California Consumer Privacy Act (CCPA): Why should you care?
The CCPA is the most comprehensive data regulation in the U.S., and while it may not affect you now, it may indicate what future federal data laws might look like.
There’s been an ongoing gold rush, not for precious metals, but for personal consumer data. For a while, this highly valuable resource was up for grabs with minimal or non-existent consumer protections. But it’s no longer the wild west: the era of free-range data in the U.S. has ended, with California the first state to pass comprehensive data privacy legislation.
While we wait for federal data policies to be passed, the California Consumer Privacy Act (CCPA) has become the gold standard this side of the Atlantic, following in the footsteps of Europe’s GDPR. In this post, we'll tell you all you need to know about the CCPA, what it means for senders, for businesses, and how to comply with it.
Table of contents
What counts as PII under CCPA?
What rights do California residents have under CCPA?
Managing data expectations
What does the CCPA mean for data processors like Mailgun?
Domestically
Globally
What is the CCPA?
Just another piece of legislation? Time will tell...
The California Consumer Privacy Act (CCPA) is legislation that protects the data rights of California residents. It holds for-profit businesses that collect consumer data to strict data standards, regardless of where the organization is based. That means any company that does business in California, meets the act’s thresholds (see below), and handles personal data belonging to California residents must comply with the CCPA.
Spoiler alert (maybe), there is some speculation that the CCPA is the first move indicating California is moving toward a model where consumers are paid directly for their data.
What is the history of the CCPA?
The CCPA was passed and signed by Gov. Brown on June 28, 2018, and became effective on January 1, 2020. Its passage was conditioned on the withdrawal of a pending ballot initiative, the Consumer Right to Privacy Act (initiative 17-0093).
The CCPA gives consumers more control over their personal data, and it continues to evolve.
In November 2020, California voters approved Proposition 24 (a.k.a. the California Privacy Rights Act, or CPRA), which amends the CCPA with additional privacy protections that go into effect on January 1, 2023.
That’s a lot of acronyms. Here’s a quick snapshot of what to expect under the CPRA:
Residents will gain the right to correct inaccurate personal information that a business has collected on them.
Residents will have the right to limit the use and disclosure of sensitive personal information collected about them.
We don’t have all the details on the CPRA yet, but stay tuned to our blog for updates as the legislation evolves.
Whose data rights are covered under the CCPA?
Good question.
Personal data rights are only protected under the CCPA if you are a resident of California. The act defines a “consumer” as a natural person who is a California resident, so a visitor or a company is not a consumer in this sense.
What counts as PII under CCPA?
CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and does not include publicly available information.
Personally identifiable information (PII) spans several categories: identifying data such as your name, email address, IP address, and Social Security number, as well as biometric information, geolocation data, and your browsing history.
Here’s a summary of what counts, and doesn’t count, as PII in California:

Counts as PII | Examples
---|---
Direct identifiers | Your name, bank or credit card details, home and email addresses, phone number, etc.
Indirect identifiers | Unique identifiers like your usernames, account names, IP addresses, or records that hold indirect identifiers like invoice or ticket numbers.
Internet data | Cookie preferences, browsing history, web analytics, search history, and app activity.
Geolocation data | Mobile device location history, geolocation linked to app activity, geotags on photos and videos, images that show identifiable landmarks or location names.
Protected class data | Your race, gender, sexual orientation, nationality, age, citizenship status, or disability status.
Educational data | Institutes and years attended, grades, grants, and scholarships.
Inferred data | Profiles built about you through an organization’s analytics: your preferences, characteristics, psychological predispositions, attitudes, and social and political preferences.
Commercial data | Property records, purchase invoices, marketing records, pre-sales queries.

Exceptions and carve-outs | Details
---|---
Publicly available data | Information lawfully made available from government records, like listed numbers or public property records, does not count as PII.
Deidentified or aggregate data | Information that has been deidentified so that it cannot reasonably identify a consumer, or that has been aggregated across consumers, is excluded. Merely pseudonymized data (masked or scrambled, but still re-linkable with a key) remains personal information under the CCPA.
Consent to sale | Consent doesn’t change whether data is PII, but a business may sell personal information as long as the consumer has not opted out (and, for consumers under 16, has affirmatively opted in).
What rights do California residents have under CCPA?
The CCPA grants California residents five main rights: the right to know, the right to access, the right to delete, the right to opt out of the sale of their data (with an opt-in requirement for minors under 16), and the right to non-discrimination.
Here is what each one means:
The right to know: California residents have a right to know what data is being collected about them. The CCPA doesn’t stop a business from collecting information that identifies or relates to you or your household, but the business must tell you, at or before the point of collection, which categories it collects and why. Information that is a matter of public record, like property records and public education records, is not protected data. CA residents can also request (up to twice in a 12-month period) the personal data that the business sells or discloses to third parties.
The right to access: The CCPA requires a business to respond to an access request, normally within 45 days (extendable once by a further 45 days when reasonably necessary), by disclosing the information it has collected about the consumer in the previous 12 months. The CCPA allows very few exceptions to a business’s obligation to provide access to information.
The right to delete: California residents can request that their PII be deleted, not just from the company’s databases but from its service providers as well. Exceptions include data the company is legally required to keep, data needed to complete a transaction the consumer requested, and data needed to detect security incidents or protect against fraudulent or illegal activity.
The right to opt out: This doesn’t opt you out of data collection, but it prevents the company from selling your information to third parties. Additionally, the company must wait at least 12 months before asking you to opt back in.
The right to non-discrimination: Businesses cannot penalize CA residents for exercising their rights under the CCPA, for example by denying service, charging a different price, or providing a lower level of quality because of how you decide to manage your data.
How is CCPA different from GDPR?
There is a lot of comparison going around between the EU’s General Data Protection Regulation (GDPR) and the CCPA. The good news? If you’re already GDPR compliant, CCPA compliance is only a small step away.

