CCPA & CPRA regulations: How marketers can comply with the Californian laws

Written by Karolina Lubowicka, Małgorzata Poddębniak

Published September 21, 2022

The California Consumer Privacy Act (CCPA) is the original privacy act enforced in California that revolutionized the approach to data privacy in the US. This legislation was altered and expanded with the introduction of the California Privacy Rights Act (CPRA).

Because information about clients is a marketer’s goldmine, many people in the field now fear that the laws will deprive them of valuable customer insights. But is this really the case?

In this post, we will discuss the most important aspects of CCPA and modifications introduced by CPRA regulations, which will become effective on January 1, 2023. We’ll also present some actionable steps marketers should take in order to comply with their provisions.

What is the California Consumer Privacy Act (CCPA)?

The CCPA was signed into law on June 28, 2018. It created an assortment of consumer privacy rights and business obligations concerning the collection and sale of personal information.

The CCPA aims to regulate the flow of personal data between businesses and expand the privacy rights of California consumers. Consumers have the right to be informed and decide on the what, why, and how of the use of their personal information. California residents can also forbid companies from selling their data. The law went into effect on January 1, 2020.

People desire privacy and more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level transparency to their business practices.

SECTION 1, point (h) of the California Consumer Privacy Act of 2018 (CCPA)

As the CCPA remains in force until the CPRA becomes effective, we should analyze the current provisions of the CCPA and the way the CPRA will modify them in the future.

Who is affected by the CCPA and CPRA regulations?

The CCPA applies to every company processing personal information of California residents that either:

  • has a gross annual revenue greater than or equal to $25 million
  • obtains information of 50,000 or more California residents, households, or devices annually (under the CPRA regulations, the threshold will be 100,000)
  • generates at least 50% of its annual income from selling the information of California residents (the CPRA will refer to both selling and sharing the information of California residents)

Considering that California is now the fifth-largest economy in the world, the CCPA affects virtually every mid- to enterprise-size business with a global presence.

Increasing the threshold from 50,000 California residents in the CCPA to 100,000 in the CPRA will effectively reduce the number of businesses that fall under the law. But including “sharing” in the provision on generating 50% or more revenue from selling personal information can potentially increase the number of organizations that the law applies to.

What is personal information under CCPA and CPRA regulations?

Some marketers may assume that the California law doesn’t affect them because they don’t collect users’ personal data. In many cases, however, they will be wrong. That’s because CCPA establishes a very broad definition of personal information, and this definition will continue to function in the CPRA.

Here’s its precise scope:

  • Identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • All categories of personal information enumerated in Civil Code 1798.80 et seq., with specific reference to the category of information that has been collected;
  • All categories of personal information relating to characteristics of protected classifications under California or federal law, with specific reference to the category of information that has been collected, such as race, ethnicity, or gender;
  • Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric data;
  • Internet or other electronic network activity information, including but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Psychometric information;
  • Professional or employment-related information;
  • Inferences drawn from any of the information identified above; and
  • Any of the categories of information set forth in this subdivision as they pertain to the minor children of the consumer.

As you can see, the list is really long and covers many different categories of data. Certainly, many of them are the fuel that powers marketing activities. This is particularly evident when we dig deeper into the term “unique identifier”:

“Unique identifier” means a persistent identifier that can be used to recognize a consumer or a device over time and across different services, including but not limited to, a device identifier; Internet Protocol address(es); cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.

It turns out that, just as in the case of GDPR, tracking cookies and other types of online identifiers are also included in the scope of the regulation.

This means that CCPA and CPRA cover not only marketers with an arsenal of dedicated tools (like CRMs, customer data platforms, or email automation software), but also everyone who simply captures non-anonymized analytics data and uses it to improve user experience on their website or app.

What is sensitive personal information?

The CPRA provides an additional category of personal information – namely, sensitive personal information (SPI). Such data requires appropriate security measures, and consumers have the right to request that organizations limit the use of their SPI.

Sensitive personal information can include:

  • Social Security Number
  • Driver’s license
  • State identification card
  • Passport number
  • Financial account information and log-in credentials
  • Debit card or credit card number and access codes
  • Precise geolocation data
  • Religious or philosophical beliefs
  • Ethnic origin
  • Contents of communication
  • Genetic data
  • Biometric information for the purposes of identification
  • Health information
  • Information about sex or sexual orientation

What changes do the CCPA and CPRA regulations bring?

The CCPA is one of the most revolutionary data privacy acts in the United States. Many experts claimed it would open the door for the US to make consumer data privacy rights a priority – and they were right.

Other states, such as Massachusetts, New York, Hawaii and Maryland, have taken a cue from California and drafted their own privacy laws.


With that in mind, it’s no wonder that the list of changes that the CCPA and CPRA introduce is long and complex.

Let’s start by analyzing the changes introduced by the CCPA.

The provisions outlined below are mandated by the CCPA. Any modifications made by the CPRA regulations are explicitly called out in a separate paragraph after the relevant point.

