The Hedge | Brutal Honesty Over Hype Since 2008
The California Consumer Privacy Act — expanded by the California Privacy Rights Act into what is now commonly called CCPA/CPRA — is one of the most comprehensive consumer data privacy laws in the United States. It applies to any business that collects personal information from California residents and meets certain thresholds. For entrepreneurs building consumer-facing businesses or any business that collects customer data, CCPA/CPRA is a compliance obligation that competitors in most other states don’t face — and that carries real enforcement risk if ignored.
Who Must Comply
CCPA/CPRA applies to for-profit businesses doing business in California that satisfy at least one of these thresholds: (1) annual gross revenues over $25 million; (2) buy, sell, or share for commercial purposes the personal information of 100,000 or more consumers or households per year; or (3) derive 50% or more of annual revenues from selling consumers’ personal information. The first threshold catches mid-size businesses growing toward enterprise scale. The second catches businesses with significant consumer data collection even if revenue is modest — 100,000 users is not a large number for a consumer app or e-commerce site. The third applies primarily to data brokers and advertising-heavy businesses.
Businesses below all three thresholds are technically exempt — but the California Privacy Protection Agency (CPPA) has indicated intent to expand these thresholds, and many small businesses that handle sensitive data (health information, financial information, children’s data) may be covered under other California statutes even if CCPA/CPRA technically doesn’t apply.
What CCPA/CPRA Requires
Covered businesses must provide consumers with: the right to know what personal information is collected and how it’s used; the right to delete their personal information; the right to opt out of the sale or sharing of their personal information; the right to correct inaccurate personal information; and for sensitive personal information, the right to limit its use and disclosure. Businesses must update their privacy policies to include specific CCPA disclosures, implement a “Do Not Sell or Share My Personal Information” link or mechanism, respond to consumer rights requests within 45 days, and maintain data processing records.
The Employee and Job Applicant Data Layer
CCPA/CPRA’s protections now fully apply to employee, job applicant, and contractor personal information — an extension that was phased in over multiple years. This means that California employers are subject to CCPA/CPRA for the personal information they collect from their California employees: HR records, payroll data, benefits information, performance records, and more. Employers must provide CCPA-compliant privacy notices to California employees and honor employee rights requests regarding their employment data. This extension significantly broadened CCPA’s impact on businesses that were already complying for customer data but had not extended their programs to the employment context.
Enforcement and Penalties
The California Privacy Protection Agency (CPPA) has enforcement authority alongside the Attorney General. Penalties for CCPA violations are $2,500 per unintentional violation and $7,500 per intentional violation — assessed per consumer affected per violation. A data breach affecting 10,000 California consumers with multiple data element violations can generate penalties in the tens of millions of dollars. Businesses in most other states don’t face comparable state-level privacy enforcement risk — Virginia, Colorado, and Texas have enacted privacy laws, but California’s enforcement regime is the most mature and most active.
For entrepreneurs building businesses with any California consumer touchpoint, CCPA compliance is not optional and not trivial. Budget for it in your operational planning from the beginning — a privacy program built from scratch after you’ve been audited or received a CPPA inquiry costs far more than one built correctly from day one.