What does it do?
Grants California residents new rights regarding their personal information and imposes various data protection duties on for-profit entities conducting business in California.
Who is affected?
In a nutshell, for-profit companies doing business in California or with California residents.
Any for-profit entity doing business in California that meets one of the following:
- Has a gross revenue greater than $25 million
- Annually buys, receives, sells, or shares personal information; or has more than 50,000 consumers, households, or devices for commercial purposes
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The law also applies to any entity that controls, is controlled by, or shares common branding with a for-profit business meeting the test above.
We’ve heard a lot about GDPR – how is CCPA different?
GDPR and CCPA are similar, but not the same. Consumer rights, the right to access information, the right to change information, portability, and the right to delete information are all the same. But where GDPR permitted companies to use information either with your consent or for a legitimate business interest, CCPA doesn’t require either. CCPA focuses on transparency: letting consumers know what is going to be done with their information so that they can decide if they want to opt out.
CCPA applies to for-profit entities that do business in CA and meet one of the following criteria:
- Global revenue is greater than $25M (global revenue; not just CA); or
- Collects personal information of 50K consumers (globally); or
- Derives 50% of revenue from selling data
CCPA does NOT apply to non-profits (unless the non-profit controls a for-profit entity).
The term “resident” includes every individual (1) who is in the State for other than a temporary purpose (e.g. business or personal travel), and (2) who lives in California and who is temporarily travelling outside the state. All other individuals are nonresidents.
A California resident whose data you are processing. Note that as of today, employees do not fall under the definition of a consumer under CCPA. This is set to be reevaluated by 1/1/2021.
Any disclosure of consumer information for monetary or other valuable consideration.
Obtaining any personal information from a consumer, either actively or passively, or by observing the consumer's behavior.
| GDPR | CCPA |
|---|---|
| 1. Transparency | 1. Notice |
| 2. Access | 2. Access and portability |
| 3. Rectification | 3. Deletion |
| 4. Erasure | 4. Opt Out of Sale of Personal Information |
| 5. Restrict Processing | 5. Equivalent Services |
| 6. Data Portability | |
| 7. Object to processing | |
| 8. Automated decision making | |
Not necessarily. A separate agreement like a DPA is not specifically required, but CCPA requires a business to have a written contract with its vendors that prohibits the vendor from retaining, using, or disclosing the personal information for any purpose other than as specified in the vendor contract. A separate addendum (or “DPA”) may be the easiest way to achieve this purpose to make sure existing vendors are classified as Service Providers. See Cvent’s Customer Service Provider addendum here.
A Service Provider is a business that you contract with to process personal information on your behalf (e.g. CRM provider, cloud storage, marketing automation software).
Personal information is information that identifies or could reasonably be linked to a particular consumer or household (e.g., name, online identifier, IP address, government ID number, email address, products or services purchased, pictures, voice recordings, browsing history, geolocation data, education information, and more).
No. Privacy Shield is for the transfer of personal data between the US and the EU.
Cvent provides this material for informational purposes only. The material provided herein is general and in summary form and is not intended to be comprehensive. Further, it is not intended to be legal advice and should not be construed as such. Nothing herein should be relied upon or used without consulting a lawyer, data protection officer or other professional advisor who will consider your specific circumstances, possible changes to applicable laws, rules and regulations, and other legal and privacy issues. Receipt of this material does not establish an attorney-client relationship.