Business News Daily receives compensation from some of the companies listed on this page. Advertising Disclosure
BND Hamburger Icon


BND Logo
Search Icon
Updated Dec 20, 2023

How California’s Consumer Privacy Act Affects Your Business

author image
Max Freedman, Business Operations Insider and Senior Analyst

Table of Contents

Open row

Although the California Consumer Privacy Act (CCPA) technically applies only to the Golden State, California residents shop online with out-of-state businesses. As such, if your business collects personal information from people in California, you must comply with the CCPA no matter your location. However, if you’ve already taken steps to comply with Europe’s General Data Protection Regulation (GDPR), you likely already meet many of the CCPA’s requirements. Here’s what you should know about the CCPA and business compliance.

What is the California Consumer Privacy Act?

The California Consumer Privacy Act (CCPA) is a California state law that protects the following California consumer rights:

  • Right to know all data collected on them, including what categories of data and why it is being acquired, before it is collected, and any changes to its collection
  • Right to refuse the sale of their information
  • Right to request deletion of their data (with limited exceptions)
  • Mandated right to opt in before the sale of information of children under 16
  • Right to know the categories of third parties with whom their data is shared, as well as those from whom their data was acquired
  • Enforcement by the attorney general of the state of California
  • Private right of action should certain data breaches occur, to ensure companies keep their information safe
Consumers can sue businesses for CCPA noncompliance only in the event of a data breach. In all other cases, the California Attorney General’s office handles legal action around CCPA noncompliance.

Businesses have 45 days to respond to consumer requests, though this time frame is just 15 days for opt-out requests. Any damages that occur due to a qualifying data breach are limited to $750 per consumer per incident.

The CCPA, before it was in amendment with Assembly Bill 375, originally had more stringent regulations that might have nearly paralyzed the tech industry, which has thrived in California’s Silicon Valley. But the official CCPA allows businesses a 30-day window to amend any violations as long as they can prove they have been amended and that no more will occur. Otherwise, violators might face a penalty of up to $7,500 per intentional violation.

How does the CCPA impact businesses?

All businesses with gross annual revenue in excess of $25 million must comply with the CCPA. So too must all businesses that earn at least 50 percent of their revenue from the sale of California residents’ data. A third qualifying class of businesses exists: any that buy, sell or share data obtained from at least 100,000 California residents, devices or households. These criteria apply to all businesses that collect or sell personal information from consumers in California, regardless of where the company itself is located. Businesses inside California are as affected as out-of-state entities.

The University of Berkeley’s Center for Long-Term Cybersecurity has pointed to the following CCPA business impacts as the most important:

  • Less reliance on data-intensive processes: For example, in response to the CCPA, behavioral retargeting is becoming less common among businesses that work with California residents’ data. Instead, a renewed focus on peer accountability has emerged.
  • Confusing opt-out tools: The requirement to educate website visitors on cookie usage and allow them to opt out has led many businesses to rush into creating cookie opt-out banners. The result is unclear banners that aren’t user-friendly either. These may leave consumers flustered instead of confident that you’re protecting their data. It may also leave businesses noncompliant and consumer privacy unguarded.
  • Data infrastructure challenges: It can be quite costly for businesses to adhere to CCPA requirements. This can place obstacles in front of smaller businesses that qualify based on the CCPA 50 percent rule. These businesses may lack the money to fund the required resources for data mapping, inventory and retention, resulting in noncompliance.
FYIDid you know
The Berkeley report recommends the pursuit of newer regulatory frameworks to close any gaps in the CCPA and similar laws. Expect future data protection laws to gradually start looking different from the CCPA.

Why should your businesses address CCPA requirements?

While the CCPA technically might not cover your business, this doesn’t mean you shouldn’t prepare.

“The CCPA provides small businesses with incentive and motivation to [think] about the personal data processed and protected within their business environment,” said Matt Dumiak, director of privacy services at CompliancePoint. “Most organizations feel resource-constrained, and small businesses are no different, if not more so.”

“California’s law [raises] the bar significantly, and this won’t be the last time it’s raised as states seek to emulate the GDPR,” added Robert Cattanach, a partner at Dorsey & Whitney who helps clients navigate regulatory law. “This [law] is likely to increase litigation as more consumer rights are created and expanded.”

The lack of awareness could lead to a lack of compliance, which could expose businesses to significant financial penalties.

“It’s clear that businesses are confused about this regulation; they do not know whether they are subject to the law and what they need to do to become compliant,” said Tony Anscombe, chief security evangelist at ESET. “Businesses should particularly focus on the ‘reasonable security’ aspect of the law by ensuring they have stringent processes and practices in place, including strong endpoint protection and encryption, throughout their organization.”

How will the CCPA shape the future of data regulation?

While California is just one state, its regulations are spreading awareness and encouraging like-minded individuals to speak up and take action. Businesses should expect similar laws to be passed across the country in the next few years. In fact, Nevada, Colorado, and Virginia have all passed similar laws.

“Congress will feel pressure from both pro-privacy advocates to endorse the rights created by California, and businesses to try to bring uniformity to what is increasingly a dynamically evolving policy area,” said Cattanach. “The bottom line is that this leverages on the concepts contained in GDPR and is certain to be picked up as the standard by other states.”

Did You Know?Did you know
Hawaii, Indiana, Kentucky, Montana, New Hampshire, Oklahoma and Vermont have advanced their own consumer privacy acts. Although it remains to be seen whether these proposed bills will become law, more such legislation is expected in the years to come.

How can your business immediately comply with the CCPA?

Dumiak recommended reviewing the following business areas for CCPA compliance:

  • Information security posture
  • Personal data processing
  • Honoring of access requests
  • Other applicable rights or requirements

“Further, the fines and privacy right of action, while having an impact on any organization, will arguably be a larger percentage of their revenue and more impactful on business operations and revenue,” said Dumiak. “While many see regulation as a headache, this regulation is a terrific opportunity for organizations, small and large, to get much-needed resource help in the security and business operations space.”

If your small business hasn’t already hired a data processing consultant to make sure your company is compliant with GDPR, now may be the time to investigate such a professional. You may want to look for someone who is certified by the International Association of Privacy Professionals (IAPP). It is the largest and most comprehensive global information privacy community, with 40,000 members.

Data privacy regulations are here to stay

The CCPA covers any business, in any location, that processes California consumer data. Other states’ data laws, which are almost certain to be passed into law in the coming months and years, will be similarly expansive. This means it’s always a good time for your business to devote resources to data best practices. With a qualified consultant in your realm, you can check all the required boxes while focusing on business proper. This way, you stay in good graces with the law – and your customers too.

author image
Max Freedman, Business Operations Insider and Senior Analyst
Max Freedman has spent nearly a decade providing entrepreneurs and business operators with actionable advice they can use to launch and grow their businesses. Max has direct experience helping run a small business, performs hands-on reviews and has real-world experience with the categories he covers, such as accounting software and digital payroll solutions, as well as leading small business lenders and employee retirement providers. Max has written hundreds of articles for Business News Daily on a range of valuable topics, including small business funding, time and attendance, marketing and human resources.
Back to top
Desktop background imageMobile background image
In partnership with BDCBND presents the b. newsletter:

Building Better Businesses

Insights on business strategy and culture, right to your inbox.
Part of the network.