California Consumer Privacy Act
Requirements
Who is subject to CCPA?
The California Consumer Privacy Act (CCPA) applies to businesses that collect consumers' personal data, do business in the state of California, and meet at least one of the following thresholds:
- Has annual gross revenues exceeding $25 million.
- Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes.
- Derives 50% or more of its annual revenues from selling consumers' personal information.
Additionally, these businesses need not be physically located in California or even in the United States. If they are collecting and selling data from California residents, they must comply with the CCPA.
It's also important to note that the CCPA applies to consumers, who are defined as California residents for these purposes, regardless of where they are located at the time the data is collected.
California lawmakers included language to exempt businesses that are already subject to robust federal data protection regulations. These types of companies include:
- Health providers and insurers already subject to HIPAA
- Banks and financial companies covered by Gramm-Leach-Bliley
- Credit reporting agencies that are under the Fair Credit Reporting Act
Does CCPA have data residency requirements?
The California Consumer Privacy Act (CCPA) does not explicitly contain data residency or data sovereignty requirements. This means that the law does not require businesses to store data about California residents within the borders of California or the United States.
What data is covered by CCPA?
The California Consumer Privacy Act (CCPA) covers "personal information" which is defined very broadly. According to the law, personal information is any information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
This can include but is not limited to:
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
Characteristics of protected classifications under California or federal law.
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Biometric information.
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement.
Geolocation data.
Audio, electronic, visual, thermal, olfactory, or similar information.
Professional or employment-related information.
Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
Inferences drawn from any of the information identified to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
However, there are exceptions to this rule, such as information that is publicly available, data that is deidentified or aggregate consumer information, and some kinds of medical or health information.
Also, bear in mind that CCPA regulations are subject to change and can be interpreted in different ways, so always seek advice from a qualified legal professional to understand the specifics as they apply to your situation.
What rights does the user (data subject) have under CCPA?
Under the California Consumer Privacy Act (CCPA), the data subject, who is referred to as a "consumer" in the law (defined as California residents), has several rights:
Right to Know: Consumers have the right to request that a business disclose the categories and specific pieces of personal information it has collected about them. This includes the sources from which the information was collected, the business purpose for collecting the information, and categories of third parties with which the information was shared.
Right to Delete: Consumers have the right to request the deletion of personal information a business has collected from them, with certain exceptions.
Right to Opt-Out: Consumers have the right to opt-out of the sale of their personal information by a business. For consumers who are under 16 years old, businesses are required to obtain opt-in consent (parental consent for consumers under 13).
Right to Non-Discrimination: Businesses may not discriminate against consumers for exercising their CCPA rights. This means a business may not deny goods or services, charge different prices or rates, provide a different level or quality of goods or services, or suggest that the consumer will receive a different price or rate or different level or quality of goods or services.
Right to Know about Third-Party Sales: Businesses that sell personal information to third parties must provide notice to consumers prior to selling their personal information.
Right to Data Portability: When a consumer makes a request to know the specific pieces of personal information a business has about them, the business must provide the information in a portable and readily usable format that allows the consumer to transmit this information to another entity without hindrance.
How should data be stored according to CCPA?
The California Consumer Privacy Act (CCPA) does not explicitly dictate how businesses should store data. However, the CCPA does require businesses to implement and maintain reasonable security procedures and practices to protect consumers' personal information.
While the CCPA doesn't spell out what these "reasonable security procedures and practices" should be, it suggests that businesses should be guided by their industry standards and the nature of the personal data they handle. Some recommended best practices might include:
Data Encryption: Encrypting data at rest and in transit can help protect it from unauthorized access or disclosure.
Access Controls: Implementing strong access controls to ensure that only authorized individuals can access personal information.
Data Minimization: Collecting and storing only the data that is necessary for your business operations can help minimize the potential harm of a data breach.
Regular Security Audits: Conducting regular audits can help identify potential vulnerabilities and ensure that your security measures are up to date.
Incident Response Plans: Having a plan in place for responding to data breaches can help mitigate harm in the event of an incident.
Training: Providing regular training to employees on data security best practices and policies can help prevent breaches caused by human error.
Note that even though the CCPA doesn't explicitly dictate how businesses should store data, other laws or regulations (e.g., sector-specific laws like HIPAA for healthcare data) may have more specific requirements.
How does SlashID help with CCPA?
SlashID's data residency and encryption posture help companies comply with:
- The Right to Delete
- Data Encryption requirements