
Debunking 7 Myths About CCPA/CPRA | 🔒 We clarify common privacy misconceptions 🎉🙌

CCPA myths make your life difficult

The California Consumer Privacy Act (CCPA) unifies the rights of California consumers and protects their personal information. It has been in effect since 2018 and was amended by the CPRA on January 1, 2023. If you run a for-profit business and process the data of California residents, you will most likely need to comply with CCPA/CPRA; that much is clear up front.

Violations can be fined up to $2,500 each, and up to $7,500 for each willful violation. 🚨 On top of that comes considerable damage to your company's reputation, as data privacy matters more and more to consumers.

To help you keep your business running risk-free and avoid CCPA pitfalls, we've debunked the most common CCPA myths for you.

CCPA Myth #1: I don’t process any personal data, so CCPA doesn’t apply to me

A common myth among website owners, often small businesses and bloggers, is that they do not process personal data and therefore do not have to comply with CCPA. This misconception can cost real money, so it is best to clarify what exactly counts as personally identifiable information under CCPA/CPRA.

According to CCPA Article 798.140, personally identifiable information is information that can be used to identify an individual or their household, such as a name, email address, date of birth, customer number, login data, IP address, cookies, and more. Publicly available information derived from government agencies or records, such as professional licenses and public property records, is not covered by CCPA.

How can you check whether you are processing personal data?

If you answer “yes” to one or more of the following questions, you should be alert:

✔️ Do you have contact forms on your website?

✔️ Do you use commenting systems for posts?

✔️ Do you use Google Analytics?

✔️ Do you see login data and their histories in dashboards?

As you can see, you become a data processor faster than you might think. So be sure to exercise caution when it comes to CCPA compliance.

CCPA Myth #2: Businesses are NOT affected if they are not located in California

This assumption is as common as it is fundamentally wrong, because, just as with the GDPR, the market location principle applies. In certain cases, even European companies can fall under CCPA. You don't need a physical presence in California; in fact, your place of business doesn't even have to be in the US.

If you run a for-profit business that collects, processes, or sells the data of California residents AND you meet one of the following criteria, you must comply with CCPA/CPRA:

  • Gross annual revenue of more than $25 million

  • Processing of the data of at least 100,000 consumers

  • 50% or more of annual profits come from the sale or transfer of personal data

So even if you're a "small fish", the rule of thumb is: no one is exempt from CCPA.


CCPA Myth #3: GDPR Compliance guarantees CCPA Compliance

Many consider the European General Data Protection Regulation (GDPR) to be one of the strictest data protection laws in the world, and there's some truth to that. Still, being GDPR-compliant doesn't mean your company is automatically CCPA-compliant. That's partly because the CCPA definition of personal data is broader than the GDPR's. But don't worry: since the two laws are still quite similar, you won't have to do much more to comply with CCPA if you're already GDPR-compliant.

There is one thing you definitely need to consider, though: the "Do not sell my personal data" page. Under CCPA, the so-called right to opt-out applies, meaning you must allow consumers to prohibit the sale of their personal data to third parties. Here the CCPA legislative text is particularly specific: the opt-out must be offered on a separate page with the mandatory heading "Do not sell my personal information," and the opt-out request on that page must be made as simple as possible.


CCPA Myth #4: CCPA does not apply to employees

Alarm! Danger! ⚠️ Banish this myth from your mind as soon as possible!

This may have been true for a while, but the January 2023 amendment of the CCPA by the CPRA removed the employee exception. Since the CPRA took effect, data protection applies to all consumers, and that term now includes employees, freelancers, and even job applicants. If you are an employer located in California, you must now grant your employees the usual CCPA rights as well. Your employees therefore have the right to see an updated privacy policy that explains exactly how their data is collected. Also consider the right to know/disclosure: your employees must be informed of the purpose and duration of data retention BEFORE it occurs.


CCPA Myth #5: For compliance, the ability to opt-out is sufficient; an opt-in right does not need to be granted

Unfortunately, no.

This assumption does not hold for every audience, because CCPA contains a special rule: if data is collected from and sold about consumers under 16 years old, opt-in consent must be obtained. For children under 13, consent must even be obtained from a parent or guardian. If that permission is not granted, your company must wait 12 months before asking for consent again.

According to the text of the law, this obligation applies to a company only if it has "actual knowledge" of the child's age. Don't speculate on this passage, however: ignorance does not protect against punishment. Penalties for breaches involving children's personal information are higher than other penalties, up to $7,500 per breach.


CCPA Myth #6: Nonprofits are off the hook

This myth also deserves a closer read. CCPA Section 1798.140 (c) (2) defines exactly which "businesses" must comply with CCPA, and it states that nonprofit entities can also be affected if any of the following scenarios apply to them:

  • You are a nonprofit business organization, and you own a for-profit subsidiary

  • You are a nonprofit business with commercial operations

  • You are a nonprofit business that enters into a cooperative arrangement with a company that is covered by CCPA/CPRA

In other words, you'd better find out whether your nonprofit needs to be CCPA-compliant before risking hefty penalties.


CCPA Myth #7: I don’t need tools to help me comply with the CCPA

Under CPRA Section 1798.105, consumers have the right to request the deletion of their personal information; they also have a right to request correction of their data. As a business, you must act on such requests within 45 calendar days. You should therefore have a tool that lets you quickly and easily search, modify and, if necessary, clean up the data you hold.


Conclusion: CCPA Myths debunked

As you can see, common beliefs about data privacy laws are often misconceptions. It is therefore always worthwhile to read the law carefully and seek advice from experts. CCPA/CPRA compliance is not witchcraft, but it does require diligence.


