California adopted the first major consumer privacy law in the US in 2018, the California Consumer Privacy Act (CCPA). The Act regulates the collection, use and sale of the personal information of California residents. CCPA came into effect on January 1, 2020, and enforcement began on July 1, 2020.

Consumer Rights Under CCPA

This landmark privacy law gives new rights for consumers in California:

  • Right to know about personal information a business collects about them and how it is used and shared
  • Right to delete personal information collected from them (with some exceptions)
  • Right to opt-out of the sale of their personal information
  • Right to non-discrimination for exercising their consumer rights

Under the right to know, businesses have to inform consumers, through a privacy policy, notices, or responses to consumer requests, about the personal information they have collected about them, its sources, and the business or commercial purpose for which it is being used.

Additionally, consumers have the right to opt out of the sale of their personal information to third parties. They also have the right to know whether, and to which third parties, their information will be sold or disclosed.

[Image: Section 1 of CCPA (SBN 1121)]

Notices Required Under CCPA

Under the California Consumer Privacy Act (CCPA), consumers are entitled to certain notices and disclosures regarding the collection and use of their personal information. CCPA mandates four types of consumer notices:

1. Notice at collection, which must inform consumers at or before the point of collecting their personal information.

2. Notice of right to opt-out, which must inform consumers of their right to opt out of the sale of their personal information.

3. Privacy policy, which outlines the business’s collection, use, sharing and sale of personal information.

4. Notice of financial incentives, which must inform consumers about any financial incentive or “price or service difference” provided in exchange for personal information.

All notices should also provide clear and concise information and have the following features:

Language of the CCPA notices should be “plain, straightforward”. Notices should not use technical or legal jargon and should be available in all languages the business uses for providing services.

Accessibility is another key aspect of CCPA requirements. Notices should also be available in a readable format, including on smaller screens such as mobile applications. Businesses should also ensure that the notices are reasonably accessible to consumers with disabilities.

In 2020, the California Attorney General’s office published the proposed regulations with guidelines and examples on how businesses can implement various notices required under CCPA. This blog will outline the guidelines provided for CCPA notices.

Notice at Collection

Businesses have to inform consumers at or before the first time they collect their personal information. A notice at collection should tell the consumer which categories of personal information the business collects about them and the purposes for which it uses this information. You may provide the notice at collection via a banner or a noticeable link when a user visits your website.

Vituity uses its cookie banner to inform users about its CCPA-specific privacy policy.

[Image: CCPA notice via Vituity]

Take a look at this CCPA compliant notice created with CookieYes. A customizable link (‘CCPA Notices’) leads to a webpage that holds your notice at collection, CCPA privacy policy and any related information.

[Image: CCPA notice via CookieYes]

CCPA Compliant Notice at Collection

The notice at collection should include:

  • The categories of personal information the company collects
  • The purposes for which the company uses the personal information
  • Link to the business’s online privacy policy
  • Links to opt-out of the sale of personal information

If a business collects consumers’ personal information online, it may provide a conspicuous link to the notice on the homepage. For mobile applications, provide a link to the notice on the download page. Bose uses a prominent website footer to link the CCPA notice at collection.

[Image: Website footer with CCPA links via Bose]

If a business collects consumers’ personal information offline, it may include the notice on printed forms or direct the consumers to the web address where the notice can be found.

Privacy Policy

Under CCPA, the privacy policy of a business should detail the collection, use, sharing, and sale of consumers’ personal information. CCPA requires privacy policies to inform consumers about their privacy rights and how to exercise them: the right to know, the right to delete, the right to opt out of sale and the right to non-discrimination.

The privacy policy should be available online through a conspicuous link on the business’s homepage or the download or landing page of a mobile application. Take a look at the CCPA-specific privacy policy of Allergan.

CCPA Compliant Privacy Policy

To get compliant with the CCPA, update your privacy policy and include the following details:

  • Description of consumer rights and how to exercise them
  • List of categories of personal information that your website collects
  • Details about the sale or disclosure of personal information in the last 12 months
  • Categories of third parties to whom information is sold or disclosed
  • Link to opt out of the sale of personal information
  • Instructions for submitting verifiable consumer requests
  • Links to online request forms or a portal for making the request, if any
  • The list of personal data categories, which must be updated every year
  • Details on how consumers can designate an authorized agent for requests
  • Contact information and the date on which the policy was last updated

Ensure that the CCPA requirements in the privacy policy are marked separately or made available in a CCPA-specific privacy policy. If you use a general privacy policy for all consumers, label the CCPA specifications clearly. Businesses that do not operate websites should make the privacy policy conspicuously available to consumers.

Take a look at the CCPA privacy policy of LiveRamp, which details how consumers can exercise their rights.

[Image: CCPA compliant privacy policy via LiveRamp]

Right to Opt-Out Notice

Consumers have the right to opt out of the sale of personal information under CCPA. The notice of right to opt-out informs consumers of their right to direct a business to stop selling their personal information, or to refrain from doing so in the future.

Businesses cannot sell a consumer’s personal information after the consumer opts out unless they later obtain affirmative authorization (opt-in). Businesses have to wait at least 12 months before asking a consumer to opt in to the sale of their personal information again.

Business websites should have a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the homepage. The same opt-out notice should also be made available on the download or landing page of a mobile application.

CCPA Compliant Opt-Out Notice

An opt-out notice should include the information given below, or should link to the section of the privacy policy that contains it:

  • Description of the consumer’s right to opt-out of the sale of their personal information
  • An online webform by which the consumer can submit their request to opt-out
  • Instructions for any other method by which the consumer may submit their request to opt-out
  • Information about any proof required when a consumer uses an authorized agent to exercise their right to opt-out
  • Link to the privacy policy

Special Regulation for Minors

If a business receives a request to opt in to the sale of personal information from a minor (13-16 years of age), it has to inform the minor, via a notice, of the right to opt out at a later date.

Businesses that have “actual knowledge” of selling personal information of minors should include a description of the opt-in and opt-out process in their privacy policy. 

Note that businesses that exclusively target minor consumers and do not sell personal information without their (or their parents’) affirmative authorization need not provide the notice of right to opt-out.

Notice of Financial Incentives

Businesses that operate a “financial incentives scheme” must provide a notice of financial incentives to consumers. The main purpose of this notice is to explain the terms of the financial incentive or price or service difference offered.

Under CCPA, businesses cannot discriminate against consumers who exercise their consumer rights. But there is a special provision in the CCPA that allows businesses to offer incentives to consumers in exchange for their personal information. The incentive must be based on the actual value that the business derives from the consumer’s data.

CCPA Compliant Notice of Financial Incentives

The CCPA notice of financial incentives should include:

  • A summary of your financial incentives, price, or service difference offered
  • A description of the terms of the scheme, including the categories of personal information involved
  • Instructions on how consumers can opt-in for financial incentives
  • Notification of consumers’ right to withdraw from the scheme and how to exercise it
  • An explanation of how the incentive is reasonably related to the value of the consumer’s data, including a “good faith” estimate of the value of the consumer’s personal information and a description of the method you used to calculate it

Businesses can include this notice as a section in their privacy policy and provide a link to that section. For instance, Frontier Airlines links its notice from its privacy policy.

Here’s another example of a notice of financial incentives from BevMo.

[Image: Notice of financial incentives via BevMo]

CCPA Updates on Notices

In March 2021, the California Attorney General’s office announced updated CCPA regulations. The updated regulations ban “dark patterns” that blindside consumers from opting out of the sale of their personal information. They also prohibit businesses from hindering consumers who want to opt out through confusing language or unnecessary steps.

The notable provisions in the CCPA amendments concerning CCPA notices are highlighted below.

Offline Opt-Out Notices

Businesses that collect personal information offline and sell such information offline have to implement specific methods to offer opt-out rights to those consumers. These include:

  • Notify the consumer on paper forms that are collecting the information
  • Post signage in the area where the personal information is collected
  • For information collected over the phone, inform the consumer of the opt-out right orally

New Opt-Out Icon

After years of back and forth regarding opt-out buttons or icons, the new amendments include an “opt-out icon”. Businesses can use it on their websites in addition to posting the notice of right to opt-out.

But note that businesses cannot use the opt-out icon instead of posting the opt-out notice or the “Do Not Sell My Personal Information” link required under the regulations.

[Image: The opt-out button suggested in the CCPA amendments]

The new opt-out icon can be found here. The icon is not a requirement; rather, it is “optional”, as the new regulations state.

Simple Methods to Opt-Out

The new amendments require that the process for submitting opt-out requests involve “minimal steps.” Businesses should not use confusing language such as double negatives. For example, an opt-out notice reading “Don’t Not Sell My Personal Information” is not allowed.

On clicking the opt-out link, the business should not lead the consumer to a confusing interface. For instance, the consumer should not have to search or scroll through the text of a privacy policy or webpage to locate the mechanism for submitting an opt-out request.

CookieYes for CCPA Compliance

CookieYes is a cookie consent solution for your website that helps you comply with data privacy laws like the GDPR and CCPA.

CookieYes will automatically scan your website for cookies and add them to your site’s list of cookies. You can automatically block 20+ third-party cookies until you obtain user consent.

[Image: CookieYes dashboard]

You can add a fully customizable cookie consent banner and make it available in 26 languages. With CookieYes, you can add your CCPA compliance notice to your cookie banner.

[Image: CookieYes CCPA banner]

Opting for a CCPA compliant banner adds a “Do Not Sell My Personal Information” link to the notice. By clicking on the link, consumers can opt out of third-party cookies that collect personal information through the website. You can add customizations such as a link to your privacy policy and more.
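To make the mechanism behind “block third-party cookies until consent” and the “Do Not Sell” link concrete, here is an added example in JavaScript. It is not CookieYes code and not part of the original post; it models a minimal consent gate in which every third-party tag stays blocked until its category is granted, tags classified as a “sale” are additionally blocked once the consumer opts out, and the 12-month waiting period before a business may ask the consumer to opt in again (described in the opt-out section above) is enforced. The tag catalogue, the state shape, the `sale` classification and the 365-day window are all assumptions made for this example.

```javascript
// Added example (not CookieYes code): a minimal consent gate for
// third-party tags. Default-deny: nothing loads before an explicit grant.

const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000; // assumed length of the re-ask window

// Constructed catalogue of third-party tags a site might embed.
// `sale: true` marks tags whose data sharing the site classifies as a
// sale of personal information (an assumed classification).
const TAG_CATALOGUE = [
  { id: "analytics-vendor", category: "analytics", sale: false },
  { id: "ad-network", category: "advertising", sale: true },
  { id: "data-broker-pixel", category: "advertising", sale: true },
];

// Fresh state: no category granted, so every tag is blocked by default.
function newConsentState(nowMs) {
  return { granted: {}, doNotSell: false, doNotSellAt: null, createdAt: nowMs };
}

// Record an affirmative grant for one category (e.g. from a banner click).
function grantCategory(state, category, nowMs) {
  return { ...state, granted: { ...state.granted, [category]: nowMs } };
}

// Record a "Do Not Sell My Personal Information" request. The timestamp is
// kept so the site can tell when it may next ask the consumer to opt in.
function recordDoNotSell(state, nowMs) {
  return { ...state, doNotSell: true, doNotSellAt: nowMs };
}

// A tag may load only if its category was granted AND, for tags that
// constitute a sale, the consumer has not opted out.
function isTagAllowed(state, tag) {
  const categoryGranted = Object.prototype.hasOwnProperty.call(state.granted, tag.category);
  if (!categoryGranted) return false;
  if (tag.sale && state.doNotSell) return false;
  return true;
}

// Split the catalogue into tag ids that may load now and ids that stay blocked.
function partitionTags(state, catalogue) {
  const allowed = [];
  const blocked = [];
  for (const tag of catalogue) {
    (isTagAllowed(state, tag) ? allowed : blocked).push(tag.id);
  }
  return { allowed, blocked };
}

// The post says a business must wait at least 12 months after an opt-out
// before asking the consumer to opt back in; this check enforces that window.
function mayAskToOptIn(state, nowMs) {
  if (!state.doNotSell) return true;
  return nowMs - state.doNotSellAt >= TWELVE_MONTHS_MS;
}

// Load the allowed tags through a caller-supplied loader. In a browser the
// loader would inject <script> elements; here it is just a callback.
function loadAllowedTags(state, catalogue, loader) {
  const { allowed, blocked } = partitionTags(state, catalogue);
  for (const id of allowed) loader(id);
  return { allowed, blocked };
}

// Walk-through with constructed timestamps; returns the observed values.
function demo() {
  const DAY_MS = 24 * 60 * 60 * 1000;
  const t0 = Date.UTC(2021, 0, 15); // constructed date
  let state = newConsentState(t0);
  const steps = [];
  steps.push(partitionTags(state, TAG_CATALOGUE).allowed.length); // nothing before consent
  state = grantCategory(state, "analytics", t0);
  state = grantCategory(state, "advertising", t0);
  steps.push(partitionTags(state, TAG_CATALOGUE).allowed.length); // all three tags
  state = recordDoNotSell(state, t0);
  steps.push(partitionTags(state, TAG_CATALOGUE).blocked.length); // the two "sale" tags
  steps.push(mayAskToOptIn(state, t0 + 200 * DAY_MS)); // still inside the window
  steps.push(mayAskToOptIn(state, t0 + 400 * DAY_MS)); // window has elapsed
  return steps;
}

console.log(JSON.stringify(demo()));
```

The design choice worth noting is that the opt-out and the category grant are separate facts: a “Do Not Sell” request does not revoke analytics consent, and granting a category never overrides an earlier opt-out. In a real deployment the state object would be persisted (for example in a first-party cookie or local storage) and the loader would be the only code path that ever inserts third-party scripts, so that nothing can run ahead of the consent check.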

CookieYes also features a free privacy policy generator. You can create a CCPA compliant privacy policy tailored to your business in a few clicks.

With CookieYes, you can comply with GDPR and CCPA at the same time. So, what are you waiting for? Start complying!

Frequently asked questions

What is CCPA?

The California Consumer Privacy Act of 2018 (CCPA) is the first state-wide legislation that regulates the sale, disclosure, and collection of the personal information of California consumers. It came into effect on January 1, 2020. It intends to give consumers more control over how their information is collected and sold.

CCPA applies to any for-profit business or organization that collects California consumers’ personal information, and meets one of the following thresholds:

  • $25 million or more in annual revenue,
  • processes personal information of 50,000 or more consumers, households, or devices or
  • earns more than 50% of its revenue from selling consumers’ personal information.

Under the law, California residents can request that companies show them what personal information they have collected about them, how it was used, and whether it was sold. They also have the option to opt out of this data collection or selling process.

What is CCPA compliance?

CCPA (California Consumer Privacy Act) is a law that aims to regulate the collection, sale, and distribution of personal information of California residents by business entities. Under this law, business entities have to inform their customers about the following:

  • What kind of personal information do you collect?
  • Why do you collect personal information?
  • How do you collect and process personal information?
  • What are the third-party sources with whom you share the personal information?
  • How can consumers access and delete their personal information?
  • How can consumers opt out of the sale of their personal information?

Do I need a CCPA notice?

Yes, if your business is for-profit, requires the personal information of California consumers, and meets all the criteria of CCPA. Your business will need to notify users when collecting their information and to inform them about their opt-out right.

What is a CCPA request?

Under the California Consumer Privacy Act (CCPA), some California residents may request access to personal information held by companies. The consumers can also request companies to delete that information.