The CCPA Is Coming. Here's What It Means for Your Business


A new data privacy law in California

Protecting customer data and privacy is a fundamental and essential requirement of running a business. Back in May 2018, we saw the introduction of the European data privacy law known as the General Data Protection Regulation (GDPR). In January 2020, a similar privacy law known as the California Consumer Privacy Act (CCPA) will come into effect. Although the law continues to be amended by the California legislature, there are some things you should be aware of if you conduct business in California. If you’ve worked on complying with the GDPR, you’re in good shape to meet some of the CCPA requirements. Otherwise, it’s time to prepare. 

Feeling underprepared? You’re not alone. A survey conducted by TrustArc found that, as of February 2019, only 14% of companies surveyed were compliant with the CCPA and 44% had not yet started an implementation process. This means that more companies should be investing in proper procedures to comply with the CCPA when it’s live. Just as we helped our customers prepare for the GDPR, we’re also working to make sure that our customers have the tools to enable their compliance with the CCPA.

On this page, we'll walk you through the basics of the law, and some of the most relevant parts for HubSpot customers. As the January deadline draws nearer, we'll create more product-specific resources to help you meet some of the CCPA's requirements. Although most HubSpot customers won’t need to make changes because of the CCPA, it’s important to find out if you meet the specific requirements. 

Does the CCPA apply to my business?

The CCPA won’t apply to the majority of HubSpot customers, but it’s important to check whether you meet the following requirements. The CCPA applies to any for-profit entity doing business in California that collects and controls the processing of a consumer’s personal information and also satisfies ANY one of the following thresholds:

  • Exceeds $25 million gross revenue annually,
  • Handles the personal information of 50,000 or more California consumers, households, or devices annually, or
  • Derives more than 50% of annual revenue from selling consumers' personal information.

The CCPA also applies to any business that controls or is controlled by an entity that meets one of the above criteria and shares common branding with that entity. For example, non-profit organizations won’t need to comply with the CCPA unless they are owned by, control, or share branding with a for-profit business. 

What was the story before the CCPA?

The U.S. federal government has passed laws targeted at select areas of data privacy such as children’s online protection (COPPA) and spam email (CAN-SPAM), and every state has adopted its own version of a data breach notification law. However, the CCPA is the first and most extensive of its kind in the United States to codify privacy protections for California residents.

Who and what does the CCPA protect?

The CCPA protects privacy by affording Californians the right to access, delete, and opt-out of the sale of their data. The CCPA protects “consumers,” which are broadly defined as California residents. “Consumers” extends to both California residents currently in the state and those traveling outside of the state. They encompass customers of goods and services, employees, and business-to-business transactions. 

You might be wondering what type of data is protected. Right now, the data covered can be broadly described as all data collected on consumers. You can think of it as data that directly or indirectly identifies, describes, or can reasonably be linked to a particular consumer or household. For example, commercial internet activity information and any inferences drawn about a consumer are covered. There’s currently a non-exhaustive list of specific categories of personal information defined in section 1798.140 of the law.

Important requirements under the CCPA

  • Right to know: The CCPA grants consumers the right to know what personal information a business sells, discloses, or collects about them, as well as the categories of third parties who purchased or received their data. Consumers have the right to obtain a copy of the personal information collected about them by making “verified consumer requests.” Consumers then have the right to transmit that information from one entity to another.

  • Right to deletion: Consumers can request that a business delete any of the personal information that the business has collected from them. The CCPA creates certain exceptions to this deletion right, such as when the personal information is necessary to perform a contract or complete a transaction.

  • Right to opt-out and non-discrimination: Consumers are given the right to opt-out of the sale of their personal information, and the CCPA prohibits businesses from discriminating against consumers who exercise their opt-out rights. Companies cannot ask consumers to sign contracts that limit their data privacy rights under the CCPA. This includes contract provisions limiting or waiving the right to a specific remedy or means of enforcement for an alleged violation.

  • Making required disclosures: Businesses must notify consumers of their rights under the CCPA, including their right to deletion, right to know, and data portability rights, as well as how to exercise these rights. These required disclosures can be made via privacy policies, in CCPA-specific notices, or at the time the personal data is collected. Companies’ privacy policies must lay out how the collected data will be used. The CCPA imposes additional obligations on companies that sell a consumer’s personal information and/or the data of children. However, this blog post will not cover those obligations because HubSpot customers are not allowed to use our products to sell data or collect children’s data. See our Privacy Policy and Acceptable Use Policy for more information.

  • Responding to consumer rights requests: Businesses must implement processes to respond to verified consumer requests and opt-out requests. For example, responses to consumer requests must cover the 12-month period preceding the request, so companies must have a way to date the data they collect.

  • Access and portability: Businesses must make at least two methods for submitting requests available to consumers, including, at a minimum, a toll-free telephone number and a website address if the business maintains one. Businesses must respond to consumers’ requests for information within 45 days of receiving a request; the response may be delivered by mail or electronically in a portable format. However, one proposed amendment to the CCPA would allow online-only businesses to make, at a minimum, only an email address available for submitting requests for information. You may track the status of this amendment here.

  • Deletion: If requested, businesses must delete the consumer’s personal information from their records unless maintaining the information is necessary to complete a transaction, for security or fraud-prevention purposes, or for another purpose listed in the Act.

  • Opt-out: Companies that sell data must disclose that they do so to their customers, and must include a “Do Not Sell My Personal Information” link giving consumers the opportunity to opt-out, both in their privacy policy and on the company’s website homepage. If a consumer opts-out or refuses to opt-in, the business must honor that request and continue to provide equal service and pricing to consumers who opted-out.

What happens if I don’t comply with the CCPA?

The Act is enforced by the California Attorney General, and currently gives businesses 30 days to cure an alleged violation after being notified of noncompliance. However, a proposed bill removes this cure period and allows for immediate enforcement. Civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, may be imposed. The CCPA also extends a private right of action to consumers, giving businesses exposure not only to government fines but also to lawsuits from customers.

How is HubSpot helping you prepare for the CCPA?

Since the CCPA is not finalized and is subject to amendment by the California legislature, we aren’t able to make representations with respect to our compliance with the CCPA. What we do know is the following:

  1. There is and will likely continue to be a significant amount of overlap between the CCPA and the GDPR.
  2. HubSpot has extensive resources on the GDPR, including this playbook, that explain the product and system features and functionality used by us and by our customers to support compliance with the GDPR.
  3. A good portion of the existing product and system features, processes, and policies currently used for GDPR compliance may be used in the same ways for compliance with the CCPA (in whatever final form it takes). For example, you may handle access and deletion requests, which are currently requirements under both bodies of law, using our existing functionality.
  4. We will provide more information on our official CCPA playbook or other resources once the CCPA is finalized and as they become available.

In the coming months, we’ll be keeping up to date with the CCPA and tracking its changes over time. Be on the lookout for new blog posts and updates by subscribing to our blog.
