CCPA or CPRA: What California’s Privacy Laws Mean for Your Business


If your business operates in California or handles the personal information of California residents, you’ve likely heard of the California Consumer Privacy Act (CCPA) and its more recent counterpart, the California Privacy Rights Act (CPRA).

These laws have reshaped consumer privacy rights in the U.S. and introduced new compliance obligations for organizations of all sizes. But what exactly do these laws require, and how do they differ? Here’s what you need to know.

What Is the CCPA?

The California Consumer Privacy Act, or CCPA, took effect on Jan. 1, 2020. It gives California residents greater transparency and control over how their personal data is collected, used, and shared.

Under the CCPA, consumers have the right to:

  • Know what personal information is collected about them,
  • Access that data,
  • Request deletion,
  • Learn whether their data is being sold or shared, and
  • Opt out of the sale of their personal data.

Does CCPA Apply to My Business?

The CCPA applies to for-profit entities that do business in California and meet at least one of the following thresholds:

  • Has annual gross revenue exceeding $25 million,
  • Buys, receives, sells, or shares the personal data of 100,000 or more California residents or households, or
  • Derives at least 50% of its annual revenue from selling consumers’ personal information.

If your business meets any of these criteria, CCPA compliance is required.

How Does the CCPA Define Personal Information?

The CCPA defines personal information broadly. It includes any data that identifies, relates to, describes, or could reasonably be linked to a specific individual or household. This covers:

  • Names, email addresses, and phone numbers,
  • IP addresses and geolocation,
  • Browsing and search history, and
  • Unique identifiers such as cookies or device information.

Because of the expansive definition, most organizations must assess the full scope of the data they collect and store.

What Is the Difference Between CPRA and CCPA?

CPRA, sometimes called “CCPA 2.0,” does not replace the CCPA—it expands it.

Approved by California voters in November 2020 and fully enforceable as of January 1, 2023, the CPRA added several important changes, including:

  • A new category of sensitive personal information (such as race, health data, or precise geolocation),
  • The creation of a new enforcement agency—the California Privacy Protection Agency (CPPA),
  • A new right to correct inaccurate personal information, and
  • Expanded responsibilities for businesses regarding data sharing and accountability.

What Are the CCPA Requirements?

To comply with the CCPA (and CPRA), businesses must:

  • Disclose the categories and purposes of personal information collected, its sources, and third parties with whom it is shared,
  • Provide access to the personal information collected,
  • Honor deletion requests, with certain legal exceptions,
  • Offer a clear opt-out mechanism for the sale or sharing of personal information, and
  • Avoid discrimination against consumers who exercise their privacy rights.

How to Prepare for CCPA and CPRA Compliance

Getting compliant requires more than just updating a privacy policy. Here are five key steps to take:

1. Conduct data mapping. Understand what personal information your business collects, where it’s stored, how it’s used, and who has access to it.

2. Update your privacy policy. Ensure your policy is easy to find, written in clear language, and reflects the rights granted by both CCPA and CPRA.

3. Build processes for consumer rights requests. Set up secure, user-friendly systems to process access, deletion, and opt-out requests. Be ready to handle high volumes.

4. Train your team. Employees, especially those handling customer data or inquiries, should be familiar with the law’s requirements and how to respond to requests.

5. Review third-party contracts. Ensure agreements with vendors and service providers reflect CCPA and CPRA responsibilities, particularly regarding data use, protection, and retention.

Navigating California’s privacy laws can be complex, but it doesn’t have to be overwhelming. Our team can help assess your compliance readiness, implement effective processes, and support your audit and documentation needs.

To learn how your business can meet CCPA and CPRA requirements with confidence, contact us.
