There are four fundamental rights that every California consumer can exercise if needed:

1. The right to know about the personal information businesses in California collect about them and how it’s used.
2. The right to delete personal information collected from them (with some exceptions);
3. The right to opt-out of the sale of their personal information; and
4. The right to non-discrimination for exercising their CCPA rights.

Moreover, businesses must provide transparent information about these issues and offer them the possibility to opt out. But there’s more. Any California resident can ask a given company to disclose personal information about them, inform what they do with it, and even delete it if they feel necessary. Each consumer also has the right to know what kinds of personal data a specific company gathers and processes.

In general, it’s everything that can identify you (or your household) as a specific person. We deal with personal data even when a given piece of information can be related or linked to a specific customer. So in practice, personal data, as CCPA understands it, involves the following:

• Full name
• SSN (social security number)
• Email address
• Fingerprints
• Geo-location data

It’s also personal information if it could be used to create a detailed profile about your preferences and characteristics. On the other hand, everything that’s publicly available from federal or local records does not constitute personal information under CCPA.

CCPA is very specific about what kinds of companies and organizations need to stick to it. It applies to all the businesses operating in California that:

• Have a gross annual revenue of over 25 million USD
• Buy, process, or sell any personal data of at least 50,000 California residents, households, or devices
• Derive 50% or more of their annual revenue from selling California residents’ personal data

If your company meets at least one of these conditions, you need to operate under CCPA.

Unlike many other data privacy and security statutes, the CCPA also carves out from
most or all of its provisions:

• Non-profits that do not operate for “profit or financial benefit.”
• Financial institutions that are regulated under the Gramm-Leach-Bliley Act.
• Consumer reporting agencies that are regulated under the Fair Credit Reporting Act.
• Health care providers that are regulated by the Health Insurance Portability and Accountability Act

Of course, a data breach can happen at any time. However, consumers cannot use any data breach to sue a company. There is a whole list of conditions that need to be met. Consumers can file a lawsuit only if their full name was stolen in combination with their (at least one):

• Unique identification number (e.g., SSN number, driver’s license number, passport number)
• Financial account number/credit card data
• Medical/health/insurance information
• Biometric data

Furthermore, all of that information must have been stolen in a non-encrypted and non-redacted form. All in all, it’s rather unlikely for such a massive and uncontrolled data breach to happen.

We understand the request to stop selling your personal information by this short term. There are some exceptions, but once a company receives such a request from you, they need to stop selling it immediately (of course, unless you authorize them to do so again in the future). With regard to this law, businesses operating in California need to provide a transparent “Do not sell my personal information” link directly on their website. It has to contain a form enabling any person to submit (unconditionally) an opt-out request.

If you want to know more about CCPA, take a look at this government website. Lastly, let’s take a closer look at the difference between CCPA and GDPR. There are some important points that need to be discussed.

If you’ve never heard of GDPR, that means you live and work outside the European Union. The General Data Protection Regulation was introduced back in 2016, and it is a legal framework that sets guidelines and regulations concerning processing personal data coming from individuals living and working in the European Union.

When compared to CCPA, GDPR is a much more complex and broader privacy protection law. In short, the main rule in GDPR is called “privacy by default,” and it means that for a company to process personal data, it needs to have prior consent from a specific person. Under GDPR, Europeans have a whole range of rights, including the right to access, erase, and modify their personal information. Furthermore, they almost always have the right to withdraw their consent to process personal data. CCPA is, without a doubt, a more specific law.

Let’s go further. GDPR provides six legal reasons to process personal data, whereas CCPA doesn’t give any. This means that businesses in California can process personal data however way they want and for whatever they want. All they have to do is provide the opt-out procedure.

Secondly, GDPR protects any consumer who is in the European Union at the time of collection or processing (they don’t have to be residents of the EU). On the other hand, CCPA only protects California residents.

Another difference – CCPA deals with personal information that identifies, relates to, describes, or links with a consumer or household. GDPR deals with any personal data of an individual but does not include households. Only anonymized data is exempt.

And the last thing that is worth mentioning is penalties. Both legal acts have some penalties for practices that go against their guidelines. However, the European regulation is much more strict here. The penalty can go up to 4% of the company’s global annual turnover. When it comes to CCPA, there is a maximum penalty of just 2,500 USD per violation (or 7,500 USD in case of international breaches).

Thank you for reading. If you have any questions about CCPA, GDPR, identity graphs or data onboarding, you can find me at LinkedIn.