What the CCPA means for your business

Protecting customer data and privacy is a fundamental and essential requirement of running a business. Following the introduction of the General Data Protection Regulation (GDPR) in Europe back in 2018, we have seen the introduction of Privacy Regulations around the world. While the United States has yet to implement a comprehensive national privacy law, many states have taken Privacy laws into their own hands, with California leading the charge. The California Consumer Privacy Act (CCPA) came into force in January 2020, bringing new consumer protections and heightened accountability and responsibilities for businesses.  

The CCPA continues to evolve to meet both advances in technology and consumer expectations. The Consumer Privacy Rights Act of 2020 (CPRA) amends and expands certain provisions of the CCPA. These amendments are now in force and will be enforceable from March, 29 2024.  As the CPRA amends the CCPA, it does not create a separate, new law. As a result, it is typically referred to as the CCPA or “the CCPA, as amended.”

On this page, we'll walk you through some of the basics of the law, and parts that may be the most relevant for HubSpot customers. While the CCPA may not affect all HubSpot customers, it’s important to consider how it may impact you.

The U.S. federal government has historically passed laws targeted at select areas of data privacy such as children’s online protection (COPPA) and spam email (CAN-SPAM), and every state has adopted its own version of a data breach notification law. However, the CCPA was the first and most extensive of its kind in the United States to codify privacy protections for California residents. Since its inception, a number of US states have followed California's footsteps in adopting comprehensive privacy regulations. With more on the horizon it is important to be aware of the laws which might apply to your business.

The CCPA protects data privacy by affording Californians the right to access, delete, and opt-out of the sale of their data. The CPRA expanded these rights to include the right to correct, the right to limit the use and disclosure of sensitive personal information, and now requires businesses to allow customers to opt-out of the sale and sharing of their data with third parties (as defined by the CCPA).

The CCPA protects “consumers,” which are broadly defined as California residents. “Consumers” extends to both California residents currently in the state and those traveling outside of the state. They encompass customers of goods and services, employees, and business-to-business transactions. 

You might be wondering what type of data is protected. The data covered can be broadly described as all data collected on consumers. You can think of it as data that directly or indirectly, identifies, describes, or can reasonably be linked to a particular consumer or household. The CPRA also introduces "sensitive personal information," which will require businesses to develop additional disclosures about the use of sensitive personal information in their privacy notices and responses to individuals' requests exerting their expanded CPRA rights. While this concept is familiar to the GDPR and other privacy laws, the categories of data considered “sensitive” differ, and we encourage you to review the list thoroughly.  There’s currently a non-exhaustive list of specific categories of personal information and a list of Sensitive Personal Information in section 1798.140 of the law.