The California Consumer Privacy Act (CCPA) gives California consumers a set of rights over their personal information. It was signed into law in 2018, has been in effect since January 1, 2020, and was amended and expanded by the California Privacy Rights Act (CPRA) as of January 1, 2023. If you're a for-profit business that does business in California and processes the personal information of California residents, you'll likely need to comply with CCPA/CPRA – that much is clear up front.
Violations can cost up to $2,500 each, and up to $7,500 for each intentional violation or violation involving the personal information of minors under 16. 🚨 On top of that comes the damage to your company's reputation, because data privacy matters more and more to consumers.
To help you keep your business running risk-free and avoid CCPA pitfalls, we've debunked the most common CCPA myths for you.
A common myth is that many website owners, often small businesses and bloggers, do not process personal information and therefore do not have to comply with CCPA. This misconception can get expensive, so it is worth clarifying what exactly counts as personal information under CCPA/CPRA.
According to California Civil Code Section 1798.140, personal information is information that identifies, relates to, or could reasonably be linked with a particular consumer or household, such as: name, email address, date of birth, customer number, login data, IP address, cookie identifiers, and more. Publicly available information lawfully made available from government records, such as professional licenses and public property records, is not covered by CCPA.
If you answer “yes” to one or more of the following questions, you should be alert:
Do you have contact forms on your website?
Do you use commenting systems for posts?
Do you use Google Analytics?
Do you keep login records and their histories in dashboards?
So you see, you collect personal information faster than you think. Hence, be sure to exercise caution when it comes to CCPA compliance.
The assumption that CCPA only applies to companies based in California is as common as it is fundamentally wrong. Just as with the GDPR, what matters is where the consumers are, not where you are. This means that in certain cases, European companies can also be affected by CCPA. You don't need a physical presence in California, and your place of business doesn't even have to be in the US.
Once you run a for-profit business that does business in California and collects, sells, or shares personal information of California residents AND you meet at least one of the following thresholds, you must comply with CCPA/CPRA:
Gross annual revenue of more than $25 million
Buying, selling, or sharing the personal information of 100,000 or more consumers or households per year
50% or more of annual revenue comes from selling or sharing personal information
So even if you're a "small fish" out there, the rule of thumb is: don't assume you're exempt from CCPA until you've checked these thresholds.
Many consider the European General Data Protection Regulation (GDPR) one of the strictest data protection laws in the world, and there's some truth to that. Still, being GDPR-compliant doesn't automatically make your company CCPA-compliant. That's partly because the CCPA definition of personal information is in some respects broader than the GDPR's: it explicitly covers information linked to a household, not only to an individual. But don't worry: since the two laws are quite similar, you don't have to do much more to comply with CCPA if you're already compliant with the GDPR.
But there is one thing you definitely need to take care of: the "Do Not Sell or Share My Personal Information" link. Under CCPA the right to opt-out applies, meaning you must allow consumers to prohibit the sale (and, since CPRA, the sharing) of their personal information with third parties. Here the legislative text is particularly specific: you must provide a clear and conspicuous link on your homepage titled "Do Not Sell or Share My Personal Information" that leads to a page where opting out is as simple as possible, and you may not require the consumer to create an account in order to opt out.
Alarm! Danger! ⚠️ Banish this myth from your mind as soon as possible!
The assumption that opt-out is always enough does not hold for all audiences. CCPA has a special rule here: if you sell or share the personal information of consumers under 16, you must first obtain their opt-in consent. For children under 13, consent must be obtained from a parent or guardian. If consent is refused, your company must wait at least 12 months before asking again.
According to the text of the law, this obligation only applies to a business that has "actual knowledge" of the child's age. Don't speculate on this passage, however: a business that willfully disregards a consumer's age is deemed to have actual knowledge, so ignorance does not protect against punishment. Violations involving the personal information of minors are penalized at the higher rate of up to $7,500 per violation.
The belief that nonprofits are exempt also deserves a closer read. CCPA Section 1798.140 (c) (2) (renumbered to (d) by CPRA) defines exactly which "businesses" must comply with CCPA. A nonprofit is not a business in itself, but it can still be affected in scenarios such as these:
You are a nonprofit organization that owns or controls a for-profit subsidiary which meets the CCPA thresholds and shares common branding with you
You are a nonprofit organization with commercial operations that meet the thresholds above
You are a nonprofit organization that enters into a joint venture or cooperative arrangement with a company that is covered by CCPA/CPRA
In other words, read up on whether your nonprofit needs to be CCPA-compliant before risking hefty penalties.
Under Section 1798.105, consumers have the right to request the deletion of their personal information, and under Section 1798.106 (added by CPRA) the right to request correction of inaccurate personal information. As a business, you must respond to these requests within 45 calendar days (extendable once by a further 45 days if you notify the consumer). Hence, you should have a tool that lets you quickly and easily search, modify and, if necessary, delete data.
As you can see, common beliefs about data privacy laws are often misconceptions. It is always worthwhile to read the law carefully and seek expert advice. CCPA/CPRA compliance is not witchcraft, but it does require diligence.
Andreas Springer _Actonic_
Head of Marketing