CCPA, California’s data privacy law, seeks to empower Californians with rights over their personal information. It regulates data collection, recommends privacy practices, honors privacy rights, and implements security safeguards to protect consumer data. With the latest amendments and constant monitoring, CCPA continues to be a leader in the privacy legal landscape. Let us explore the key CCPA requirements for privacy compliance.
What is the California Consumer Privacy Act (CCPA)?
The Californian privacy law was signed into law in 2018 and was amended by the California Privacy Rights Act (CPRA) in 2020. It applies to for-profit entities that meet any of the following thresholds:
- Annual gross revenue greater than $25 million
- Buy, sell or share the personal information of 100,000 or more consumers/households annually
- Derives 50% or more of its annual revenue from selling/sharing personal information
The law mostly focuses on empowering California residents with rights over their personal information. All covered businesses must comply with the CCPA regulations and respect consumers’ privacy rights.
The following are the CCPA rights:
- Know about the personal data the business collects and how they use or share them
- Correct any inaccurate information in their personal data
- Delete their personal information handled by a business
- Opt out of sharing/selling their personal information
- Limit the sharing/disclosure of sensitive personal information
- Right to not be discriminated against others for exercising consumer rights
The CCPA also requires businesses to be transparent about their data processing activities and consumer rights, provide consumer request mechanisms, respond to such requests and more.
The prescribed fines for CCPA violations range between $2500 and $7500 per violation. Intentional violations are more prone to heavy fines than unintentional ones. The California Attorney General and the California Privacy Protection Agency (CPPA) enforce the law. It also grants a limited private right of action to consumers.
What is personal information?
Personal information is any information capable of identifying a consumer/household and includes but is not limited to:
- Real name or alias name
- Postal address
- Unique identifiers
- IP addresses
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional/employment-related information
- Passport number
- Social security number
- Geolocation data
What is sensitive information?
Sensitive personal information is prone to cause serious consequences if compromised and includes the following.
- Racial/ethnic origin
- Citizenship or immigration status
- Religious or philosophical beliefs
- Union membership
- State identification card, driver’s license number, passport and social security numbers
- Account login, financial account, debit card/credit card number with access codes, or passwords
- Precise geo-location
- Genetic data
- Mail/text message from consumers if the business is not the intended recipient
- Biometric information used for unique identification
- Health information
- Sexual life or sexual orientation
Types of obligations for businesses under CCPA
Below are the types of obligations that CCPA requires businesses to comply with.
Transparency obligations
The California Consumer Privacy Rights Act emphasises informing consumers about how and why businesses will use their personal data and what actions they can take.
The following are the important privacy documents/disclosures under CCPA:
- Privacy policy: It Informs consumers about the organisation’s data practices regarding collecting, using, and storing personal data. This policy also includes consumer rights and how to exercise them.
- Notice at collection: It is given at or before the collection of personal data to inform the consumers of the categories of data collected and the purposes for which they will be used.
- Notice of right to opt out: Provides information about a consumer’s right to direct businesses to not sell/share their personal data. This is not necessary if you do not sell/share personal data.
- Notice of right to limit: Informs consumers of their right to limit the use or disclosure of sensitive data. You can skip this notice if you do not use consumers’ sensitive data.
- Notice of financial incentive: It explains the terms of a financial incentive program run by the company and allows consumers to decide on whether to join the program.
Consent obligations
CCPA has a distinct approach from GDPR towards consent and follows an opt-out model. This means you can collect consumer data without obtaining consent unless consumers exercise their right to opt-out or limit.
However, consent is necessary under these circumstances:
- To sell/share the personal information of consumers between the age of 13-16 or under 13:
- Obtain consent directly from consumers between 13 and 16
- Obtain consent from parent/ guardian for children below 13
- To sell/share the personal information of consumers who formerly opted out of it.
In addition to the above consent requirements, you must also provide opt-out mechanisms:
- Opt out of sale/ share of personal data: Provide a link to stop controllers from selling/sharing consumers’ personal data.
- Limit the use of sensitive data: This link allows consumers to restrict the controllers from using or disclosing their sensitive personal data.
Consumer request obligations
CCPA stresses the importance of recognising and fulfilling consumer requests promptly. Provide convenient ways to submit requests. It can be a toll-free number, an active email address, or a web form. Always verify the requests. For example, by asking the consumer who submitted a deletion request to confirm it by clicking on a link on their email or by re-entering passwords.
Contractual obligations
This is another type of CCPA obligation where businesses must enter into a contractual agreement with service providers and third parties. Such a contract must define the rights and obligations of each party, the nature and purpose of processing, and other aspects of the processing activities.
The 7 crucial CCPA rules and requirements businesses must follow
Below are the 7 CCPA requirements to be included in your handbook to effectively comply with the law.
Data minimisation and purpose limitation
Unlike before, businesses must be mindful of the personal data they collect and process.
CCPA imposes minimisation requirements where businesses have to limit the collection of personal data to what is necessary for the specific purpose for which it was collected. Moreover, you cannot process personal data for any purpose other than what was disclosed to the consumer or exceeds consumer expectations.
To illustrate some examples, a headphone user will not expect it to monitor and record all their conversations or a flashlight application to track user location.
Disclosures and communications
This is one of the top CCPA obligations that you must comply with. The disclosures such as privacy policy and notice at collection should be easily understandable and conspicuously provided.
