The California Consumer Privacy Act: Frequently Asked Questions
This FAQ is provided "as-is." Information and views expressed in this FAQ, including URL and other references, may change without notice. You bear the risk of using it. This FAQ has been created as a guide and should not be construed as legal advice. You should consult with your own legal counsel.
The California Consumer Privacy Act (CCPA) is the most comprehensive privacy legislation enacted in the United States to date. Like the General Data Protection Regulation (GDPR), it requires companies to take certain steps to protect personal information and to make personal information rights available to individuals.
While the CCPA is similar to the GDPR, it is not the same. If you have already prepared for the GDPR, you may be able to leverage some of that work to meet your CCPA requirements. Many privacy laws across the world share common themes, including:
- Consumer rights to access, update, delete, and receive a copy of personal information
- Different obligations based on a company’s role as a business or service provider
- Transparency and notice about a company’s data practices
Beyond what the GDPR provides, the CCPA adds a right for consumers to opt out of the "sale" of their personal information. Under the CCPA, "sale" is defined broadly to include any sharing or disclosure of personal information for monetary or other valuable consideration.
The CCPA applies to any for-profit company that does business in the state of California and satisfies at least one of the following criteria:
(a) Has annual gross revenues in excess of twenty-five million dollars;
(b) Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or
(c) Derives 50 percent or more of its annual revenues from selling consumers' personal information.
The CCPA becomes operative on January 1, 2020, but the California Attorney General will not bring enforcement actions until July 1, 2020.
The CCPA requires companies to take steps to protect personal information and to provide rights to Californians. If you already comply with the GDPR, you will find that many of these rights are similar, such as the right to access, update, or delete information a business holds about an individual. As a business, you may want to take a few important steps to understand how you process personal information and how to address CCPA compliance. While it is up to you to determine your CCPA compliance obligations and to consult with your legal counsel, Okta can share some important steps to consider for your CCPA readiness plan. These steps can include:
- Inventory: Understanding the personal information you have about individuals and how you store, use, and share personal information, such as by creating a data map.
- Create: Creating procedures to protect and secure personal information and to respond to consumer requests to know, access, opt out, and delete their personal information.
- Protect: Taking steps to prevent, detect, and respond to security incidents. These may include putting in place stronger security controls such as multi-factor authentication and identity management.
- Record: Maintaining records of your privacy and security practices, including the notices you give consumers about how you process their personal information.
The CCPA distinguishes between "businesses" (analogous to "controllers" under the GDPR) and "service providers" (analogous to "processors" under the GDPR). Under the CCPA, businesses have direct obligations to consumers, while service providers support the data processing of the business and are restricted to processing personal information only as permitted by the business in its contract.
Under the CCPA, as a business, you are required to transparently describe your personal information practices to consumers and to provide them with rights. Depending on your internal processes and procedures, you may have to adjust your operations to reflect these legal requirements. The rights you have to make available to consumers include:
- Right to Know About Personal Information Collected, Disclosed, or Sold. Consumers have the right to request that your business disclose what personal information you collect, use, disclose, and sell about them, the purposes for which the data is used, and the right to this information in a portable format.
- Right to Request Deletion of Personal Information. Consumers have the right to request the deletion of their personal information collected or maintained by a business.
- Right to Opt-Out of the Sale of Personal Information. Consumers have the right to opt out of the sale of their personal information by your business, in the event you sell personal information. For minors (consumers under 16), you may not sell personal information without affirmative "opt-in" authorization.
- Right to Non-Discrimination for the Exercise of Consumer Privacy Rights. Consumers have the right to not receive discriminatory treatment by your business for the exercise of their privacy rights conferred by the CCPA.
- Authorized Agent. Consumers may designate an authorized agent to make a request under the CCPA on their behalf.
- Financial Incentives. Consumers have a right to know if you provide any financial incentives tied to the collection, sale, or deletion of consumer personal information.
For more details on these rights and implementation, you should review the California Attorney General’s website and consult your legal counsel.
No. Sharing personal information with Okta is not a "sale" under the CCPA: Okta is a service provider, and our customer agreements reflect this relationship. You are permitted to share personal information with service providers, even when a consumer has opted out of the sale of their personal information.
The California legislature amended the CCPA in October 2019. These amendments included a one-year suspension on the application of the CCPA to the personal information of employees of a business. This suspension will sunset on January 1, 2021. California may introduce a new employee-focused data protection law in 2020.
Under the CCPA, the term "sale" has a broad definition that ranges from actually selling or renting personal information to disclosing, disseminating, or otherwise making personal information available from one business to another business or a third party for monetary or other valuable consideration, which need not be monetary in nature. Consumers have the choice to opt out of data sharing that is considered a sale, and businesses have to respect the consumer's preference.
Some data sharing arrangements are exempt from being considered a sale. For example, if your business's transfers are (i) to a service provider; (ii) to an exempted entity or contractor; or (iii) made at the intentional request of the consumer, then you may be able to exclude your data sharing from the sale category. For these exceptions to apply, as a business, you may have to take additional steps to make sure that you fall within this provision, such as updating your contracts to reflect the arrangement you have and the restriction on sale.
The CCPA has a broad definition of personal information, which includes any information that identifies, relates to, or could reasonably be linked to a particular consumer or household. Some examples of personal information are name, address, phone number, mobile number, email address, race, government identifiers, bank account numbers, social media handles, IP address, geolocation data, and unique online identifiers (such as cookies). Unlike the GDPR, the CCPA also covers family and household data.
The CCPA requires companies to disclose specific details to consumers. This includes:
- A description of the rights available to consumers;
- Categories of personal information collected in the last 12 months and the business or commercial purposes for collecting that data;
- Categories of sources from which personal information is collected;
- Categories of third parties with whom you "share" personal information;
- Categories of third parties to whom you "sell" personal information;
- Categories of third parties to whom you "disclose for a business purpose" personal information;
- Specific pieces of personal information collected about a consumer; and
- A link to an opt-out page ("Do Not Sell My Personal Information").
The California Attorney General can enforce the CCPA and impose a civil fine of up to $2,500 per violation or up to $7,500 per intentional violation. The private right of action under the CCPA is limited to data security breaches: specifically, unauthorized access to, or disclosure or theft of, nonencrypted and nonredacted personal information that results from a business's failure to implement and maintain reasonable security procedures. Under that private right of action, consumers may recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. In practice, encrypting and redacting stored personal information, and being able to show that reasonable security controls were in place, are the most direct ways to limit this exposure.
As a service provider to our customers, Okta is well-positioned to meet the CCPA's requirements. Okta also limits how it uses Customer Data in our customer contracts, and limits how our own service providers can use Customer Data. Through our service, we enable companies to create, update, and delete users, which helps our customers address consumer requests to access, correct, and delete personal information.