We are CCPA Privacy Law Experts
2B Advice can give your business a clearer picture of what the key requirements of this privacy regulation are, what steps you can take to meet them and how much time and effort you can expect to put into each step.
Our certified privacy law experts can help you assess your organization’s exposure to risk and design an appropriate level of mitigation.
2B Advice has helped thousands of organizations navigate data protection and privacy laws with experience and know-how developed over 17 years as one of the first data privacy services and technology firms in the U.S. and Europe.
Get A CCPA Consulting Quote!
Learn more about how we can help your company with a CCPA compliance program.
CCPA Frequently Asked Questions (FAQ)
The California Privacy Rights Act is also referred to as CPRA or CCPA 2.0. CCPA 2.0 is a ballot initiative aimed at regulating big corporations that collect large amounts of data. If passed, it will take effect in 2023.
CCPA applies to your business if you are a for-profit entity doing business in California that meets one of three thresholds:
- Has $25 million or more in annual revenue; or
- Possesses the personal data of more than 50,000 “consumers, households, or devices” or
- Earns more than half of its annual revenue selling consumers’ personal data.
Non-profit organizations are excluded from the CCPA, although they may potentially be subject to third-party obligations if they receive personal information from a covered business.
Yes, your business can be based anywhere in the world. Even if your company is not organized under California law, and even if you have no physical presence in California, if it meets one of the three thresholds, then the CCPA applies to your business.
Amendments to the CCPA have exempted “covered entities”, meaning those companies or healthcare providers that are subject to HIPAA or California’s Confidentiality of Medical Information Act (CMIA), from the CCPA’s scope to the extent that they protect patient data in accordance with HIPAA or CMIA.
Nor does the CCPA apply to:
- Personal information processed under the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act
- Protected health information or medical information governed by HIPAA or CMIA
- Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects
- The “sale” of personal information to or from a credit reporting agency, if used for a consumer report and use is limited to those permitted by the Fair Credit Reporting Act
- Personal information processed pursuant to the Driver’s Privacy Protection Act.
The definition of “household” was revised to mean a group of people who reside at the same address, share a common device or the same service, and are identified by the business as a single account.
Even if your business sells only to other businesses, also referred to as Business-to-Business or “B2B”, you must allow individuals to request that their information not be sold. You cannot discriminate against users who do so. And you must promptly inform individuals of a data breach.
If you are a B2B, you should:
- Know where personal information is stored and why
- Offer individuals an easy way to opt out from data sales
- Make it easy for individuals to opt out of emails
- Review your vendor relationships, particularly service providers who are processing data.
Consumers gain a number of important rights under CCPA.
- Consumers have the right to request access and deletion of their personal information.
- The CCPA requires any business that sells consumers’ personal information to provide a web page where consumers can opt out of having their personal information sold.
- The CCPA also grants consumers a limited private right of action against businesses that fail to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
There is a “sale” for CCPA purposes where data is exchanged directly for money or similar valuable consideration.
The CCPA defines certain types of vendors to be a “service provider”, namely:
- A legal entity organized for profit
- Which processes consumers’ personal information on a business’s behalf
- And to which a business discloses consumers’ personal information for a business purpose
- And which is bound by a written contract that prohibits the entity from retaining, using, or disclosing the personal information for any purpose other than the services specified in the contract, or as otherwise permitted by the CCPA.
Service providers can be processors, suppliers, vendors, etc. Service providers must demonstrate that they can protect shared consumer data.
A company may request that service providers delete the consumer’s personal information based on a consumer request.
No. In order to be considered a “service provider” for the purposes of the CCPA, an entity must process personal information “on behalf of a business.” In addition, the vendor must be bound by a written contract that prohibits it from:
- Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract”
- Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract”
- Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract”.
The CCPA also classifies another group of vendors, called “third parties”.
Under CCPA, third parties are the entities to which businesses sell or disclose personal information. The CCPA defines third parties in the negative—that is, a third party does not:
- Collect personal information directly from consumers
- Receive a consumer’s personal information from a business for a business purpose pursuant to a written contract that, among other things, prohibits the third party from selling, retaining, using, or disclosing the personal information.
The California attorney general can seek civil penalties for non-compliance with the CCPA that can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation. A business may not be liable if it cures any noncompliance within 30 days after being notified of alleged noncompliance.
The CCPA gives a private right to action that provides California consumers with a tool to seek redress if their personal information is accessed as the result of a data breach. This may involve actual damages, or statutory damages between $100 and $750 per consumer per incident.
Privacy consultancy 2B Advice named a "Cool Vendor" by Gartner
2B Advice is an IAPP corporate Gold member
2B Advice awarded Grand Prix of the SME 2014 and the Ludwig 2014
2B Advice is a Microsoft Gold-Certified Partner
We are an international company with offices in San Diego, California.
We are one of the providers with the longest experience in the market.
Our data privacy expertise is transnational and we work internationally.
Learn more about how data protection compliance software can help you with GDPR compliance.
2B Advice Reasons to Operationalize CCPA Whitepaper
7 reasons why to get started on the journey to privacy compliance. Download the whitepaper!
Free Single User License for 2B Advice PriME
Interested in an unlimited single seat license for comprehensive data privacy software? Register here now.
Why You Need CCPA Consulting
The California Consumer Privacy Act (CCPA) provides California residents with the ability to control how businesses process their personal information.
Regardless of where they are physically based, businesses will be required to honor requests from California residents to access, delete, and opt out of the selling or sharing of their information. The CCPA covers for-profit companies “doing business” in California that collect and sell personal information or disclose personal data for a business purpose.
The CCPA went into effect on January 1, 2020. The act will have a significant impact on the corporate privacy initiatives of both large and small businesses. Even companies that have GDPR compliance programs in place will need to put additional measures in place.
The CCPA will be enforced by the California Attorney General, who may pursue statutory penalties which can go up to $7,500 per violation. The Act also provides for a private right of action in specific circumstances. For instance, if “non-encrypted or non-redacted” consumer information is compromised because of a failure of reasonable security, a consumer may bring a legal action for statutory damages ranging from $100 to $750 per violation or actual damages, whichever is greater.
There is a changing viewpoint on the practices of opt-in and opt-out email marketing. Here we explain the difference between opt-in and opt-out and which approach is preferred today.
How Does a Consent Management Platform Help With Data Privacy?
A comprehensive privacy management software platform for managing CCPA compliance includes core elements such as a consent manager, a cookie banner, and policy notice generators.
What is Workflow Automation and Why Do I Need It?
An automated workflow for privacy compliance management is a set series of planned tasks to be performed in chronological order.