California Consumer Privacy Act (CCPA)

CCPA overview

The California Consumer Privacy Act (CCPA) is the first comprehensive privacy law in the United States. It provides a variety of privacy rights to California consumers. Businesses regulated by the CCPA will have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like consumer data subject rights (DSRs), an 'opt-out' for certain data transfers, and an 'opt-in' requirement for minors.

The CCPA only applies to companies doing business in California which satisfy one or more of the following: (1) have a gross annual revenue of more than $25 million, or (2) derive more than 50% of their annual income from the sale of California consumer personal information, or (3) buy, sell or share the personal information of more than 50,000 California consumers annually.

The CCPA goes into effect on January 1, 2020. However, enforcement by the California Attorney General (AG) will start on July 1, 2020.

The California AG will enforce the CCPA and will have power to issue non-compliance fines. The CCPA also provides a private right of action which is limited to data breaches. Under the private right of action, damages can come in between $100 and $750 per incident per consumer. The California AG also can enforce the CCPA in its entirety with the ability to levy a civil penalty of not more than $2,500 per violation or $7,500 per intentional violation.

Microsoft and the CCPA

For commercial customers doing business in California, Microsoft will be acting as a 'service provider' with respect to our Online Services and Professional Services offering. The terms of the Online Services Terms (OST) and the Microsoft Professional Services Data Protection Addendum (MSDPA) already meet the requirements for Service Providers under the CCPA and are generally sufficient to permit customers to continue to transfer data to our Online Services. As such, no additional contractual changes are required for customers to be able to rely on Microsoft as a Service Provider under the CCPA.

As set out in the OST, Microsoft complies with all laws and regulations applicable to its provision of the Online Services, which would include the CCPA.

Microsoft in-scope cloud services

How you can prepare for your CCPA compliance when using Microsoft Products and Services

Here are a few steps you could take to get ready for the CCPA:

  • Start leveraging the GDPR assessment in Compliance Manager as part of your CCPA privacy program.
  • Establish a process to efficiently respond to Data Subject Access Requests (DSARs) using the Data Subject Requests tool.
  • Set up label and policies to discover, classify & label, and protect sensitive data with Microsoft Information Protection.
  • Use email encryption capabilities to further control sensitive information.

Frequently asked questions

How will the CCPA affect my company?

Many of the CCPA's rights afforded to Californians are similar to the rights the GDPR provides, including the disclosure and data subject right (DSR) requests, such as access, deletion, and portability. As such, customer can look to our already existing GDPR solutions to help them with their CCPA compliance.

To begin your CCPA journey you should focus on Discovery of information, determining how personal information is shared, governing how it is used, how it is protected and having a formal data breach response program in place.

What are the differences between GDPR and CCPA?

There are many differences. It's easier to focus on the similarities, including:

  • Transparency/disclosure obligations,
  • Consumer rights to access, delete, and receive a copy of data,
  • Definition of 'service providers' that is similar to how GDPR defines 'processors' with a similar contractual obligation, and
  • Definition of 'businesses' that encompasses the GDPR definition of 'controllers'.

The biggest difference in CCPA is the core requirement to enable an opt-out from sales of data to third parties (with 'sale' broadly defined to include sharing of data for valuable consideration).

What rights must companies enable under the CCPA?

The CCPA requires regulated businesses that collect, transfer, and sell personal information to, among other things:

  • Provide disclosures to consumers, prior to collection, regarding the categories and purposes of collection.
  • Provide more detailed disclosures in a privacy policy regarding the sources, business purposes, and categories of personal information that is collected, including how those categories are sold or transferred to other entities.
  • Enable DSR rights of access, deletion, and portability for the specific pieces of personal information that has been collected by you.
  • Enable a control that will permit consumers to opt out of the sale of the consumer's data. However, transfers to exempt entities, such as service providers, will be permitted.
  • For minors, under 16, enable an opt-in process so that no sale of the minor's personal information can occur without actively opting-in to the sale.
  • Ensure that consumers are not discriminated against for exercising any of their rights under CCPA.

How does the CCPA apply to children?

  • CCPA introduces parental consent obligations consistent with The Children's Online Privacy Protection Act (COPPA) for children under the age of 13.
  • For children between 13 and 16 years old, CCPA imposes a new obligation to obtain opt-in consent from the child.

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources