How the California Consumer Protection Act (CCPA) Will Affect Your Business in 2020


GDPR – or “General Data Protection Regulation,” which applies to personal data in the European Union and the European Economic Area – went live in May, 2018.

GDPR’s primary goal is protecting the personal information of EU citizens. A similar set of regulations, CCPA – or The California Consumer Protection Act – is aimed at protecting the residents of the state of California and will go live in January, 2020. While both sets of regulations target specific locations, they have global implications given that they also protect data that moves outside of the EU or California, driving how products and websites will need to be designed and developed in the future.

A key difference between GDPR and CCPA is that the former focuses on “Privacy by Design”, which refers to explicit opt-in for storing and sharing of personal data. CCPA emphasizes protecting consumers from the “sale of their personal information”, hinting that users should be “allowed to opt-out”, which is comparatively more business-friendly.

Who does CCPA apply to?

CCPA is applicable to companies that satisfy one or more of these criteria:

  1. Revenue in excess of $25,000,000
  2. Collecting personal information of at least 50,000 consumers
  3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

What counts as personal data and information?

To better understand what’s being protected, here’s a list of items for review: 

  • Personal identifiers such as a consumer’s real name, alias, postal address, unique personal identifier, online identifier, IP address, email, account name, social security number, driver’s license number, and passport number
  • Biometric information 
  • Data (sometimes used for Machine Learning and Artificial Intelligence) related to the senses: audio, electronic, visual, thermal, olfactory
  • Internet or electronic network activity information
  • Geolocation data
  • Professional or employment-related information
  • Educational information
  • A consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

The above list encompasses a huge array of data types, so if your organization is affected by CCPA, hiring a consultant like Integris or Focal Point could be beneficial. Focal Point also has a free, introductory ebook on the regulations.

User Stories for CCPA Compliance

A user story represents a software feature from the perspective of an end-user or stakeholder. They’re typically written in the format “As a [type of user], I [some goal] so that [some reason].” The verbiage and structure of the user story isn’t excessively strict, however. The goal is to put yourself in the shoes of your users and customers so that you can design relevant features that allow them to accomplish their goals – and in the case of CCPA and other related regulations, so that your organization can ensure it’s compliant.

For Businesses:

As a Business Owner, I have the right to refuse to comply with a consumer’s request to delete their personal information IF it is necessary for my business to maintain the information for compliance reasons (Section 1798.105 a)

As a Business Owner, I need to provide Consumers with 2 or more designated methods to submit requests for information. (Section 1798.130 a) [modified by pending legislative amendment]

As a Business Owner, I need to deliver the required information to a Consumer free of charge within 45 days of receiving a verifiable request. (Section 1798.130 a)

As a Business Owner, I need not comply with a request from the same Consumer more than twice in a 12-month period. (Section 1798.130 a)

As a Business Owner, I have the right to extend turn around time by 45 days when reasonably necessary, with a prior notice of extension to the Consumer. (Section 1798.130 a)

As a Business Owner, I need to disclose the personal information collected in my online privacy policy and update it at least once in 12 months so that I can remain compliant. (Section 1798.130 b)

As a Business Owner, I need to have an explicit link to the “Do Not Sell My Personal Information” on my homepage which enables Consumers to opt out of the sale of personal information. (Section 1798.135)

As a Business Owner, I need to be compliant with CCPA if I fall into one of the following criteria. (Section 1798.140)

As a Business Owner, I have 30 days to clear any alleged violations after being notified of alleged noncompliance. (Section 1798.155)

As a Business Owner, I need to receive express authorization from the Minor Consumer to sell his/her personal information. (Section 1798.120 a)

As a Buyer and Seller of Personal Data, I need to send an explicit notice to the Consumer and provide a way to opt out before I sell the Consumer’s information. (Section 1798.115 d)

For Consumers:

As a Consumer, I need to request a Business selling or disclosing my information to third parties so that I can stay informed of how the Business is using my information (Section 1798.115 a)

As a Consumer, I need to request a Business to stop selling my information so that I can protect my personal privacy. (Section 1798.120 a)

As a Consumer, I can exercise all of the rights on behalf of my child (minor) so that I can protect my child’s personal information. (Section 1798.120 a)

As a Consumer, I need to be able to authorize another person to exercise my rights so that I can have my family/friends help me protect my personal information. (Section 1798.120 a)

As a Consumer, I need to request a Business to enumerate the categories of personal information collected in the preceding 12 months. (Section 1798.130 b)

As a Minor Consumer (13-16), I need to provide consent to a Business to sell my personal information. (Section 1798.120 a)

As a Parent of a Minor Consumer (Under 13), I need to provide consent to a Business to sell my personal information. (Section 1798.120 a)

How do these regulations affect our clients?

Clients need to:

  • Determine if their organization is in scope
  • Maintain a toll free telephone number (amended by pending legislation)
  • Train staff to receive and respond within 45 days to requests via two different methods (telephone must be one)
  • Know if you sell information and to whom
  • Update their privacy policy

We can help you understand more about the above guidelines, if needed.

Next Steps to Prepare for CCPA

While we’re not a data protection consultancy, our designers, developers, and engineers are well-briefed in the regulations. We’re committed to ensuring that the products and sites we build for affected clients are compliant.

We are committed to:

  1. Compliant design
  2. Compliant development
  3. Comprehensive internal security standards
  4. Knowledge of emerging data protection responsibilities outside of CCPA and GDPR that affect our clients and users

Contact us today if you’re interested in learning more.