CCPA Myths vs. Reality: Busting the 7 Most Common Myths about the California Consumer Privacy Act

The CCPA, or California Consumer Privacy Act, was passed in June 2018 and went into effect in January 2020. It mirrors the European Union’s GDPR in that it enforces very strict laws regarding how consumer data is handled, with huge penalties for those who fail to comply completely. At Aparavi, we can help you control and manage your data, keeping you totally compliant.

The first step toward CCPA compliance is understanding what the law entails. We look at 7 myths people have about the CCPA and examine the truth around those myths.

CCPA Myths vs. Reality: Busting the 7 Most Common Myths about the California Consumer Privacy Act

1. If You’re in Healthcare, You’re Already CCPA-Compliant

Companies that operate in the healthcare sector already comply with HIPAA, so they might think they are off the hook when it comes to this new law. The reality is that HIPAA only covers certain customer data, and there’s plenty of additional information that was previously unprotected but is now covered.

Third-party vendor information, assisted care facility data, and additional patient information that is not strictly medical-related all fall under the umbrella of the new law. Your best course of action is to comply with both HIPAA and CCPA. You might wind up having a little bit of overlap, but it’s worth the hassle.

2. My Existing Insurance Will Cover Penalties

Companies have insurance for a reason, and, understandably, you might think that your existing insurance will cover you if you accidentally violate the California Consumer Privacy Act. The reality is a little bit more sobering. Expect fines of up to $7,500 for a single violation per user.

If your database contains hundreds of customers, you could be looking at astronomical fines, plus major damage to your organization’s reputation. It’s far better to do the legwork to get compliant so that you can sleep easily at night. Make sure that your data is organized, secure, and compliant. You don’t want to have any surprise penalties that could disrupt the course of your business.

3. If My Company Isn’t Headquartered in California, I Don’t Need to Worry


Many people think that if their company is not headquartered in California that they don’t need to bother with CCPA compliance. However, many companies that are not located in California can be subject to this new law. If you have even a single California resident as one of your clients, you may be subject to it. If you’re collecting any personal information on California residents, no matter how you plan to use that information, you need to make sure that your data is both organized and completely in line with the new law.

Additionally, many other states are making a move to implement similar data protection laws. It doesn’t hurt to get ahead of the curve to get your data organized and totally secure now.

4. I Can Take My Time

The law has been in effect for all of 2020, and you are fully expected to have your data compliant by now, even though the California Attorney General didn’t start enforcing the CCPA immediately. There is not a grace period for California companies, and if you are caught not complying, you could face exceptionally stiff penalties, especially if you are found to have violated the rights of minors. It’s wise to move toward compliance now.

With the help of tools like The Aparavi Platform, many businesses over multiple sectors have been able to organize and streamline their data. Start today. It will take a load off your mind and put you in a much better position moving forward.

5. Non-Profits Are Exempt

While the CCPA does apply only to businesses that are defined as for-profit entities, the non-profit world is not completely exempt from this law. If your non-profit has a for-profit subsidiary, has a contractual relationship or joint venture with any for-profit businesses, or engages in commercial activity, now is the time to reexamine your data privacy policies.

In addition, just because your non-profit is exempt doesn’t mean that your vendors are. This is especially true if the non-profit in question uses third-party vendors to get data for member drives or other funding. Consumer data sources and other third-party direct marketing companies that collect or process consumer information are not exempt. As with virtually every other company, many non-profits collect data on their donors or members, and that data is subject to California’s privacy laws.

Finally, the new law comes with an increased expectation from consumers that their information will be guarded more heavily. If a data incident does occur, you can expect that your non-profit’s reputation will still suffer. With this new law, it’s better to be safe than sorry, and if you don’t know where your data is coming from, you could be in for a very unpleasant surprise. Non-profits should have a good handle on their data also and will benefit tremendously from upgrading their existing systems so that their data is both compliant and completely secure.

6. CCPA Only Applies to Large Companies

Businesses large and small may need to be in full compliance with the CCPA or risk incurring very large fines. Small companies that operate outside of California but still have clients within the Golden State must also comply with it. We may see changes to the scope of the law if California’s Proposition 24 passes on November 3rd, but under the current law, the CCPA applies to any business who meets one or more of these criteria:

• Has an annual gross revenue of at least $25 million;
• Annually buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices;
• Or derives 50% or more of its annual revenue from selling consumers’ personal information

Since the definition of private information is exceptionally broad, it is easy to make a single misstep. This could be extremely costly, especially for smaller businesses. The best rule of thumb here is to assume that all of the data you collect is subject to this vast California privacy law.

7. I Don’t Keep Sensitive Data on My Customers so I Don’t Need to Worry


It’s very easy to confuse this new privacy law with HIPAA, but the two are simply not interchangeable. HIPAA covers sensitive healthcare data, but the new California privacy act covers a plethora of additional data that might seem completely innocent or innocuous.

The CCPA applies to any personal information that identifies, relates to, describes, or can be associated with (or reasonably capable or being associated with) a particular consumer, household, or device. Examples include name, alias, address, IP address, email address, social security number, or driver’s license, as well as geolocation data, biometric data, race, gender, education level, religion, and more. Consumer profiling to predict preferences also falls under the definition.

Even data that you wouldn’t suspect as being problematic could very well be. For example, employees and job applicants are included under the definition of consumer, so you need to carefully examine the data your HR department collects and retains. This is why it is so absolutely vital that you completely comply with the new law. Ignorance of the finer points will not save you from being fined.

Keep Yourself Safe

Fortunately, there’s an easy way to keep your data automated, organized, up to date, and compliant. At Aparavi, we understand the challenges that come with controlling and understanding your data. That’s why we offer user-friendly systems that allow you to control your data in a cost-effective, insight-rich way that lets you see the bigger picture.

Our cloud-based Platform makes compliance with data privacy laws easy. The California Consumer Privacy Act is here to stay, so ensuring your organization is compliant is critical. Contact Aparavi and take control of your data today.