CCPA Myth #1: I don’t process any personal data, so CCPA doesn’t apply to me
A common myth is that many website owners, often small businesses and bloggers, do not process personal data and therefore do not have to comply with CCPA. It’s a misconception that can get expensive. That’s why it’s best to clarify what exactly personally identifiable information is under CCPA/CPRA.
According to CCPA Article 798.140, personally identifiable information is information that can be used to identify an individual or their household, such as name, email address, date of birth, customer number, log-in data, IP address, cookies, and more. Publicly available information derived from government agencies or records, such as professional licenses and public property records, is not covered by CCPA.
How can you check whether you are processing personal data?
If you answer “yes” to one or more of the following questions, you should be alert:
✔️ Do you have contact forms on your website?
✔️ Do you use commenting systems for posts?
✔️ Do you use Google Analytics?
✔️ Do you see login data and their histories in dashboards?
As you can see, you become a data processor faster than you think. Hence, be sure to exercise caution when it comes to CCPA compliance. This ultimate guide to CCPA compliance is also a good overview.
CCPA Myth #2: Businesses are NOT affected if they are not located in California
This assumption is as common as it is fundamentally wrong, because, just as with the GDPR, the market location principle applies here. This means that in certain cases, European companies can also be affected by CCPA. You don’t need to have a physical presence in California for that. In fact, your place of business doesn’t even have to be in the US.
Once you run a for-profit business that collects, processes, or sells data from California citizens AND you meet one of the following criteria, you must comply with CCPA/CPRA:
- Gross annual revenue of more than $25 million
- Processing of at least 100,000 consumers’ data
- 50% or more of annual profits come from the sale or transfer of personal data
So, even if you’re a “small fish” out there, the rule of thumb is, no one is exempt from CCPA.
CCPA Myth #3: GDPR Compliance guarantees CCPA Compliance
Many consider the European General Data Protection Regulation (GDPR) to be one of the strictest data protection laws in the world, and there’s some truth to that. Still, being GDPR-compliant doesn’t mean your company is automatically CCPA-compliant. That’s partly because the CCPA definition of personal data is broader than under the GDPR. But don’t worry: since both laws are still quite similar, you don’t have to do much more to comply with CCPA if you’re already compliant with the GDPR.
But there is one thing you definitely need to consider: The “Do not sell my personal data” page. The reason is that with CCPA, the so-called right to opt-out applies. This means that you must allow consumers to prohibit the sale of personal data to third parties. And this is where the CCPA legislative text is particularly specific. Namely, this must take place via a separate page with the mandatory heading, “Do not sell my personal information.” On this page, the request to opt-out must be made as simple as possible.
CCPA Myth #4: CCPA does not apply to employees
Alarm! Danger! Banish this myth from your mind as soon as possible!
This may have been true for a while, but since the January 2023 amendment to the CCPA by CPRA, the exception regarding employees has been removed. Since the CPRA went into effect, data protection applies to all consumers, and that term now includes employees and even freelancers or job applicants. If you are an employer located in California, you must provide your employees with the common CCPA rights now as well. Thus, your employees also have the right to see an updated privacy policy that explains exactly how their data is collected. Also consider the right to know/disclosure: Your employees must be informed of the purpose and duration of data retention BEFORE it occurs.
If you use Jira and Confluence in your organization and want to make them CCPA-compliant, take a look at this helpful article: How to comply with the CCPA Right to Know in Jira.
CCPA Myth #5: For compliance, the ability to opt-out is sufficient; an opt-in right does not need to be granted
Unfortunately, no.
This assumption is not true for all audiences, because there is a special feature under CCPA: if data is collected and sold from consumers who are under 16 years old, opt-in consent must be obtained. And for children under 13, consent must even be obtained from a parent or guardian. If their permission is not granted, your company must wait 12 months before asking for consent again.
According to the text of the law, this obligation only applies to a company if it has “actual knowledge” of the child’s age. Don’t speculate on this passage, however. Ignorance does not protect against punishment. The penalties for breaches of children’s personal information are higher than other penalties, up to $7,500 for each breach.
CCPA Myth #6: Nonprofits are off the hook
This myth deserves a closer read as well. That’s because CCPA Section 1798.140 (c) (2) defines what exactly the “businesses” are that must comply with CCPA. It describes that nonprofit entities can also be affected if the following scenarios apply to them:
- You are a nonprofit business organization, and you own a for-profit subsidiary
- You are a nonprofit business with commercial operations
- You are a nonprofit business that enters into a cooperative arrangement with a company that is covered by CCPA/CPRA
In other words, you’d better read up on whether your nonprofit should be CCPA-compliant before risking hefty penalties.
Under CPRA Section 1798.105, consumers have the right to make a request for the deletion of personal information. A right to request correction of the data is also available to consumers. As a business, you must follow up on these requests within 45 calendar days. Hence, you should have a tool that allows you to quickly and easily search, modify and, if necessary, clean up data.
Let’s say an employee leaves your company and asks you to delete data. You use Confluence and Jira and are looking for a simple, fast solution to anonymize user data? Then Data Protection and Security Toolkit for Jira/Confluence is your salvation. The tool can help you with all use cases to be CCPA-compliant.
Conclusion: CCPA Myths debunked
As you can see, common beliefs about data privacy laws are often misconceptions. As a result, it is always worthwhile to read the law carefully and seek advice from experts, such as our data privacy compliance service. CCPA/CPRA-compliance is not witchcraft, but it is something that requires diligence. We are happy to support you on your personal path to risk-free compliance.