CCPA Compliance

Created by Ekaterina Ekaterina, Modified on Thu, 11 Aug 2022 at 05:15 AM by Boris Chekaev

What is CCPA?

The California Consumer Privacy Act (CCPA) is a state law, which aims at enhancing the privacy rights and consumer protection of Californian residents. It is the first comprehensive privacy regulation in the USA. It became effective January 1, 2020, with some exceptions (Cal. Civ. Code §§ 1798.100-1798.199) and enforcement postponed until July 1, 2020.

Why it is important? 

The CCPA grants California residents new rights regarding their personal information and imposes various data protection duties on certain entities conducting business in California. 

How does it apply?

The CCPA only protects natural persons (individuals/consumers) and does not cover legal persons. 

A "consumer" who has rights under the CCPA is "a natural person who is a California resident." The California Code of Regulations defines a resident as "(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents."

The CCPA obligations apply to an organization ("business") that:

  1. is for-profit;

  2. collects consumers' personal information, or on behalf of which such information is collected;

  3. determines the purposes and means of the processing of consumers' personal information;

  4. does business in California; and

  5. meets any of the following thresholds:

  • has annual gross revenue in excess of $25 million;

  •  alone or in combination, annually buys, receives for the business's commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or

  • derives 50% or more of its annual revenues from selling consumers' personal information.

Which information is covered?

CCPA defines personal information not only as such which can be associated with, or could reasonably be linked, directly or indirectly, with a particular consumer but also to a household. This extends the scope of personal data compared to GDPR. Except for the common types of personal information, this can then include among others also: Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. 

What are the main terms?

  • Consumer – an individual, Californian resident. Corresponds to “data subject” as per GDPR. 

  • Business - a for-profit entity that determines the purposes and means of the processing of consumer's personal information, doing business in California. Corresponds to “controller” as per GDPR. 

  • Service provider – a for-profit entity that processes information on behalf of a CCPA-covered business. Corresponds to “processor” as per GDPR. 

Note: As with GDPR, a business must disclose consumer's personal information for a business purpose only pursuant to a written contract. The contract should prohibit the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract.

  • Sell/selling – under CCPA the term covers selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
    “Selling” is similar to “processing” under GDPR. The word should not be interpreted in its common definition. It rather specifies any processing associated with monetary or other valuable consideration. 

Note: SIT Alemira does not “sell” personal information in the meaning of CCPA.

What rights do I have under CCPA?

While it incorporates several GDPR concepts, such as the rights of access, portability, and data deletion, there are several areas where the CCPA requirements are more specific than those of the GDPR, or where the GDPR goes beyond the CCPA requirements.

Under CCPA Californians, have the following main rights: 

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information, including the right this data to be provided free of charge in a readily usable format that allows for the transmission of this data to third parties (data portability);

  • The right to delete personal information held by businesses and by extension, a business’s service provider;

  • The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.

Note:  SIT Alemira does not “sell” personal information in the meaning of CCPA.

  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA

Note: SIT Alemira does not discriminate consumers exercising their privacy rights.

How do I exercise my rights under CCPA?

If you want to exercise some of your rights under CCPA or have any other related concern, you can 

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article