California Consumer Privacy Act

The Basics of CCPA

Categories: Certifications, Compliance Tags:

California is the birthplace of skateboards, Barbie dolls, arcade games, McDonald’s, the internet, and the California Consumer Privacy Act (CCPA). Maybe it’s not as glamorous as the bright lights of Hollywood or as mind-blowing as the innovations emerging from Silicon Valley. Still, the CCPA gives consumers more control over the personal information that businesses collect. And that’s actually really cool.

Let’s take a look at the basics of the CCPA and how it applies to businesses and consumers in and out of California. 

What Is the California Consumer Privacy Act?

The California Consumer Privacy Act of 2018 gives consumers more control over the personal information that businesses collect about them. The CCPA regulations provide guidance on how to implement the law. 

These privacy rights for California consumers include:

  • The right to know about the personal information a business collects and how it’s used and shared
  • The right to delete personal information collected from them (with some exceptions)
  • The right to opt-out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

Businesses are required to give consumers specific notices explaining their privacy practices. The CCPA applies to many companies, including data brokers.


CCPA and the Right to Know

As a California resident, you can request your information from businesses. They have to disclose what personal data they collected, used, shared or sold. Organizations even have to explain why they collected, used, shared, or sold your information. 

Specifically, you may request that businesses disclose:

  • The categories of personal information collected
  • Specific pieces of personal data collected
  • The types of sources from which the company collected personal information
  • The purposes for which the business uses the personal information
  • The categories of third parties with whom the business shares the personal information
  • The types of information that the business sells or discloses to third parties

The CCPA requires businesses to provide answers for free and for the 12 months preceding your request.


CCPA and the Right to Delete

You may request that businesses delete the personal information they collected from you. And to tell their service providers to do the same! There must be at least two methods for you to submit your request. Toll-free numbers, email addresses, website forms, or hard copy forms are all acceptable avenues for requesting deletion. But the CCPA clearly states that while companies don’t have to provide an online form, they cannot make consumers create an account just to submit a deletion request. If you already have an account with a business, though, you may submit your request through that account.

Some exceptions allow businesses to keep your personal information, including:

  • Private information like medical, consumer credit reporting or other types of information.
  • Transactions regarding purchased products or services, including warranty and product recall purposes.
  • Certain business security practices
  • Complying with legal obligations, exercising legal claims or rights or defending legal claims


CCPA and the Right to Opt-Out

Asking businesses to stop selling your personal information is called opting out. After receiving your opt-out request, companies must wait at least a year before asking you to opt back in.  


CCPA and the Right to Non-Discrimination

This clause is pretty simple. Businesses can’t deny goods or services, charge you a different price, or provide a different level or quality of goods or services simply because you exercised your rights under the CCPA. 

This checklist has CCPA guidelines and considerations for your business and recommendations for policies and processes to implement. It should help you get CCPA compliant fast, without any unnecessary headaches.


What Are Data Brokers?

A data broker collects and sells personal information about consumers they have no relationship with. CCPA exempts certain companies that are regulated by other laws. For example, credit bureaus, certain financial institutions and insurance companies. There’s a Data Broker Registry on the Attorney General’s website, where you’ll find contact information and links for each registered data broker. It gets into specifics if you need to exercise your CCPA rights.


CCPA in and out of California

CCPA regulates how businesses worldwide handle the Personally Identifiable Information (PII) of 40 million California residents. 

So if you collect consumers’ personal information, alone or jointly with others, do business in the State of California, and satisfy one or more of the following thresholds, CCPA applies to you:

  • Have an annual gross revenue of over 25 million dollars 
  • Annually buy, receive, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
  • Derive 50 percent or more of your annual revenues from selling consumers’ personal information

Only California citizens have rights under the CCPA. 



The General Data Protection Regulation (GDPR) was created to give E.U. citizens more control over their personal data. Under the GDPR, companies must ensure that personally identifiable information (PII) is collected legally and that the data is appropriately managed and safeguarded. It aims to give people the power to protect their PII while telling organizations how to comply. CCPA was based on GDPR. Similarities include the right to data deletion and data portability and giving people control over how companies use their personal data online. 

However, the GDPR and CCPA are not the same. One of the most significant differences is that the CCPA only regulates companies conducting business in California based on their annual gross revenues. Or how much data they process and sell. GDPR applies to all businesses that deal with E.U. citizens regardless of income or size. 

For a more detailed look at CCPA vs. GDPR, check out our 5 Step Comparison Guide.


California Consumer Privacy Act Enforcement and Fines

The CCPA was effective January 1, 2020 and enjoyed a grace period until July 1, 2020. But CCPA is now in full swing. A non-compliant business has 30 days to fix the alleged violation after notification from the California Attorney General before enforcement action is initiated. In the last year, warnings have been given to data brokers, marketing companies, businesses handling children’s information, media outlets and online retailers.

The CCPA Bill states:

  • Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it (Cal. Civ. Code § 1798.150)
  • A fine of up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155).

No charges have been laid yet, but the California Attorney General created a tool to help consumers compose a noncompliance notice to businesses. 


How Tugboat Logic Can Help

With over 100 years of combined experience working in security, let our team of ex-auditors and security veterans assist you on your CCPA compliance journey. Our CCPA framework can help you precisely determine which controls you need and map any overlapping evidence to avoid duplicating evidence collection efforts.

Are you interested in turning your security and compliance program into a business advantage? Get a free trial or contact one of our representatives at today.