This information is provided "as-is." Information and views expressed in this topic, including links and Internet Web site references, may change without notice. You bear the risk of using it. This has been created as a general guide and should not be construed as legal advice. You should consult with your own legal professionals regarding any legal questions you have.
The California Consumer Privacy Act (CCPA) is the first comprehensive privacy law in United States. It was signed into law at the end of June 2018 and went into effect on January 1, 2020 and provides a variety of privacy rights to California consumers. Businesses regulated by the CCPA will have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like rights for consumers, an “opt-out” for certain data transfers and an “opt-in” requirement for minors.
The CCPA only applies to companies doing business in California, which annually satisfy one or more of the following: (1) have a gross revenue of more than $25 million, (2) derive 50% or more of its annual revenue from the sale of consumer personal information, or (3) buys, sells, or shares the personal information of more than 50,000 consumers.
The CCPA goes into effect on January 1, 2020. Enforcement by the California Attorney General (AG) began July 1, 2020.
Many of the CCPA’s rights afforded to Californians are similar to the rights the GDPR provides, including the disclosure and consumer requests similar to data subject right (DSR) requests, such as data access, deletion, and portability. As such, customers can look at our existing GDPR data subject right requests procedures to help them with their CCPA related requests and should review our Privacy Notice.
The CCPA requires regulated businesses that collect, use, transfer, and sell personal information to, among other things:
The CCPA requires disclosure of the following:
Calendly does not sell our customers data.
The definition of “sell” in the CCPA is incredibly broad, including “making personal information available to” a third party for monetary or other valuable consideration. Where a consumer has elected to “opt-out”, the business will be required to turn off the flow of personal information to any third party.
The CCPA does provide a number of carve-outs to this “sale” opt-out control. The three primary carve-outs are transfers (i) to a Service Provider, (ii) to an “exempted entity” or “contractor”, and (iii) at the direction of the consumer. Even if a consumer has elected to “opt-out”, personal information can continue to transfer to third parties who fit into those carve-outs.
In the context of CCPA, Businesses are individuals or entities that determine the purposes and means of the processing of consumer’s personal data, and Service Providers are individuals or entities that process information on behalf of a business. These are broadly synonymous with the terms Controllers and Processors used in GDPR.
The private right of action in the CCPA is limited to data breaches. Under the private right of action, damages can come in between $100 and $750 per incident per consumer. The California AG also can enforce the CCPA in its entirety with the ability to levy a civil penalty of not more than $2,500 per violation or $7,500 per intentional violation.
There are many differences. It’s easier to focus on the similarities, including:
The biggest difference in CCPA is the core requirement to enable an opt-out from sales of data to third parties (with “sale” broadly defined to include sharing of data for valuable consideration). This is a narrower and more specific obligation than the broad GDPR right to object to processing, which encompasses this type of “sale,” but is not specifically limited to covering this type of sharing.
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Personal information is any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. The defined term “personal information” roughly lines up with “personal data” under GDPR. However, CCPA also includes family and household data.
Examples of personal data include: