To grasp the intricacies of California privacy law, one must first be familiar with the California Consumer Privacy Act, known as the CCPA. What is the CCPA? It is a state regulation specifically crafted to protect the personal data of California residents. The CCPA came into effect on June 28, 2018, and has had a significant impact on consumer privacy in California, giving consumers more control over how businesses collect and process their personal and sensitive data. Companies must consider the changing requirements of the CCPA to ensure comprehensive compliance with modern privacy and consent management practices.
For a detailed look at the CCPA, visit our Complete Compliance Guide for the California Privacy Regulations.
The CCPA applies to for-profit organizations operating in California that collect, store, share, or sell sensitive personal data of consumers and meet one of the following criteria:
It is also important to note that CCPA compliance rules apply to entities that share common branding with a company covered by the regulation. Understanding CCPA requirements helps companies ensure that their practices meet the latest requirements based on their operations and alignment with the data privacy act.
Keep reading: Who does the CCPA apply to?
The CCPA provides businesses with guidelines on improving data governance practices to meet the standards set by the act. The CCPA highlights four rights that organizations must provide to consumers/data subjects:
Consumers have the right to request information about the personal information a company processes. The information disclosed should include the type of data, specific details involved, the purpose of data processing, and details of third parties involved in data sharing.
Consumers have the right to request the deletion of their collected personal data. Some exemptions to this request exist, such as business security practices and medical information. Keep reading: Understanding the CCPA right to deletion.
Consumers have the right to instruct companies to stop selling or sharing their personal data. California's Attorney General approved a uniform opt-out button that businesses can display on their websites to promote this right. The image also includes alternative text: "California Consumer Privacy Act (CCPA) Opt-Out Icon," complying with user accessibility standards.
The CCPA provides consumers with the right to protect themselves against any discrimination resulting from invoking their data privacy rights. Businesses cannot deny consumers' decisions to invoke other rights in the regulation unless special circumstances apply.
Companies covered by the CCPA must inform consumers of these rights and provide clear guidance for enforcing them. Specifically, CCPA-covered businesses must prominently display a "Do Not Sell My Personal Information" notice, a privacy policy, and a toll-free hotline for handling consumer requests.
The California Privacy Rights Act (CPRA) superseded the CCPA on January 1, 2023, and expands upon CCPA regulations. It applies to businesses that process personal data for activities like targeted advertising.
The CPRA covers a wide range of revisions that provide consumers with greater control over their personal data. It includes the mandatory use of opt-out preference signals and introduces streamlined consumer request handling. The California state government created the CPRA to ensure comprehensive protection of California residents' privacy rights.
The CPRA extends CCPA laws to cover joint ventures and partnerships (i.e., companies with less than 40% interest in a business) within California. Both the CCPA and the CPRA include the rights to know, delete, opt out, and non-discrimination. The CPRA introduces two additional consumer rights:
Consumers have the right to request corrections to inaccuracies within collected personal information.
The CPRA empowers consumers with the right to limit a company's use of sensitive personal information collected from them. CPRA regulations identify data as sensitive personal information if it includes government ID, geolocation, health records, biometric data, private communication, union membership, racial and ethnic background, or sexual orientation. Limiting the use of sensitive personal information requires companies to inform consumers about how they intend to use the data and how long they will retain it.
The CPRA also has different requirements from the CCPA, applying to businesses that:
The state of California established the California Privacy Protection Agency (CPPA) as a separate regulatory body to oversee the enforcement of the CPRA. The CPPA functions through a five-member board and staff to provide optimal support to California citizens in protecting their privacy rights.
CPPA members uphold the standards outlined in the CPRA through practices such as conducting hearings for non-compliance, issuing new rules as situations evolve (e.g., defining precise geolocation and ensuring the user-friendliness of opt-out mechanisms), and imposing fines for violations, ranging from $2,500 to $7,500 per charge.
The CPPA actively fulfills its duty, as seen in high-profile cases like the one with cosmetic giant Sephora. Sephora received a $1.2 million fine for unauthorized sharing of consumers' sensitive personal information, including location details and purchase details, with third-party companies. The ruling also mandated that Sephora needed to disclose its sale of personal information, conduct regular website reviews, and submit reports to the California Attorney General for a few years.
While transitioning from CCPA to CPRA may seem overwhelming, there is still time to make the necessary adjustments for compliance. A Superior Court of California judge has delayed the enforcement of CPRA regulations, providing a one-year enforcement leeway.
Ketch is a Data Permissioning platform that helps companies achieve a state of permissioned data across their data ecosystem, complying with data collection and usage requirements in regulations like CCPA/CPRA and GDPR. With sustainable compliance, a “clicks-not-code” interface, and easy implementation, Ketch helps teams achieve immediate compliance. Request a demo with Ketch to discover how you can get started today.