The California Consumer Protection Act (CCPA) that was enforced on Jan 1, 2020, is changing the way American companies use consumer data dramatically. Much like Europe’s General Data Protection Regulation (GDPR), it ensures consumers a long list of privacy rights. The challenge lies in how companies reexamine their previous methods of handling consumer data and adjust to the post CCPA era.
3 months down the line, there are many misconceptions that are in the minds of organizations regarding the CCPA:
Misconception #1: CCPA applies only to for-profit that meet specific criteria
Fact: The CCPA primarily applies to any for-profit entity that operates in California 1) having annual gross revenues over $25 million, or 2) possessing the personal information of 50,000 or more consumers, households, or devices, or 3) earning more than half of its annual revenue from selling consumers’ personal information. Nevertheless, non-profit entities may also be subject to the CCPA if they control or are controlled by a company or if they have joint branding with a company.
Misconception #2: The CCPA doesn’t apply to companies that don’t operate or have its headquarters in California
Fact: The CCPA primarily applies to any for-profit entity (that meets the criteria mentioned above) that “operates in California” - this doesn’t mean that the company has to be located in California to come under the scope of CCPA. As long as the company is doing business in California and collecting personal information about California residents, the CCPA remains applicable.
Misconception #3: The CCPA does not cover healthcare organizations
Fact: The CCPA exempts personal data covered by current federal privacy laws, like the Health Insurance Portability and Accountability Act (HIPAA). But private information that is not covered by HIPAA is subject to the CCPA.
Misconception #4: Non-profit healthcare organizations and small companies don’t meet the CCPA requirements, so they need not be bothered
Fact: Non-profit healthcare organizations and small companies may fall under the scope of the CCPA indirectly if they process the personal information of California residents through an agreement or if they host an electronic Health Information Exchange (HIE) or possess some other HIE networks.
Misconception #5: GDPR compliance means CCPA compliance
Fact: Although the CCPA’s requirements are not as arduous as the GDPR, in other respects, it goes even farther. Compared to the GDPR, the CCPA takes a broader view of what constitutes personal data. If you have made sure your organization is GDPR compliant, you won’t have to start from scratch for CCPA compliance. But the GDPR is not CCPA. There are some subtle, and some not so subtle differences which, if you don’t pay attention to, could end up landing you in trouble.