Protecting customer data and privacy is a fundamental and essential requirement of running a business. Following the introduction of the General Data Protection Regulation (GDPR) in Europe back in 2018, we have seen the introduction of privacy regulations around the world. While the United States has yet to implement a comprehensive national privacy law, many states have taken privacy laws into their own hands, with California leading the charge. The California Consumer Privacy Act (CCPA) came into force in January 2020, bringing new consumer protections and heightened accountability and responsibilities for businesses.
The CCPA continues to evolve to meet both advances in technology and consumer expectations. The Consumer Privacy Rights Act of 2020 (CPRA) amends and expands certain provisions of the CCPA. These amendments are now in force and will be enforceable from March 29, 2024. Because the CPRA amends the CCPA rather than creating a separate, new law, it is typically referred to as the CCPA or “the CCPA, as amended.”
On this page, we'll walk you through some of the basics of the law, and parts that may be the most relevant for HubSpot customers. While the CCPA may not affect all HubSpot customers, it’s important to consider how it may impact you.
Disclaimer: This website is neither an exhaustive summary of the California Consumer Privacy Act (CCPA) nor legal advice for your company to use in complying with it. Instead, it provides background information to help you better understand the CCPA and how it can apply to your business. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so you should consult an attorney if you’d like advice on compliance with the CCPA. You may not rely on this page as legal advice, nor as an endorsement of any particular legal understanding.
The California Consumer Privacy Act (CCPA) establishes and enhances consumer privacy rights for California residents and imposes rules on businesses that handle their personal information. The CCPA was the first extensive consumer privacy legislation passed in the United States. It went into effect on January 1, 2020, and has now been amended by the CPRA, which became effective on March 29, 2023.
The CCPA applies to any for-profit entity doing business in California that collects and controls the processing of a consumer’s personal information and also satisfies ANY one of the following thresholds:
The U.S. federal government has historically passed laws targeted at select areas of data privacy, such as children’s online protection (COPPA) and spam email (CAN-SPAM), and every state has adopted its own version of a data breach notification law. However, the CCPA was the first and most extensive law of its kind in the United States to codify privacy protections for California residents. Since its inception, a number of US states have followed in California's footsteps by adopting comprehensive privacy regulations. With more on the horizon, it is important to be aware of the laws which might apply to your business.
The CCPA protects data privacy by affording Californians the right to access, delete, and opt out of the sale of their data. The CPRA expanded these rights to include the right to correct and the right to limit the use and disclosure of sensitive personal information, and it now requires businesses to allow consumers to opt out of the sale and sharing of their data with third parties (as defined by the CCPA).
The CCPA protects “consumers,” which are broadly defined as California residents. The term extends to both California residents currently in the state and those traveling outside of the state. It encompasses customers of goods and services, employees, and parties to business-to-business transactions.
You might be wondering what type of data is protected. The data covered can be broadly described as all data collected on consumers. You can think of it as data that directly or indirectly identifies, describes, or can reasonably be linked to a particular consumer or household. The CPRA also introduces "sensitive personal information," which requires businesses to develop additional disclosures about the use of sensitive personal information in their privacy notices and in their responses to individuals' requests exercising their expanded CPRA rights. While this concept is familiar from the GDPR and other privacy laws, the categories of data considered “sensitive” differ, and we encourage you to review the list thoroughly. There is currently a non-exhaustive list of specific categories of personal information and a list of sensitive personal information in section 1798.140 of the law.
Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise their individual rights and giving consumers certain notices explaining their privacy practices.
Several obligations under the CCPA hinge on whether your company “sells” personal information, as that term is defined in the CCPA, so it is important to understand whether these obligations may apply to your business. Transfers of personal information that generate value for your company could be “sales” under the CCPA. If your company “sells” personal information, you will need to satisfy several important compliance obligations, including (but not limited to) the following:
The CPRA also introduced new data minimization and data retention requirements. Businesses must not collect more personal information than is necessary and must not retain personal information for longer than is reasonably necessary for disclosed purposes.
The Act is enforced by the California Attorney General, and civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, may be imposed. The CCPA also extends a private right of action to consumers, giving businesses exposure not only to government fines but also to lawsuits from customers.
There is a significant amount of overlap between the CCPA and the GDPR.
HubSpot has extensive resources on GDPR, including this playbook, which explains the product and system features and functionality that we and our customers use to support compliance with GDPR.
A good portion of the existing product and system features, processes, and policies currently used for GDPR compliance may be used in the same ways for compliance with the CCPA. For example, you may handle access and deletion requests (currently requirements under both bodies of law) using our existing functionality.
We will provide more information on other resources as they become available.