1) Consumers have the right to obtain a record of the personal information companies have on them (from the last 12 months). Businesses must also disclose:

  • the categories of sources from which the personal information was collected
  • the business or commercial purpose for collecting or selling personal information
  • the categories of third parties with whom the business shares personal information

Besides that, consumer requests should be processed within a 45-day timeframe.

The CPRA amends this clause, stating that consumers have the right to obtain records of any information collected, regardless of when it was collected. This is unless doing so proves impossible or would involve a disproportionate effort.

2) People can request to have their data deleted or to stop the sale of their information. Businesses will be required to have a “clear and conspicuous link” on their website’s homepage titled “Do Not Sell My Personal Information.” The link would take users to a page where they can opt out of having their data sold or shared.

The CPRA requires you to include “Share” in such notices alongside “Sell”, hence making it “Do Not Sell or Share My Personal Information.” The CPRA also expands on the right to delete in a number of ways. For example, it mandates businesses that receive a consumer deletion request to notify and instruct third parties who have purchased or received the consumer’s personal information to delete it.

3) California residents have the right to sue a company that uses their stolen data, or data that was disclosed to it through a data breach. In addition, they can also sue companies that were negligent in the way they handled their data (for instance, if the data was not encrypted).

4) There is a mandatory opt-in for selling the personal data of minors (under 16 years old).

5) Businesses that fail to comply with these provisions are subject to fines, which include:

  • In the case of a suit filed by consumers: $100-750 (or the cost of actual damages, whichever is higher) per resident and incident in the case of data breaches or data theft if the data was not properly protected
  • In the case of a suit by the State Attorney General: $2,500 per unintentional violation and up to $7,500 per intentional violation of privacy

The fines imposed by the California law are not just theoretical. As part of a recent settlement with the state of California, Sephora agreed to pay $1.2 million and accepted an injunction for selling customers’ data without telling them. Sephora tracked customers as they shopped, and it neither disclosed this nor processed people’s requests to opt out of the sale of their information to third parties.

The CPRA adds that, when it comes to minors, the maximum fine is $7,500 for both intentional and unintentional violations. With the CPRA, there is also no 30-day period for businesses to remedy the violation once they’re informed of noncompliance, as is the case under the CCPA.

6) A business cannot discriminate against a consumer who exercises any of their rights. As a result, businesses can’t deny consumers access to goods or services, charge different prices or rates for them, or provide a different level or quality.

Here are the new provisions that the CPRA regulations introduce:

1) The CPRA establishes an exclusive agency for interpreting and regulating the law – the California Privacy Protection Agency (CPPA). It will provide guidance on the enforcement of the CPRA and have powers to investigate violations, conduct hearings and assign liability to covered entities for violations. Crucially, the CPPA will be the first US-based regulatory authority focused exclusively on data privacy issues.

2) Under the CPRA, consumers receive a new right to correct inaccurate personal information. The business is then required to use commercially reasonable efforts to correct that information if it receives a verifiable consumer request.

3) Businesses are required to give people special notice if they plan to collect or use any sensitive personal information, and a person can ask businesses to stop selling, sharing and using it.

4) The CPRA adds a clause mandating businesses to wait at least 12 months before asking again for consent to collect the personal information of minors, or of people who opted out of the processing of their sensitive personal information.

CCPA and CPRA regulations vs. GDPR: 4 key differences

News about CCPA made the rounds roughly a month after the new European data privacy law – GDPR – came into force. This has inspired people to look for similarities between the laws.

Indeed, both Californian initiatives and the GDPR are designed to increase transparency in the handling of personal information. They also aim to give people more control over how companies use information about them.

However, there are many significant differences between these laws. Below is a list of four key aspects that distinguish the California laws from GDPR:

1. Consumers don’t have a way to opt out of being tracked

The CCPA and CPRA address a slightly different problem than GDPR – their main focus is to prevent the sale of consumers’ information to third parties without their consent and knowledge. However, unlike the EU law, California regulations don’t give consumers the opportunity to say no to the collection of their data.

2. There is no such thing as a right to object to processing

As we’ve mentioned before, although consumers can request the removal of their data from a company’s database and demand it not be sold to other parties, they can’t do anything about the fact that businesses collect their personal information in the first place.

This means that companies will be allowed to continue collecting information about a particular individual even after that individual has had their data removed from the company’s databases.

Because of this, the California laws don’t provide people with an equivalent of the GDPR’s “right to object to processing.”

3. No consent is required before processing

Another major difference is that under GDPR you need to acquire users’ consent before you start processing their data. Neither the CCPA nor the CPRA require companies to collect consents – it’s on the user to actively oppose their data being shared or sold. However, as we’ve mentioned before, this rule doesn’t apply to minors (in their case an active opt-in is required).

4. No legitimate interest

Under GDPR, there are several legal bases for lawful data processing. One of them is legitimate interest.

