FAQ: CCPA and privacy with BlueConic

Marketing teams use BlueConic to manage customer data privacy and consent compliance worldwide. BlueConic supports multiple legislation zones, including the CCPA, which goes into effect January 1, 2020. For general information on managing privacy with BlueConic see the Privacy section of our Knowledge Base.

This FAQ covers questions specific to the California Consumer Privacy Act, or CCPA.

What is CCPA?

The California Consumer Privacy Act, or CCPA, aims to bring more transparency and control to California consumers. As part of this new legislation, California residents will have the right to:

  • Know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information
  • Delete personal information held by businesses and by extension, a business’s service provider
  • Opt-out of the sale of personal information
    Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
  • Nondiscrimination in terms of price or service when a consumer exercises a privacy right under CCPA

Where can I learn more about CCPA?

Teams charged with managing CCPA compliance should read up on the privacy act. For this FAQ, we used documents provided by the office of the attorney general in California and the National Law Review. We also suggest consulting with your legal team to understand how your company is handling compliance.

Who does CCPA apply to?

Businesses are subject to the CCPA if one or more of the following are true:

  • Has gross annual revenues in excess of $25 million
  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices
  • Derives 50 percent or more of annual revenues from selling consumers’ personal information

As proposed by the draft regulations, businesses that handle the personal information of more than 4 million consumers will have additional obligations.

What is the difference between CCPA and GDPR?

The California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are separate legal frameworks with different scopes, definitions, and requirements.

But a business that already complies with GDPR will likely have a leg up when it comes to complying with CCPA. However, the two legislations differ from one another in specific ways.

  • For example, under GDPR, companies must undertake a data inventory and mapping of data flows in furtherance of creating records to demonstrate compliance. Additional data mapping may be important to reflect the different requirements under CCPA.
  • Under GDPR, companies must develop processes and/or systems to respond to individual requests for access to personal information and for erasure of personal information. These processes and/or systems may be applied to handling CCPA consumer requests, although businesses may need to review and reconcile the different definitions of personal information and applicable rules on verification of consumer requests.

For other specifics on how these two legislations differ and how your company is handling these legislations, consult your legal team.

How does CCPA define personal information?

According to the National Law Review, the CCPA defines personal information broadly to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household. Significantly, the CCPA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (more on this below).

The statute provides a non-exhaustive list of categories of personal information, including:

  • Identifiers including real name, alias, postal address, unique personal identifier (UUID), online identifier, internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  • Biometric information
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA)

How can BlueConic help me to comply with CCPA?

Similar to GDPR – we’ve enabled a new legislation zone for CCPA. For details and FAQs on our privacy and consent management, see our FAQ on privacy and consent management with BlueConic

Watch this short video on enabling consent management in BlueConic for CCPA:

Does BlueConic provide consulting to its customers about how to be CCPA-compliant?

No. BlueConic is not a consulting or law firm. This document does not constitute legal advice. We recommend you consult your organization’s legal and/or privacy experts to determine what is required for your specific organization. 

Sources

Content about CCPA adapted from the fact sheet written by the office of the attorney general in California and the National Law Review. This document was last updated on December 17, 2019.

Learn more about privacy compliance

Learn more about using BlueConic to manage privacy and consent for CCPA: