What is the California CCPA
California CCPA Privacy Act
The CCPA is the beginning of “America’s GDPR.” Similar to the GDPR, the CCPA will require organizations to focus on user data and provide transparency in how they’re collecting, sharing and using such data. But to what extent can a company extend its GDPR capabilities into its California operations to prepare for CCPA? Certain CCPA requirements overlap with the existing GDPR individual rights requirements, which may give GDPR-ready organizations a jump start on building a capability around user-data handling practices. Still, several policies, processes and systems will need updating to address differences between the two laws.
Who Does the CCPA Apply To
Is your business going to be affected by the CCPA?
First and foremost, the CCPA only applies to for-profit companies. These companies must collect and process personal information of Californians, but do not need to maintain a physical location in the state. The business must comply with CCPA requirements if it meets even ONE of the following criteria:
- The business generates annual gross revenue in excess of $25 million;
- The business receives or shares personal information of more than 50,000 California residents annually; or
- The business derives at least 50 percent of its annual revenue by selling the personal information of California residents.
What is the Scope of the CCPA
1) Assess the CCPA’s applicability to your business
Determine whether your business falls within the scope of the CCPA. The CCPA applies to businesses that collect California consumers’ personal information and either:
- Have annual gross revenues in excess of $25m;
- Process the personal information of 50,000 or more California consumers, households, or devices; or
- Derive 50% or more of their annual revenues from selling California consumers’ personal information.
Note that the CCPA has broad applicability and protects the information of California residents (not only when they are present in California). This means that certain “geofencing” strategies that were used to avoid the applicability of the GDPR may not be sufficient in the case of the CCPA.
How Are Data Controllers and Data Processors treated under the CCPA
- For-profit controllers that meet the following thresholds:
  - Annual gross revenue over $25M.
  - Buys/sells or receives/shares for “commercial purposes” the data of 50,000 California residents.
  - Derives 50 percent of revenue from “selling” personal data of California residents.
If a controller qualifies under the thresholds, parent companies and subsidiaries in the same corporate group operating under the same brand also qualify.
A “service provider” is a for-profit entity that acts as a processor to a “business” and that receives the data for “business purposes” under a written contract containing certain provisions.
In addition, the CCPA uses the term “third party” to refer to entities that are neither businesses nor service providers.
Privacy Notice
Businesses must inform consumers of:
- The personal information categories
- The intended use purposes for each
Further notice is required to:
- Collect additional personal information categories.
- Use collected personal information for unrelated purposes.
The CCPA requires that businesses provide specific information to consumers and establishes delivery
Third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another business.
What are the penalties?
The California AG may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per violation if intentional.
However, the CCPA also grants businesses a 30-day cure period for
Relentless Your CCPA Partner of Choice
Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity assessments to companies of all sizes. Unlike traditional compliance firms, we don’t have four or five layers of management. Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.
We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.
With a tailor-made approach, we work with our clients in executing each project to their specific needs and help maximize the long-term business value of their compliance and privacy assurance strategies, ensuring their global operations remain within the law.
CCPA Consumer Data Request Managed Service
CCPA Toll Free Number and Email Request Provisions
The legislation mandates that businesses must provide a toll-free phone number for consumers to submit CCPA requests.
This is because those behind the CCPA want it to be as easy as possible for consumers to exercise their rights.
The toll-free number is one of a minimum of two methods that the CCPA legislation requires businesses to offer consumers for making requests. For most businesses the second should be a specific website address. If the business doesn’t have a website then, in addition to the toll-free number, it can offer a mailing address, email address, or “other applicable contact information”, including any new “consumer-friendly” means of contacting a business that might arise in the future. Although the legislation mentions no specifics, this might include a new type of messaging service, as one example.
Of course, there’s nothing stopping a business from providing all of the above.
Relentless CCPA Data Request Managed Service
We have you covered
The Relentless CCPA Data Request Managed Service provides the certainty of compliance for the management of personal data requests for CCPA.
Managed Service Components
- Published CCPA toll-free number, fully managed, including voice messages
- Published CCPA data request email service, fully managed
- California identity residence verification
- Manage all communications with requester
- Guaranteed SLA management for request time limitation
- Monthly reporting dashboard
All for one low cost monthly fee
For a detailed quote for this service please complete the enquiry form on the left.
CCPA Consultancy Fully Managed Service
Our Fully Managed CCPA Consultancy Service Includes the Following
- CCPA Assessment
- Dedicated Support Consultant
- Unlimited Support Calls
- Unlimited Email Support
- Data Mapping
- Record of Processing Activities
- Subject Access Request Service
- Data Breach Support