In 2018, California adopted the first major consumer privacy law in the US, the California Consumer Privacy Act (CCPA). The Act regulates the collection, use and sale of personal information of California residents. CCPA came into effect on January 1, 2020, and enforcement began on July 1, 2020.
Consumer Rights Under CCPA
This landmark privacy law gives consumers in California new rights:
- Right to know about personal information a business collects about them and how it is used and shared
- Right to delete personal information collected from them (with some exceptions)
- Right to opt-out of the sale of their personal information
- Right to non-discrimination for exercising their consumer rights
Additionally, consumers have the right to opt out of the sale of their personal information to third parties. They also have the right to know whether, and to which third parties, the information will be sold or disclosed.
Notices Required Under CCPA
Under the California Consumer Privacy Act (CCPA), consumers are entitled to certain notices and disclosures regarding the collection and use of their personal information. CCPA mandates that:
The four types of consumer notices required under CCPA are:
1. Notice at collection that must inform consumers at or before collecting their personal information.
2. Notice of right to opt-out that must inform consumers of their right to opt-out of selling their personal information.
4. Notice of financial incentives that must inform consumers about any financial incentive or “price or service difference” provided in exchange for personal information.
All notices should also provide clear and concise information and have the following features:
Language of the CCPA notices should be “plain, straightforward”. Notices should not use technical or legal jargon and should be available in all languages the business uses for providing services.
Accessibility is another key aspect of CCPA requirements. Notices should also be available in a readable format, including on smaller screens such as mobile applications. Businesses should also ensure that the notices are reasonably accessible to consumers with disabilities.
In 2020, the California Attorney General’s office published the proposed regulations with guidelines and examples on how businesses can implement various notices required under CCPA. This blog will outline the guidelines provided for CCPA notices.
Notice at Collection
Businesses have to inform consumers at or before the first time they collect their personal information. A notice at collection should inform the consumer about the categories of personal information the business collects about them and the purposes for which it uses this information. You may provide notice at collection via a banner or a noticeable link when a user visits your website.
CCPA Compliant Notice at Collection
The notice at collection should include:
- The categories of personal information the company collects
- The purposes for which the company uses the personal information
- Links to opt-out of the sale of personal information
If a business collects consumers’ personal information online, it may provide a conspicuous link to the notice on the homepage. For mobile applications, provide a link to the notice on the download page. Bose uses a prominent website footer to link the CCPA notice at collection.
If a business collects consumers’ personal information offline, it may include the notice on printed forms or direct the consumers to the web address where the notice can be found.
- Description of customer rights and how to exercise these rights
- List of categories of personal information that your website collects
- Details about sale or disclosure of personal information in the last 12 months
- Categories of third parties to whom information is sold or disclosed
- Link to opt-out of the sale of personal information
- Instructions for submitting verifiable consumer requests
- Links to online request forms or portal for making the request, if any
- The list of personal data categories must be updated every year
- Details on how consumers can designate an authorized agent for requests
- Contact information and the date on which the policy was last updated
Right to Opt-Out Notice
Consumers have the right to opt out of the sale of personal information under CCPA. The notice of right to opt-out informs consumers of their right to direct a business to stop selling their personal information or to refrain from doing so in the future.
Businesses cannot sell a consumer’s personal information after the consumer opts out unless they get affirmative authorization (opt-in) later. Businesses have to wait at least 12 months before asking consumers to opt into the sale of their personal information again.
Business websites should have a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the homepage. The same opt-out notice should also be made available on the download or landing page of a mobile application.
CCPA Compliant Opt-Out Notice
- Description of the consumer’s right to opt-out of the sale of their personal information
- An online webform by which the consumer can submit their request to opt-out
- Instructions for any other method by which the consumer may submit their request to opt-out
- Information about any proof required when a consumer uses an authorized agent to exercise their right to opt-out
Special Regulation for Minors
If a business receives a request to opt in to the sale of personal information from a minor (13-16 years of age), it has to inform the minor, via a notice, of the right to opt out at a later date.
Note that businesses that exclusively target minor consumers and do not sell personal information without their (or their parents’) affirmative authorization need not provide the notice of right to opt-out.
Notice of Financial Incentives
Businesses that operate a “financial incentives scheme” must provide a notice of financial incentives to consumers. The main purpose of this notice is to explain the terms of the financial incentive or price or service difference offered.
