Legal disclaimer: This blog post discusses the California Consumer Privacy Act (CCPA) in general terms and does not provide legal advice. We encourage you to consult your own legal counsel to familiarize yourself with the requirements that govern your situation.
A right to privacy is not explicitly included in the U.S. Constitution, but in a 1965 case called Griswold v. Connecticut, the U.S. Supreme Court recognized an implied constitutional right to privacy. The U.S. Congress further developed the right to privacy when it passed the Privacy Act of 1974, which restricts federal agencies in their collection, use, and disclosure of personal information of U.S. citizens.
With the Privacy Act, the United States became one of the first countries in the world to adopt a major privacy law. Since then, a more comprehensive federal privacy law has been discussed in U.S. Congress for many years, but so far it hasn’t materialized. Many companies (including Salesforce) have advocated for one.
While we wait to see what happens at the federal level, California has emerged as a leader in privacy regulation at the state level. A right to privacy is enshrined in the California State Constitution, and in June 2018, the California legislature passed the California Consumer Privacy Act (CCPA). Arguably the first comprehensive state privacy law, the CCPA has garnered a lot of support. The CCPA went into effect on January 1, 2020, less than two years after being passed, and was amended in November of 2020 with a California ballot initiative.
Getting up to speed with new regulations can be challenging for some companies. Is your company still confused about the CCPA? We provide a few questions on your CCPA readiness to get you started.
Does the CCPA apply to your company?
The CCPA applies to your company if all of your answers to the below are “yes”:
- Your company operates “for profit” (it’s not a non-profit)
- Your company has customers in California or some part of your company is located in California (like a retail shop)
- Your company collects information about California residents
- Your company generates more than $25 million in revenue annually, buys data of more than 50,000 consumers annually, or makes at least 50% of its revenue by selling personal information
We paraphrased this list, so check out Cal. Civ. Code § 1798.140(c)(1) if you want to read the statute’s actual wording.
If you answered “no” to some of the checklist items, then the CCPA may not apply to your company. You’ll want to check with your legal counsel to be certain.
What’s the differences between the CCPA and the General Data Protection Regulation (GDPR)?
You may have already updated your company’s internal processes and policies for compliance with the European Union’s GDPR. If so, your company’s privacy program is in a great spot, but it’s important to consider the differences between the GDPR and CCPA. We’ve outlined two main differences:
- The GDPR defines and uses the terms “controllers,” “processors,” “personal data,” and “data subjects,” while the CCPA defines and uses “businesses,” “service providers,” “personal information,” and “consumers.” The definitions are not completely analogous (the CCPA’s definition of personal information includes households, for example).
- The CCPA introduces a new concept: the ability for consumers to opt out of the “sale” of their personal information. (We explain why “sale” is in quotations below). Companies that “sell” data are required to place a “Do Not Sell My Personal Information” link on their homepage, and honor such requests.
Consider updating your privacy statement or other privacy policies to reflect the new definitions. Review the new “sale” concept and evaluate your own use cases to determine whether you are “selling” data under the CCPA.
What does a “sale” of personal information mean under the CCPA?
The CCPA does not require businesses to obtain consent to use adults’ personal information (unlike the GDPR, which does require consent in certain scenarios). The CCPA instead grants consumers the right to opt out of the “sale” of their personal information. Even if a consumer opts out of sales, a business can still collect and use information from that consumer – as long as the business doesn’t give that information to a third party in return for something of value.
The CPRA is a comprehensive amendment to the CCPA. It goes into effect January 1, 2023, with different provisions taking effect in 2022 or 2023.
The CCPA defines “sale” to include many activities, including renting, disclosing, transferring, or otherwise making available a consumer’s personal information to a third party for money or other valuable consideration. Certain transfers are excluded from the definition of “sale” under the CCPA, such as transfers to service providers. In other words, a “sale” under the CCPA may be almost any exchange of data for something of value, unless an exception applies — such as transfers to service providers like Salesforce, or disclosures directed by the consumer.
Want to read more? See Cal. Civ. Code § 1798.140(t)(1) and Cal. Civ. Code § 1798.140(t)(2).
What are a consumer’s rights to personal data information?
The CCPA provides individuals with rights to their personal information, which are similar to the GDPR’s data subject rights. They are meant to give individuals more control over their personal information and how it’s used by companies.
We’ve outlined the five rights to personal information below:
- The right to opt out of third-party data sales (what we talked about above)
- The right to be informed of data collection and rights (check out our privacy statement to see how Salesforce informs California residents of these rights)
- The right to have collected data disclosed to the individual
- The right to have collected data deleted
- The right not to be discriminated against for exercising privacy rights
You may want to think about how you’ll collect these requests from your customers and respond to them. For instance, which team or person will be responsible for drafting the responses? You also need a plan to internally find and manage the personal information the individual requests.
Want to read more? See Cal. Civ. Code §1798.100; §1798.105; §1798.110; §1798.115; §1798.120.
How can your company prepare for the new California Privacy Rights Act (CPRA)?
We’ve outlined four steps to help prepare your company for the CCPA, but here’s something else to consider. On November 3, 2020 California voters passed Proposition 24, an amendment to the CCPA called the California Privacy Rights Act.
The CPRA is a comprehensive amendment to the CCPA. It goes into effect January 1, 2023, with different provisions taking effect in 2022 or 2023. The CPRA expands on consumer rights. It also creates a new enforcement agency, the California Privacy Protection Agency. And, it introduces new concepts like expanded consent rules, sensitive personal information, and data minimization.
With the effective date for most CPRA provisions in 2023, and the agency members not yet appointed, nothing changes immediately. We are still learning about the new law and we’re waiting to see how these new concepts will be addressed.
If you want to learn even more about the CCPA, take the CCPA and U.S. Privacy Basics Trailheads on MyTrailhead, our online learning tool. We also have an EU Privacy Basics Trailhead for more detailed information about the GDPR. Additionally, our privacy website includes many resources about our products, privacy laws around the globe, and our new Privacy Center.