cease and desist orders and seek civil penalties. In addition, the California Attorney General also has the authority to investigate violations and seek penalties. 

The penalty for a single violation of CCPA laws is $2,500. For intentional violations, or violations involving the personal information of a minor under 16, the penalty rises to $7,500 per incident. 

Bear in mind, these penalties are charged per incident, meaning that a business in violation of CCPA laws with thousands of users would face substantial fines.

Individuals also have recourse if their personal information is involved in a data breach.

Individuals may sue a company for statutory damages of up to $750 per incident, or actual damages, whichever is greater. Before individuals can sue a business for a data breach, they must inform the business, which begins a 30-day cure period to resolve the breach before damages can be awarded.

Another important change brought about by the CPRA is a modification of the 30-day “cure period” that was part of the initial CCPA. For most violations identified by the California Privacy Protection Agency or the Attorney General, the previous mandatory 30-day window for businesses to correct the issue has been eliminated. The agency can now grant a cure period at its discretion, but it is no longer guaranteed. This places significant pressure on businesses to achieve continuous compliance.

On the other hand, if an individual wishes to sue a business for statutory damages resulting from a data breach or failure to implement reasonable security, they must provide the business with 30-day written notice.

If the company can genuinely cure the underlying security issue and provides written assurance within the 30-day window that the issue has been resolved, the individual will not be able to pursue statutory damages for that particular incident.

All of this makes it more important than ever to have proper legal guidance when it comes to data privacy. 

To avoid violating California data privacy laws, it is imperative you immediately seek the help of an attorney experienced in California privacy law. 

Tips for Achieving Compliance With California Data Privacy Laws

Achieving and maintaining compliance with CCPA and other data privacy laws is not a one-and-done task. It requires an ongoing commitment to safeguarding the personal information and data of your customers. 

To ensure your compliance, we highly recommend working with a lawyer well versed in California and other data privacy laws.

However, in the meantime, there are a few things you can do to make sure you're on the right track.

Conduct an Internal Audit of Your Data

What data does your business actually collect, and just as importantly, how are you using it? Take note of where it's stored, who has access to it, and whom it is shared with. This process is called data mapping, and it's absolutely vital to compliance with California data privacy laws. 

Review Your Data Privacy Policies

You need to have a professionally written data privacy policy readily available to all your customers and users. It should be clear, concise, and accurately reflect your data practices. If this hasn't been updated recently, consult with a data privacy lawyer to have them help you draft an updated version that matches your activities. 

Take Data Security Seriously

A comprehensive data security plan is essential in today's digital world. Cyberattacks are becoming more innovative and brazen, making an attack not just a possibility, but an inevitability. You need a security plan that both defends against attack and prepares your company to respond to a data breach.

Establish Procedures for Consumers to Exercise Their Data Rights

According to CCPA and other data privacy laws, customers have the right to know, delete and opt-out of data collection. You must have mechanisms for your customers to exercise these rights to gain and maintain compliance. 

Train Employees on Data Privacy

Data privacy compliance takes a team. Any employees who handle personal information must be aware of their responsibilities in safeguarding that data. Conducting annual data security training is a great way to ensure your team members understand the CCPA and other privacy laws and how to safeguard that data. 

Ensure Your Partners Are Compliant

Many businesses work with third-party vendors and service providers. If any of these partners handle personal information on your behalf, they must also be compliant with the CCPA. Ensure that there are appropriate data processing agreements in place to govern how they handle your customers' data.

Need Help Gaining Compliance with CCPA? Partner with SVTech

The state of data privacy laws is constantly changing. While there is not yet a single comprehensive data privacy law at the federal level in the US, many other states have adopted their own data privacy laws similar to CCPA. 

Businesses that collect data on citizens of other countries must also comply with international regulations, like the European Union's GDPR. 

That means businesses that collect and profit from personal information must keep a keen eye focused on new and evolving data privacy laws.

At SVTech, we offer our expertise in California and other data privacy laws to help your business achieve and maintain compliance with the CCPA. 

Don't dismiss the importance of maintaining the privacy and security of your customers' personal information. The risk is far too great not to take data privacy seriously.

If you need help gaining and maintaining compliance with the ever-changing state of data privacy laws, contact SVTech for a free initial consultation on how we can help you protect your data and keep your customers' personal information private.

Disclaimer

The information provided in this blog post is for informational purposes only and does not constitute legal advice. Please consult with a qualified attorney to address your specific legal needs.

About the Author

Tom McKeever

Leverage Tom's deep technology law experience and solid business judgment to your unfair advantage.
