There’s been an ongoing gold rush, not for precious metals, but for personal consumer data. For a while, this highly valuable resource was up for grabs with minimal or non-existent consumer protections. But it’s no longer the wild west: the era of free-range data in the U.S. has ended, with California the first state to get a proper handle on data privacy legislation.
While we wait for federal data policies to be passed, the California Consumer Privacy Act (CCPA) has become the gold standard this side of the Atlantic, following in the footsteps of Europe’s GDPR. In this post, we’ll tell you all you need to know about the CCPA, what it means for senders, for businesses, and how to comply with it.
Just another piece of legislation? Time will tell…
The California Consumer Privacy Act (CCPA) is legislation that protects the data rights of California residents. It holds for-profit businesses that collect consumer data, and that meet its size or data-volume thresholds, to strict data standards regardless of where the organization is based. That means any company handling personal data belonging to California residents must check whether it falls under the CCPA and, if so, comply.
Spoiler alert (maybe): some observers speculate that the CCPA is a first step toward a model in which consumers are paid directly for their data.
The CCPA was passed and signed by Gov. Brown on June 28, 2018. It took effect on January 1, 2020. Its enactment was conditioned on the withdrawal of the pending ballot initiative, the Consumer Right to Privacy Act (initiative 17-0093).
The CCPA gives consumers more control over their personal data, and it continues to evolve.
In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which amends the CCPA with additional privacy protections that take effect on January 1, 2023.
That’s a lot of acronyms. Here’s a quick snapshot of what to expect under the CPRA:
Good question.
Personal data rights under the CCPA are protected only for California residents.
CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and does not include publicly available information.
Personally identifiable information (PII) covers a few categories, from identifying data like your name, email, IP address, and social security number, to biometric information, geolocation data, and your browser history.
Here’s a summary of what counts, and doesn’t count, as PII in California:

| Counts as PII | Examples |
|---|---|
| Direct identifiers | Your name, bank or credit card details, home and email addresses, phone number, etc. |
| Indirect identifiers | Unique identifiers like usernames, account names, and IP addresses, or records that hold indirect identifiers such as invoice or ticket numbers. |
| Internet data | Cookie preferences, browsing history, web analytics, search history, and app activity. |
| Geolocation data | Mobile device location history, geolocation linked to app activity, geotags on photos and videos, images that show identifiable landmarks or location names. |
| Protected class data | Your race, gender, sexual orientation, nationality, age, citizenship status, or disability status. |
| Educational data | Institutions and years attended, grades, grants, and scholarships. |
| Inferred data | Profiles built about you through an organization’s analytics: your preferences, characteristics, psychological predispositions, attitudes, and social and political leanings. |
| Commercial data | Property records, purchase invoices, marketing records, pre-sales queries. |

| Doesn’t count as PII, or may be sold anyway | Why |
|---|---|
| Consent to sale | The data is still PII; the exception is to the sale restriction. A business may sell personal information to a third party when the consumer has been notified and has not opted out (and, for consumers under 16, has affirmatively opted in). |
| Deidentified or aggregate data | Data that has been stripped or transformed so it cannot reasonably be re-linked to a consumer or household falls outside the definition. Caveat for engineers: masking or scrambling that the holder can reverse (pseudonymization with a retained lookup key) is still personal information under the CCPA. |
| Publicly available data | Data that is public record, like listed phone numbers or public property records, does not count as PII. |
The CCPA grants California residents five main rights: the right to access, the right to know, the right to delete, the right to opt out of the sale of their data (with opt-in required for minors under 16), and the right to non-discrimination for exercising any of these.
These are its privileges:
There is a lot of comparison going around between the EU’s General Data Protection Regulation (GDPR) and the CCPA. The good news? If you’re already GDPR compliant, much of that work carries over, though the two laws differ in scope and mechanics, as the table shows.

| | GDPR | CCPA |
|---|---|---|
| Effective | May 25, 2018 | January 1, 2020 |
| Affects | Any organization, wherever it is based, that processes the personal data of people in the EU, including nonprofits that accept donations from them. | For-profit businesses doing business in California that meet at least one threshold: annual gross revenue above $25M; buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices (raised to 100,000 consumers or households by the CPRA); or deriving 50% or more of annual revenue from selling consumers’ personal information. |
| Protects | Individuals located in the EU, regardless of citizenship | Residents of California only |
| Fines | Up to €20M or 4% of annual global turnover, whichever is greater. | Civil penalties of $2,500 per violation and $7,500 per intentional violation. Statutory damages of $100 to $750 per consumer per incident in private suits over data breaches. |
| Right to know | Individuals have the right to know the purpose for processing their data (at the time of collection), the identity of the data controller, who receives the data, and how long it is retained. | CA residents must be informed about the purpose of data collection at the point of collection. They have the right to request a copy of the data collected on them. |
| Right to delete | Covers all personal data concerning the individual, regardless of where it came from. | Covers personal information collected from the CA resident only. |
| Right to opt out | A right to object to processing (Art. 21), including an unconditional right to object to direct marketing, but no “do not sell” mechanism as such. | Residents can direct a business not to sell their personal information (the “Do Not Sell My Personal Information” link), and the business may not deny service, charge a different price, or degrade service because they did. |
| Data breaches | Controllers must notify the supervisory authority within 72 hours of becoming aware of a breach. | The CCPA itself imposes no notification duty; that comes from California’s existing breach-notification statute (Civ. Code §1798.82). What the CCPA adds is a private right of action when non-encrypted, non-redacted personal information is breached because the business failed to maintain reasonable security. |
You know what they say… You can’t please everyone.
We compare data to gold and oil, natural resources that fuel our progress, but data is different. It’s the most influential resource we have, and the most revealing. Data reveals behaviors and personal information of the human population – making it equal parts natural resource and personal property.
As data regulations become more consumer-focused, some concerns surface. An increased requirement for opt-outs, unsubscribes, and disclaimers makes it challenging, and expensive, for businesses to restructure their data processes to scale with these regulations.
The other main concern is classification and contract language. Narrower rules on which vendors qualify as “service providers” (and what their contracts must say), together with longer privacy policies and terms, make the legal side of operations much more demanding.
The CCPA is not static. In California, data laws are changing again with the CPRA, which extends data protection for California residents even further and will probably draw additional criticism from businesses throughout the country.
There have also been calls for a federal, nationwide law, since the CCPA covers California residents only, leaving some businesses unsure whether they must comply.
The CCPA only applies to for-profit businesses that do business in California and meet certain conditions. Non-profits and government agencies are exempt. These are the parameters:
Strict data laws mean many more opportunities for users to make requests based on their rights. That can mean an increase in workload for support teams, not to mention potentially hefty fines. There are some best practices to counteract this: double opt-in for subscriptions, clear unsubscribe links, and notices of data collection at the point of collection. Keep an auditable record of when each consent was given and each opt-out received, because that record is what you will be asked to produce when a resident exercises the right to know.
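As an added illustration of those best practices (this is example code written for this post, not Mailgun’s or any product’s implementation), here is a minimal consent ledger for an email sender: double opt-in with an HMAC-signed confirmation token so a confirmation link cannot be forged or replayed, an opt-out/suppression list that takes effect immediately, and export and delete operations to answer right-to-know and right-to-delete requests. It assumes a per-deployment secret key, Unix-time timestamps supplied by the caller, and an in-memory dict standing in for a database; all of those are assumptions, not anything the CCPA specifies.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Added example, not Mailgun code. Assumptions: one secret key per deployment,
# caller-supplied Unix timestamps, and dicts standing in for persistent storage.


class ConsentStore:
    def __init__(self, key: bytes, ttl: int = 24 * 3600):
        self._key = key
        self._ttl = ttl  # how long a confirmation link stays valid (seconds)
        self.pending: Dict[str, int] = {}      # email -> time confirmation mail was issued
        self.confirmed: Dict[str, int] = {}    # email -> time the user clicked confirm
        self.suppressed: Dict[str, dict] = {}  # email -> {"reason": ..., "at": ...}

    @staticmethod
    def _norm(email: str) -> str:
        # "Alice@Example.com" and "alice@example.com" must be one record.
        return email.strip().lower()

    def _sign(self, email: str, issued_at: int) -> str:
        # Bind the token to both the address and the issue time.
        msg = f"{email}|{issued_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def start_signup(self, email: str, now: int) -> str:
        """First step of double opt-in: record the request, return the link token."""
        email = self._norm(email)
        self.pending[email] = now
        return f"{now}.{self._sign(email, now)}"

    def confirm(self, email: str, token: str, now: int) -> bool:
        """Second step: only a valid, unexpired, unused token confirms consent."""
        email = self._norm(email)
        try:
            issued_str, sig = token.split(".", 1)
            issued_at = int(issued_str)
        except ValueError:
            return False                       # malformed token
        if not hmac.compare_digest(sig, self._sign(email, issued_at)):
            return False                       # forged or tampered token
        if now - issued_at > self._ttl:
            return False                       # stale link
        if self.pending.get(email) != issued_at:
            return False                       # never issued, or already used (replay)
        del self.pending[email]
        self.confirmed[email] = now
        # Design assumption: fresh, verified consent supersedes an earlier unsubscribe.
        self.suppressed.pop(email, None)
        return True

    def opt_out(self, email: str, reason: str, now: int) -> None:
        """Honour an unsubscribe or do-not-sell request; takes effect immediately."""
        email = self._norm(email)
        self.confirmed.pop(email, None)
        self.pending.pop(email, None)
        self.suppressed[email] = {"reason": reason, "at": now}

    def may_send(self, email: str) -> bool:
        email = self._norm(email)
        return email in self.confirmed and email not in self.suppressed

    def export_record(self, email: str) -> dict:
        """Right to know / access: everything this ledger holds about the address."""
        email = self._norm(email)
        return {
            "email": email,
            "pending_since": self.pending.get(email),
            "confirmed_at": self.confirmed.get(email),
            "suppressed": self.suppressed.get(email),
        }

    def delete(self, email: str) -> dict:
        """Right to delete: drop consent records, return what was removed."""
        email = self._norm(email)
        removed = self.export_record(email)
        self.pending.pop(email, None)
        self.confirmed.pop(email, None)
        # Design assumption: the suppression entry is kept so a later list
        # import cannot silently put an opted-out address back into circulation.
        return removed


if __name__ == "__main__":
    store = ConsentStore(secrets.token_bytes(32), ttl=3600)
    token = store.start_signup("Alice@Example.com", now=1000)
    print("before confirm:", store.may_send("alice@example.com"))   # False
    print("tampered token:", store.confirm("alice@example.com", token + "0", now=1001))  # False
    print("valid token:", store.confirm("alice@example.com", token, now=1001))  # True
    print("replayed token:", store.confirm("alice@example.com", token, now=1002))  # False
    store.opt_out("alice@example.com", "unsubscribe", now=2000)
    print("after opt-out:", store.may_send("alice@example.com"))  # False
    print(store.export_record("alice@example.com"))
```

The token is checked with `hmac.compare_digest` so a forged signature cannot be distinguished by timing, the issue time inside the token is covered by the signature so an attacker cannot extend a link’s lifetime, and the pending entry is consumed on first use so the same link cannot confirm twice. Whether to keep the suppression entry after a deletion request is a policy decision for your legal team; the code marks it as an assumption.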
As a business that works with California residents and CA-based companies, the CCPA affects us, our clients and their businesses, and other businesses like us, under the same terms outlined above.
Beyond being a matter of data compliance, legislation like the CCPA and the GDPR exists to make users feel safer about their data on the internet. Email plays a big role in online marketing and communications, and Sinch Mailgun is invested in treating data as a respected, personal asset. Mailgun has and will continue to respect our customers’ privacy and will make sure to abide by all applicable laws and regulations.
The CCPA isn’t a federal law, but according to Cisco’s Consumer Privacy Survey, 89% of people say they care about data privacy and want more control. Compliance standards are always evolving and individual states rolling out their own privacy laws could indicate that federal data laws are not far behind. At Mailgun, we’re evolving right along with them.
We’re keeping our eyes on the American Data Privacy and Protection Act (ADPPA) for one. This bipartisan U.S. bill isn’t federal law yet, but if enacted it would standardize how the U.S. manages and processes data, both nationally and across industries, and would open the door wider to future global data policies.
For recent progress on the data protection front, in October 2022 President Biden signed an Executive Order implementing the U.S. commitments under the European Union-U.S. Data Privacy Framework, which takes us closer to cross-border data transfer protections.
Our dedication to user data protection is a big part of our personality. And we’re pretty passionate about delving into the details. Learn more about how we approach and value your security with our in-depth breakdown of email security and compliance.
Disclaimer: U.S. data protection laws, including the CCPA, are complex. This blog post shouldn’t be considered legal advice. Please consult a legal professional for details on how the CCPA impacts your specific business case.