The CCPA California Data Protection Law
Relentless can help your organization approach CCPA compliance, including its operational and structural impacts. We will also help you understand future US privacy legislation and regulations as and when they are enacted.
What is the California CCPA
California CCPA Privacy Act
The CCPA is the beginning of “America’s GDPR.” Like the GDPR, the CCPA requires organizations to focus on user data and to be transparent about how they collect, share and use it. But how far can a company extend its GDPR capabilities into its California operations to prepare for the CCPA? Several CCPA requirements overlap with the GDPR’s individual-rights requirements, which gives GDPR-ready organizations a head start on building user-data handling practices. Still, a number of policies, processes and systems will need updating to address the differences between the two laws.
Who Does the CCPA Apply To
Is your business going to be affected by the CCPA?
First and foremost, the CCPA applies only to for-profit businesses that do business in California and collect and process the personal information of California residents; a physical location in the state is not required. Such a business must comply with the CCPA if it meets even ONE of the following criteria:
- Annual gross revenue in excess of $25 million;
- Annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices; or
- Derives 50 percent or more of its annual revenue from selling the personal information of California residents.
What is the Scope of the CCPA
1) Assess the CCPA’s applicability to your business
Determine whether your business falls within the scope of the CCPA. The CCPA applies to for-profit businesses that do business in California, collect California consumers’ personal information, and meet at least one of the following thresholds:
- Annual gross revenues in excess of $25m
- Annually buy, receive, sell or share the personal information of 50,000 or more California consumers, households or devices
- Derive 50% or more of their annual revenues from selling California consumers’ personal information
Note that the CCPA has broad applicability and protects the information of California residents (not only when they are present in California). This means that certain “geofencing” strategies that were used to avoid the applicability of the GDPR may not be sufficient in the case of the CCPA.
How Are Data Controllers and Data Processors treated under the CCPA
The CCPA does not use the GDPR terms “controller” and “processor”. Its equivalent of a controller is a “business”: a for-profit entity that collects California consumers’ personal information and meets at least one of the following thresholds:
- Annual gross revenue over $25M.
- Buys, receives, sells or shares for “commercial purposes” the personal information of 50,000 or more California consumers, households or devices per year.
- Derives 50 percent or more of its annual revenue from “selling” the personal information of California residents.
If an entity qualifies as a business under these thresholds, any entity that controls or is controlled by it and shares common branding with it also qualifies.
A “service provider” is the CCPA’s equivalent of a processor: a for-profit entity that processes personal information on behalf of a “business” and receives that information for “business purposes” under a written contract containing certain required provisions.
In addition, the CCPA uses the term “third party” to refer to entities that are neither businesses nor service providers.
Privacy Notice
Businesses must inform consumers, at or before the point of collection, of:
- The categories of personal information to be collected
- The purposes for which each category will be used
Further notice is required before a business:
- Collects additional categories of personal information.
- Uses collected personal information for unrelated purposes.
The CCPA requires that businesses provide specific information to consumers and establishes requirements for how that information is delivered.
Third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another business.
What are the penalties?
The California AG may bring actions for civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation.
However, the CCPA also grants businesses a 30-day period to cure an alleged violation after being notified of it, before the AG may bring such an action.
Separately, consumers have a private right of action when their non-encrypted, non-redacted personal information is breached as a result of a business’s failure to implement and maintain reasonable security procedures, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.
Relentless Your CCPA Partner of Choice
Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity assessments to companies of all sizes. Unlike traditional compliance firms, we don’t have four or five layers of management. Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.
We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.
With a tailor-made approach, we work with our clients to execute each project to their specific needs and help maximize the long-term business value of their compliance and privacy assurance strategies, ensuring their global operations remain within the law.
Relentless CCPA Service: What's Included?
Our CCPA Service Includes the Following
- CCPA Assessment
- Dedicated Support Consultant
- Unlimited Support Calls
- Unlimited Email Support
- Data Mapping
- Record of Processing Activities
- Subject Access Request Service
- Data Breach Support
The GDPR also introduced new accountability and transparency requirements: controllers must be able to show that they have a lawful basis for each processing operation, and must inform individuals which lawful basis is being relied upon. Furthermore, under the GDPR the interpretation of legitimate interests is broader, encompassing the interests of the controller or of any third party, including wider societal benefits.