If a company has enough evidence to prove that the processing of personal data serves its legitimate interest, it doesn’t need visitors’ consent to process this kind of information. Also, it doesn’t have to handle data subjects’ requests for deleting, rectifying, or disclosing data.

The CCPA and CPRA regulations, on the other hand, don’t provide businesses with any directly equivalent clause. They do, however, list specific exceptions: companies aren’t required to comply with a consumer’s request to delete personal information if it is reasonably necessary to maintain the consumer’s personal information to:

  • Complete a transaction, provide a requested good or service, etc.
  • Ensure security and integrity
  • Repair errors
  • Exercise rights provided for by law, such as free speech
  • Engage in scientific and statistical research in the public interest
  • Enable solely internal uses reasonably aligned with expectations of consumers
  • Comply with legal obligations

There are, of course, many more differences between these laws. If you want to explore them yourself, we encourage you to read the text of all three pieces of legislation: the CCPA, the CPRA, and the GDPR.

How to ensure your business’ compliance with the CCPA and CPRA?

The CCPA has been effective since 2020, but was originally introduced in 2018, which gave businesses some time to prepare for compliance with its provisions. The CPRA clarified numerous aspects that the CCPA referred to and added new obligations.

As you go through the changes brought about by the CPRA, it’s a good idea to analyze how your company follows the privacy rights imposed by the Californian regulation and its amended version, and learn if there is anything you can do better.

Let’s review how you can make sure that your business’ processes are futureproof and aligned with both pieces of legislation.

1) Map your data and its sources

One of your most important tasks is to diligently examine your data inventories. You’ll have to map every piece of personal information about your customers gathered by your marketing and sales tools.

Then you’ll have to make sure that the data is well prepared for access, deletion, and portability requests from your clients. That may include checking if your marketing software vendors are up to the task and will help you fulfill these obligations. If not, you may want to consider switching to another, more privacy-oriented vendor.

If you’re interested in a privacy-friendly marketing stack, be sure to check out our product: Piwik PRO Analytics Suite helps you comply with the most stringent data regulations around the world, including GDPR, HIPAA, and now CCPA/CPRA.

2) Check your third-party data sources

Companies that buy customer data from third parties should always make sure that it comes from a legitimate source. You should think twice before you decide to use data from unverified vendors. Under CCPA, operating on stolen or breached data is an offense that can result in hefty fines.


3) Come up with a way for handling consumer requests

Under the CCPA/CPRA, businesses must provide at least two methods by which consumers can make their requests, including a toll-free number and an online form. Websites should display clearly labeled, conspicuous opt-out links with plain and jargon-free language. The link to opt-out request forms should be placed somewhere on your homepage, along with the text: “Do Not Sell or Share My Personal Information.”

But you also need to allow consumers to submit other requests concerning their information, such as to:

  • Delete their personal information if it is no longer needed to fulfill one of the stated purposes
  • Know how their personal information was collected
  • Transfer specific personal information to another entity
  • Limit the use and disclosure of personal information

This means you’ll have to think through your internal processes for handling consumer requests. To make this task a bit easier, you might want to use a dedicated tool to automate things.

If you want to learn more about the capabilities of consent and user request management tools, read this comparison: Comparison of the 9 leading consent management platforms.

4) Update your data privacy policy

Under the CCPA and CPRA regulations, every business handling the data of California residents should update their privacy policy to include a description of California residents’ rights. For more detail, see our article on Making Your CCPA Privacy Policy Compliant With the CPRA.

If you need some good examples of what your updated privacy policy should look like, you can seek inspiration on the California Consumer Privacy Act’s official website.

5) Keep your ear to the ground

Since the CCPA isn’t the final version of California’s privacy law, we can’t rule out that some changes will appear in the future. Perhaps the CPRA will continue to evolve, which is why it’s extremely important to stay in the loop and see what the future will bring.

There have been talks about introducing a federal privacy law that would override existing state laws like CCPA and CPRA. The proposed bill is called the American Data Privacy and Protection Act (ADPPA), and it would provide many rights resembling those enforced through the GDPR.

The idea behind it is to establish a single, national foundation for data privacy for consumers with appropriate governmental oversight and enforcement. However, there are some criticisms of the bill. For one, California strongly opposes it, claiming it would reduce privacy protections provided by existing state laws. The federal law would also largely alter the law currently operating in California.

The bill still has a long way to go to be passed, but it’s worth monitoring its status, as it would bring groundbreaking changes to data privacy legislation in the US.

CCPA and CPRA – some conclusions

The objective of both CCPA and CPRA is to “give Californians the strongest online privacy rights in the world, establish an enforcement arm for consumers, and make it harder to weaken privacy laws in the future.”

After the CPRA becomes effective, the privacy law in California will better address consumers’ privacy needs and give them expanded rights. We should definitely observe the situation and monitor whether any further amendments are made to the legislation.

We hope that this blog post has given you a decent overview of the upcoming law and provided some actionable advice on how to prepare for it. However, if you want to learn more about the CCPA or CPRA, we invite you to follow our blog for news and updates.