Here are some more transparency requirements:
- Ensure that they are readable even on smaller screens
- Review and update your policies regularly
- Make available the information in all the languages used to communicate with consumers to guarantee that all of them can comprehend the content of the disclosure.
- Meet the accessibility standards to ensure they are accessible to persons with disabilities.
- Websites must provide the CCPA links such as the link to privacy policy or opt-outs conspicuously in a similar way as other links on their home pages.
- For mobile applications, hyperlink the privacy policy on the platform page, download page or settings menu.
What must your disclosures contain?
Privacy policy/ Privacy notice
- Categories of personal information collected in the previous year and its sources
- The specific purpose of collecting personal information
- Categories of personal information sold, shared or disclosed in the previous year
- Categories of third parties to whom the information was sold/shared/disclosed
- Purpose of the sale/share/disclosure of personal information
- Whether you sell/share the personal information of children below 16 years of age
- Whether you use sensitive information of consumers
- An explanation of consumer rights and how they exercise them
- Links to consumer request mechanisms like an online portal or a form
- Links to the opt-out notices under CCPA
- Description of the request verification process
- Description of how a global opt-out signal can be implemented and how it will be processed
- Description of the opt-in process for minors under 16 years
- Contact information of the business
- Date of the last privacy policy update
Do it right with CookieYes
Create a CCPA privacy policy with our privacy policy generatorGenerate for free
Saves time and effort
Notice at collection
- Categories of personal data to be collected including categories of sensitive data
- The purposes for which they will be collected
- Whether each category of personal data or sensitive data will be shared/sold
- Data retention period
- CCPA Opt-out links
- Link to privacy policy
Notice of Right to opt-out
- Description of a consumer’s right to opt out of the sale or share of personal information
- Instructions on how to opt-out and the interactive form for submitting the opt-out request
Notice of right to limit sensitive data processing
- Description of consumers’ right to limit the use of sensitive data
- Instructions on how to exercise the right to limit and the interactive form by which they can submit the request
Opt-in and opt-out
CCPA mainly focuses on an opt-out model. Therefore, you can continue processing personal data until a consumer opts out of it. To comply with the law, you must provide opt-out banners and links where consumers can decide whether to stop you from selling or sharing their personal data. Below are some major opt-out requirements.
- Place a “Do not sell my personal information” and “Limit the use of my sensitive data” link conspicuously on your website.
- You may also provide an alternate link for both of the above requirements under the title “Your Privacy Choices” or “Your California Privacy Choices”.
- These links can either effectuate the opt-outs instantly or take the consumer to a webpage where they can learn more about it and make an informed choice.
Obtain opt-in consent before processing the personal data of children under 16 years of age. Also ensure to not sell or share personal data if a person opts out, unless they further opt-in.
You must also implement measures to geo-target users from California to deploy consent messages/banners, recognise universal opt-out signals and record user consent preferences. Complying with these requirements can be a hassle for many. In that case, you can automate the process by using Consent Management Platforms like CookieYes.
Automate your consent management
Just 3 simple stepsSign up for a free trial
14-day free trialCancel anytime
In the US, around 19% of businesses automated their CCPA compliance between 2022 and 2023. The shares may have risen further in 2024.
Respond to consumer requests
Along with providing easy methods to exercise consumer rights such as to correct and delete, you must also respond to them without delay.
Confirm the receipt of the request within 10 days and fulfil it in 45 days. If necessary, you may extend the time to another 45 days after notifying the consumer of the extension.
Contractual relationship
If you share, sell or disclose personal information collected from consumers, CCPA requires you to have an agreement with those third parties or service providers involved in the data processing. Such an agreement must determine at least the following:
- The rights and obligations of each party
- Specify that the personal information will only be shared for specific and limited purposes
- Require third parties to notify you if they can no longer meet the privacy requirements
- Require third parties to take reasonable steps to stop and resolve any unauthorised access
Security measures
Enhance your security and privacy protocols, conduct regular cybersecurity checks, and implement reasonable security measures at technical, organisational, and physical levels. This means encryption, activating two-factor authentications, and timely backups.
Also, conduct impact assessments assess risks and determine risk mitigation measures. You may also train your employees to keep up with privacy standards, handling requests and responding to data breaches.
Data auditing
Keep a well-organised tracking system for the data you collect and streamline the data processing activities. This will help you channel the steps to ensure all the above CCPA requirements.
Identify the categories of data collected, the purpose of collection, and how long they will be in your system. Conduct internal audits and determine whether the processing complies with the CCPA requirements. You may consider the following while conducting data mapping activities:
- Determine the sources of personal data and categorise the data collected such as names, email addresses, etc.
- Document the data flow within your organisation
- Create data flow diagrams
- Review and update the internal documents
- Determine the level of security required for each category and implement measures accordingly
FAQ on CCPA requirements
Though both are privacy regulations, there are notable differences between GDPR and CCPA.
The General Data Protection Regulation (GDPR) applies to the European Union whereas the California Consumer Privacy Act (CCPA) is a Californian law.
GDPR requires businesses to have a legal basis for data processing, one among which is consent. However, CCPA allows the collection of personal data without prior consent but consumers can opt out of the sale of personal data or limit the use of sensitive data.
Non-compliance penalties for GDPR range between 10M EUR to 20 Million EUR or 2 to 4 per cent of the global annual revenue. CCPA has no upper limit and the fines can be between $2500 to $7500 per violation.
Yes. If your business offers products or services to Californians, you must be CCPA-compliant regardless of the location of your business.