What is CCPA? | Requirements & How to Comply

Back to glossary

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state law that protects citizens of California from private data abuses and exposures. The legislation was passed in 2018, following a petition by a privacy group called Californians for Consumer Privacy. It went into effect on January 1, 2020.

An amendment to CCPA, the California Privacy Rights Act (CPRA), introduces new applicability criteria and stricter regulations than the CCPA, as well as heftier fines for organizations that fail to comply. CPRA was passed in 2020 and goes into full effect on January 1, 2023.

What type of data is protected by CCPA?

CCPA protects personal data, which is defined by the legislation as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

This includes:

  • Names, aliases, addresses, and social security numbers
  • Driver’s licenses or state ID numbers, passport numbers, and phone numbers
  • Medical, health insurance, and other insurance data
  • Current location, geolocation, travel histories, and property records
  • Email and internet addresses, such as IP addresses and account names
  • Web search and browser histories and other internet and electronic activity
  • Site, application, and advertisement interactivity and data on past purchases
  • Audio, video and image records, and heat signatures
  • Financial accounts such as bank accounts, debit and credit card numbers, and data
  • Signatures, descriptions of physical identifiers, such as height, hair color and weight
  • Biometric data, such as retinas, fingerprints and faces
  • Education and employment records,
  • Any inference someone can use to profile an individual and their intellect, characteristics, belief systems, and psychology

Which companies must comply with CCPA?

CCPA applies to any business that collects, processes and stores data on California citizens, regardless of whether they have a physical presence in the state. Organizations that do business with Californians must comply with the CCPA if they meet any of these criteria:

  • They generate yearly revenue of $25 million
  • They receive, buy or sell the data of 50,000 or more California residents, homes, or devices
  • They generate half or more of their earnings from selling California residents’ data

A lot of businesses have found it easier to apply the CCPA across the country rather than distinguish California residents. Furthermore, CCPA — and its European predecessor, the General Data Privacy Regulation (GDPR) — is thought to be the first of many privacy regulations to come. Some organizations have chosen to adopt the requirements in anticipation of future restrictions and to build consumer trust.

How do you become CCPA compliant?

Businesses are CCPA compliant when they adhere to the regulations outlined in the legislation. At the core of CCPA are the data privacy rights given to California citizens, and these have many implications for how and when businesses can store personal data.

  • The right to disclosure – Consumers have the right to know what personal information a business is collecting and how it is used and shared. Businesses must reveal the nature and use of any cookies or other methods to collect data from consumers. This includes data collected in person, email, phone and on a website or mobile app. Consumers can request to see a copy of the information that a business has collected, and businesses have 45 days to comply.
  • The right to delete their data – Businesses must inform consumers that they have the right to request that their data be deleted. They must respond to any such requests in a timely manner, and the data must be destroyed, with some exceptions.
  • The right to opt out – Organizations must notify consumers that they have a right to opt out of data being collected and sold by providing both a general opt-out link and a link specifically titled, “Do Not Sell My Information.” They must minimize the manual steps the consumer needs to take to opt out, avoid using complex and confusing language in connection with opting out, and cannot require users to review why not to opt out.
  • The right to non-discrimination – Companies cannot hinder consumers’ use of the site and its resources based on the permissions they grant or refuse.

In addition, businesses are required to have a privacy policy and give consumers certain notices when data is breached.

How does CCPA affect third-party vendors?

CCPA requires companies to allow consumers to choose not to have their data shared with third parties. That means that companies will now have to ensure that their this-party vendors cannot access sensitive data.

Furthermore, organizations are not only responsible for upholding the consumer rights themselves, but also for whether or not their third-party vendors also comply. Such vendors often provide JavaScript code snippets, including social media pixels, chatbots tracking scripts and payment iframes.

If consumer data is exposed on your site because of an attack on a third-party vendor, you are no longer compliant with CCPA and liable for any damages that result. Even if third-party code accesses sensitive data on a site non-maliciously, the website owner could still be in violation of CCPA.

Third-party code vendors often state in their legal agreements that they aren’t responsible for what data gets grabbed by their systems. If they do get access to sensitive data, they are free from liability because the onus was on the website to not grant access in the first place. It is critical to continuously audit third-party code and always verify that it is collecting expected data.

How does client-side code threaten CCPA compliance?

Using client-side JavaScript leaves websites at risk of a supply chain attack that exposes protected data. Here’s why:

  • Lack of visibility at runtime – Client-side code runs on users’ browsers rather than the central web server. It can be difficult to detect changes in scripts that load dynamically at runtime. This includes malicious code injections or modifications, such as adding a token to identify a visitor or another desired dynamic function.
  • Frequent code changes – Third-party libraries are continually being changed and updated. Even if a script is reviewed when it is first added to a site, it does not mean that subsequent modifications are secure. Over 50% of website owners state that the third-party scripts running on their web properties change four or more times every year.
  • Nth-party vendors – Third-party vendors may themselves obtain code from external libraries. Your vendors’ dependence on other vendors for JavaScript code may be undisclosed, lengthening the software supply chain and increasing business risk. It may be the nth-party script down the line that is vulnerable, and this can affect the entire website supply chain.
  • Insufficient security reviews – Developers rely on third-party code to quickly bring capabilities to market. They don’t want to be slowed down by internal processes and may introduce code to an application without going through the appropriate security reviews. Even if an initial review is conducted, it does not account for future code changes.

By leveraging vulnerabilities in client-side code, cybercriminals can conduct digital skimming and PII harvesting attacks. If consumer data is exposed due to an attack on your site, you could be forced to pay a hefty CCPA fine.

What happens if you don’t comply with CCPA?

The penalties for CCPA noncompliance with the CCPA are severe. Organizations can receive fines up to $2,500 per accidental violation and up to $7,500 for each time the law is purposely broken. The penalties follow a notice from the California attorney general’s office and a 30-day grace period to rectify the situation.

CCPA allows civil suits if an organization allows unauthorized access, theft, or disclosure of protected data because it failed to use reasonable data security measures. Judgments can reach $750 per affected consumer.

In addition, CCPA allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.

Many well-known brands have been heavily fined for CCPA violations.

  • TikTok reached a $92 million settlement payment in a class action suit claiming that the app didn’t disclose the data it stored, including biometric facial scans, unpublished videos, personally identifiable information (PII) and user devices data.
  • Children’s clothing retailer Hanna Anderson agreed to pay $400,000 to settle a CCPA-related class action lawsuit for allowing sensitive customer data to be accessed via form fields.

How can HUMAN help ensure CCPA compliance?

HUMAN Client-Side Defense ​​provides real-time visibility and granular control into the client-side supply chain attack surface. The solution identifies vulnerabilities and anomalous behavior, and proactively mitigates risk using a combination of Content Security Policy (CSP), granular JavaScript blocking, and comprehensive client-side mitigation. This allows website owners to prevent known malicious scripts from loading and transmitting personal data, as well as to block third-party JavaScript from accessing sensitive form fields, without disabling the entire script. Client-Side Defense safeguards users’ PII against unauthorized exposure, helping to ensure CCPA compliance.

What is GDPR? | Data types protected | GDPR compliance requirements

What is PCI DSS compliance? | Requirements & how to comply

What is personally identifiable information (PII) harvesting?

What is digital skimming and how does it work?

Supply chain attacks | What they are & how to prevent them