What is CCPA?
The California Consumer Privacy Act (CCPA) is a state law that aims to enhance the privacy rights and consumer protection of California residents. It is the first comprehensive privacy regulation in the USA. It became effective January 1, 2020, with some exceptions (Cal. Civ. Code §§ 1798.100-1798.199), and enforcement was postponed until July 1, 2020.
Why is it important?
The CCPA grants California residents new rights regarding their personal information and imposes various data protection duties on certain entities conducting business in California.
How does it apply?
The CCPA only protects natural persons (individuals/consumers) and does not cover legal persons.
A "consumer" who has rights under the CCPA is "a natural person who is a California resident." The California Code of Regulations defines a resident as "(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents."
The CCPA obligations apply to an organization ("business") that:
- is for-profit;
- collects consumers' personal information, or on whose behalf such information is collected;
- determines the purposes and means of the processing of consumers' personal information;
- does business in California; and
- meets any of the following thresholds:
  - has annual gross revenue in excess of $25 million;
  - alone or in combination, annually buys, receives for the business's commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  - derives 50% or more of its annual revenues from selling consumers' personal information.
Which information is covered?
The CCPA defines personal information as information that can be associated with, or could reasonably be linked, directly or indirectly, with not only a particular consumer but also a household. This extends the scope of personal data compared to the GDPR. Besides the common types of personal information, it can also include, among others, commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
What are the main terms?
- Consumer – an individual who is a California resident. Corresponds to “data subject” as per GDPR.
- Business – a for-profit entity that determines the purposes and means of the processing of consumers' personal information and does business in California. Corresponds to “controller” as per GDPR.
- Service provider – a for-profit entity that processes information on behalf of a CCPA-covered business. Corresponds to “processor” as per GDPR.
Note: As with GDPR, a business must disclose a consumer's personal information for a business purpose only pursuant to a written contract. The contract should prohibit the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract.
For the cases when our customers are ‘businesses’ (in the meaning of CCPA) and need to sign a specific contract with Acronis, acting as a service provider (in the meaning of CCPA), we can provide you with a Data Processing Addendum (DPA).
Please note that if you are a reseller, distributor or corporate end user who obtains Acronis cloud products through a service provider, other reseller or distributor, you need a DPA with that service provider, reseller or distributor. Only businesses that purchase directly from Acronis can enter into a DPA with Acronis!
If you want to sign a DPA with us, please send a request to data-protection-office@acronis.com or contact your Partner Account Manager/Technical Account Manager.
More information on the DPA signing process can be found here: GDPR compliance
- Sell/selling – under CCPA the term covers selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
“Selling” is similar to “processing” under GDPR. The word should not be interpreted according to its common definition. Rather, it specifies any processing associated with monetary or other valuable consideration. Note that Acronis does not “sell” personal information in the meaning of CCPA!
What rights do I have under CCPA?
While the CCPA incorporates several GDPR concepts, such as the rights of access, portability, and data deletion, there are several areas where the CCPA requirements are more specific than those of the GDPR, or where the GDPR goes beyond the CCPA requirements.
Under the CCPA, Californians have the following main rights:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information, including the right to have this data provided free of charge in a readily usable format that allows for the transmission of this data to third parties (data portability);
- The right to delete personal information held by businesses and, by extension, a business’s service provider;
- The right to opt out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
Note that Acronis does not “sell” personal information in the meaning of CCPA!
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA (Note that Acronis does not discriminate against consumers exercising their privacy rights!).
How do I exercise my rights under CCPA?
If you want to exercise any of your rights under CCPA or have any other related concern, you can:
- submit a privacy support ticket directly to Acronis Support in the Privacy section, or use this direct link: https://support.acronis.com/submit-ticket. Please enter “CCPA” as the subject, together with the specific right you want to exercise (e.g. “Right to delete/delete my data”);
- reach us at our toll-free number: +18885687931; or
- send us an email at data-protection-office@acronis.com.