The methods you use to meet CCPA requirements depend on your business, industry, and size. Here's a step-by-step process you can use to comply with the CCPA:

It should also be noted that the CCPA does not apply to PII subject to other federal regulations, including:

No, it is not. The California government may have used the momentum created by the introduction of the EU's General Data Protection Regulation (GDPR) to expand the ePrivacy Directive, but the CCPA's requirements are not as broad as the GDPR's cookie consent requirements.

Yes, the CCPA may apply to businesses located outside of California if they collect or sell PII from CA residents, do business in the state, and meet at least one of the following conditions:

What are the new requirements? A business subject to the CCPA must:

How is a franchisor or franchisee affected? The CCPA defines a business as “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity organized or operated for the profit or financial benefit of its shareholders.” A business is also defined as a legal entity that uses a “common mark,” that is, a common name, service mark or trademark. Franchisors and franchisees may be subject to the CCPA if personal information is collected from a California resident (either as a prospective franchisee of the franchisor or as a customer of the franchisor or franchisee) and does not comply with CCPA requirements.

Regardless of other consumer protection laws, businesses covered by the aforementioned consumer protection laws must continue to comply with the CCPA's consumer requirements. If you combine the requirements of both laws, you will understand that your privacy policy must be written in plain language and must include at least the following:

No, if you comply with the GDPR, it does not guarantee compliance with the CCPA by default. Chances are you're already meeting some of the CCPA's requirements by simply being GDPR compliant, but you still have work to do. CCPA compliance means that you meet all compliance requirements set out in the CCPA.

While some of the changes to the current CCPA will take effect immediately, most will not take effect until January 1, 2023 and will only apply to personal data collected after January 1, 2022. There is some uncertainty about the exact definition of “doing business” in California. It may not be necessary to have a physical headquarters in California. For example, if your company has employees in the state, conducts online transactions with California residents, or has certain other state connections, the CCPA may apply to you. The CCPA should complement, not replace, existing protections for personal data. CalOPPA and other privacy laws will remain in place, meaning the requirements for your business will remain. The introduction of the CCPA does not change your obligations to comply with other California privacy laws such as CalOPPA, Shine the Light, and the Privacy Rights for California Minors in the Digital World Act, as well as federal laws such as HIPAA. Companies that must comply with the CCPA must also comply with the CCPA 2.0. The only difference in the applicability requirements is that one of the thresholds has been updated – the threshold of 50,000 residents or households in California from which the company collects data has been moved to 100,000 residents or households.

Failure to comply with the CCPA will result in hefty fines. You can expect the Attorney General to take legal action against you if you do not comply with CCPA requirements within 30 days of notification.

* Keep in mind that it is not clear whether the State of California would attempt to aggregate all franchisees plus the franchisor in calculating this $25 million figure or aggregate the franchisor and its affiliates. For example, if your annual sales are $15 million and the combined revenue of all your franchisees is $15 million, would the CCPA apply to you and each of your franchisees? There are no guidelines yet on how to calculate this number.

A “consumer” is a person (i.e., not an entity such as a business) who resides in California, including any person who is in the state for other than a temporary or transitory purpose, or any person who resides in the state and is out of state for a temporary or transitory purpose. The definition is quite broad, meaning it appears to cover California residents when traveling to other states.

Exclusions: The CCPA's obligations do not limit a company's ability to collect or sell a consumer's personal information when all aspects of that business conduct take place entirely outside of California. In other words, this applies if the company collected the consumer's personal information while the consumer was outside of California, no part of the sale of the consumer's personal information took place in California, and no personal information collected during the consumer's stay in California is sold. The CCPA also does not apply to information subject to other federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA); the Gramm-Leach-Bliley Act (GLBA); the Fair Credit Reporting Act (FCRA); or the Driver's Privacy Protection Act (DPPA). However, the CCPA applies to companies subject to these laws to the extent that they collect and process other personal information about consumers.

What rights does the CCPA grant to consumers? The CCPA will give consumers new rights, including a right to transparency in data collection, a right to be forgotten, and a right to opt out of selling their data (opt-in for minors).

While the list of rights may seem largely identical to the list of rights guaranteed to the data subject in the EU under the GDPR, there are a number of significant differences, including the structure of the CCPA as an opt-out mechanism as opposed to the confusing opt-in mechanism of the GDPR. The CCPA's opt-out structure grants consumers the following rights and does the following: The right to know if their personal information is being collected about them.

The CCPA does not apply to all businesses that operate in California. However, affected businesses that break the law could face lawsuits from private consumers or the California Attorney General. Even if your business isn't covered by the CCPA, a proactive privacy policy can help you stand out from the competition. It is a challenge to meet these requirements without expertise and resources. Make sure you have the right tools in place to protect consumers.

Which CCPA regulations apply if a company violates consumers' privacy rights? And that's a good thing, because there are other privacy challenges: Nevada's Internet Privacy Protection Act (“SB 2020”) went into effect on October 1, 2019, New York's new SHIELD data security requirements will go into effect on March 21, 2020, and several other states have considered such laws.

Does the CCPA apply to my business and, if so, how can I comply? These additional requirements require measures that go beyond the steps affected companies may have already taken to comply with the GDPR.

A closer look at the legislation shows that some not-for-profit organizations may not be exempt from the CCPA. In particular, a not-for-profit entity that controls or is controlled by a for-profit entity that shares a common mark with that entity (for example, a common name, service mark, or trademark) may be subject to CCPA requirements. A nonprofit could also fall under the CCPA if it receives personal information from a business through a “sale” under the law.