 | GDPR | CCPA
---|---|---
Effective | May 25, 2018 | January 1, 2020
Affects | Organizations anywhere that process the personal data of individuals in the EU, including nonprofits that accept donations from people in the EU. | For-profit businesses doing business in CA that have annual gross revenue above $25M, buy, sell, or share the personal information of 50,000 or more consumers, households, or devices (100,000 from January 1, 2023 under the CPRA), or earn 50% or more of their revenue from selling personal information.
Protects | Individuals in the EU (data subjects), regardless of citizenship. | Only residents of CA.
Fines | Up to €20M or 4% of annual global turnover (whichever is greater). | Civil penalties of up to $2,500 per violation and $7,500 per intentional violation. Statutory damages of $100 to $750 per consumer per incident in private suits over data breaches.
Right to know | Data subjects have the right to know the purpose for processing their data (at the time of collection), the identity of the data controller, who is receiving the data, and how long their information is retained. | CA residents must be informed about the reason for data collection at the point of collection. They have the right to request a copy of the data collected on them.
Right to delete | Covers all data that concerns a data subject, regardless of where it was obtained. | Covers personal information the business collected from the CA resident.
Right to opt out | No dedicated “do not sell” opt-out, but individuals can object to processing (Art. 21) and withdraw consent at any time. | Residents can opt out of the sale of their personal information (not of collection itself), and businesses may not discriminate against them for doing so.
Data breaches | Controllers must report a breach to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. | The CCPA adds no notification duty; California’s existing breach law (Civ. Code §1798.82) already requires notice to affected residents. The CCPA does give residents a private right of action when a breach results from a failure to maintain reasonable security.
What are some of the criticisms of the CCPA?
You know what they say... You can’t please everyone.
We compare data to gold and oil, natural resources that fuel our progress, but data is different. It’s the most influential resource we have, and the most revealing. Data reveals behaviors and personal information of the human population – making it equal parts natural resource and personal property.
As data regulations become more consumer focused, some primary concerns unfold. An increased requirement for opt-outs, unsubscribes, and disclaimers makes it challenging — and expensive — for businesses to restructure their data processes to scale with these regulations.
The other main concern is classification and contract language. Tighter distinctions about which businesses count as service providers, and the need for longer privacy policies and terms, make the legal side of operations much more demanding.
The CCPA is not stagnant. In California, data laws are about to change again with the introduction of CPRA, which will extend data protection for California residents even further, probably resulting in additional criticism from business throughout the country.
There have also been calls for a federal or nation-wide applicable law, since the CCPA is related to California residents only, making some businesses question whether or not they must comply.
What does the CCPA mean for businesses?
The CCPA only applies to for-profit businesses that do business in California and meet at least one of the following conditions. Non-profits and government agencies are exempt. These are the thresholds:
Businesses with annual gross revenue above $25M.
Businesses that buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices (100,000 from January 1, 2023 under the CPRA).
Businesses that derive 50% or more of their annual revenue from selling CA residents’ personal information.
Managing data expectations
Strict data laws mean lots of opportunities for users to make requests based on their rights. That can mean an increase in workload for support teams, not to mention potential hefty fines. There are some best practices to counteract this: double opt-ins, clear unsubscribe links, notices describing your data collection processes, and a documented procedure for verifying and fulfilling access and deletion requests within the statutory deadline.
What does the CCPA mean for data processors like Mailgun?
As a company that serves California residents and CA-based companies, the CCPA affects us, our clients and their businesses, and other businesses like us, under the same terms outlined above.
Beyond being an issue of data compliance, legislation like the CCPA and the GDPR exists to make users feel safer about their data on the internet. Email plays a big role in online marketing and communications, and Sinch Mailgun is invested in treating data as a respected, personal asset. Mailgun has respected and will continue to respect our customers’ privacy, and will abide by all applicable laws and regulations.
The future of data
The CCPA isn’t a federal law, but according to Cisco’s Consumer Privacy Survey, 89% of people say they care about data privacy and want more control. Compliance standards are always evolving and individual states rolling out their own privacy laws could indicate that federal data laws are not far behind. At Mailgun, we’re evolving right along with them.
Domestically
We’re keeping our eyes on the American Data Privacy and Protection Act (ADPPA) for one. This bipartisan U.S. bill isn’t federal law yet, but if enacted it would standardize how the U.S. manages and processes data nationally and across different industries, and would open the door wider for future global data policies.
Globally
For recent progress from a data protection standpoint, President Biden signed an Executive Order in early October 2022 implementing the European Union-U.S. Data Privacy Framework, which takes us closer to cross-border data transfer protections.
Mailgun’s ongoing commitment
Our dedication to user data protection is a big part of our personality. And we’re pretty passionate about delving into the details. Learn more about how we approach and value your security with our in-depth breakdown of email security and compliance.
Email security isn't easy. But you need to protect your business, brand, employees, and subscribers. Find out about the benefits of continually improving email security and compliance from our industry experts. It's yours to explore. No form filling required.
Disclaimer: U.S. data protection laws, including the CCPA, are complex. This blog post shouldn’t be considered legal advice. Please consult a legal professional for details on how the CCPA impacts your specific business case.