Under CCPA, businesses cannot discriminate against consumers who exercise their consumer rights. However, a special provision in the CCPA allows businesses to offer incentives to consumers in exchange for their personal information. The incentive must be based on the actual value that the business derives from the consumer’s data.
CCPA Compliant Notice of Financial Incentives
The CCPA notice of financial incentives should include:
- A summary of your financial incentives, price, or service difference offered
- A description of the terms of the scheme, including the categories of personal information involved
- Instructions on how consumers can opt-in for financial incentives
- Notification of consumers’ right to withdraw from the scheme and how to exercise it
- An explanation of how the incentive is reasonably related to the value of the consumer’s data, including a “good faith” estimate of the value of the consumer’s personal information and a description of the method you used to calculate it
Here’s another example of a notice of financial incentives from BevMo.
CCPA Updates on Notices
In March 2021, the California Attorney General’s office announced updated CCPA regulations. The updated regulations ban “dark patterns” that blindside consumers from opting out of the sale of their personal information. They also prohibit businesses from hindering consumers from opting out via confusing language or unnecessary steps.
The notable provisions in the CCPA amendments concerning CCPA notices are highlighted below.
Offline Opt-Out Notices
Businesses that collect personal information offline and sell such information offline have to implement specific methods to offer opt-out rights to such consumers. This includes:
- Notify the consumer on the paper forms that collect the information
- Post signage in the area where the personal information is collected
- For information collected over the phone, inform the consumer of the opt-out right orally
New Opt-Out Icon
After years of back and forth regarding opt-out buttons or icons, the new amendments include an “opt-out icon”. Businesses can use it on their websites in addition to posting the notice of right to opt-out.
But note that businesses cannot use the opt-out icon instead of posting the opt-out notice or the “Do Not Sell My Personal Information” link required under the regulations.
The new opt-out icon can be found here. The icon is not a requirement, rather it is “optional”, as the new regulations suggest.
Simple Methods to Opt-Out
The new amendments require that the process for submitting opt-out requests should have “minimal steps.” Businesses should not use confusing language such as double negatives. For example, an opt-out notice with “Don’t Not Sell My Personal Information” is not allowed.
CookieYes for CCPA Compliance
CookieYes is a cookie consent solution for your website that will help you to comply with data privacy laws like the GDPR and CCPA.
CookieYes will automatically scan your website for cookies and add them to your site’s list of cookies. You can automatically block 20+ third-party cookies until you obtain user consent.
You can add a fully customizable cookie consent banner and make it available in 26 languages. With CookieYes, you can add your CCPA compliance notice in your cookie banner.
With CookieYes, you can comply with GDPR and CCPA at the same time. So, what are you waiting for? Start complying!
Frequently asked questions
What is CCPA?
The California Consumer Privacy Act of 2018 (CCPA) is the first state-wide legislation that regulates the sale, disclosure, and collection of personal information of California consumers. It came into effect on January 1, 2020. It intends to give consumers more control over how their information is collected and sold.
CCPA applies to any for-profit business or organization that collects California consumers’ personal information, and meets one of the following thresholds:
- $25 million or more in annual revenue,
- processes personal information of 50,000 or more consumers, households, or devices or
- earns more than 50% of its revenue from selling consumers’ personal information.
Under the law, California residents will be able to ask companies what personal information they have collected about them, how it was used, and whether it was sold. They will also have the option to opt out of this data collection or selling process.
What is CCPA compliance?
CCPA (California Consumer Privacy Act) is a law that aims to regulate the collection, sale, and distribution of personal information of California residents by business entities. Under this law, business entities have to inform their customers about the following:
- What kind of personal information do you collect?
- Why do you collect personal information?
- How do you collect and process personal information?
- What are the third-party sources with whom you share the personal information?
- How can consumers access and delete their personal information?
- How can consumers opt out of the sale of their personal information?
Do I need a CCPA notice?
Yes, if your business is for-profit, requires personal information of California consumers, and meets all the criteria of CCPA. Your business will be required to notify users when collecting their information or to inform them about their opt-out right.
What is a CCPA request?
Under the California Consumer Privacy Act (CCPA), some California residents may request access to personal information held by companies. The consumers can also request companies to delete that information.