Internet data privacy laws, including the new California Consumer Privacy Act (CCPA), have already become a hot topic of discussion among online entrepreneurs and marketers. CCPA is the first and most comprehensive law in the US to make an immense effort to protect the personal information of California residents. In this article, we will discuss a checklist for your business for CCPA compliance.

What is CCPA – An Outline

What is CCPA? The California Consumer Privacy Act (CCPA) is a data privacy law that came into existence to protect the personal information rights of California residents.

Enforcement — The legislation was signed by Gov. Kate Brown on June 28, 2018, and became effective on January 1, 2020.

Scope of the law — Any for-profit organization processing the personal information of California consumers falls under the scope of CCPA if they meet one or more of the following criteria:

  1. Gross annual income exceeding twenty-five million dollars ($25,000,000).
  2. Alone or in combination buys, sells, shares, or receives the personal information of at least 50,000 California consumers, households, or devices annually.
  3. An organization having 50% or more of the annual gross revenues from selling the personal information of California consumers.

Fines/penalties for violations — Range from $2500 for an unintentional violation to $7500 for any intentional violation.


Check out the similarities and differences between CCPA and the EU’s GDPR here.

Checklist for CCPA compliance

Here’s a checklist to help you prepare your business for CCPA compliance. It lets you determine whether your organization is subject to the CCPA and explains the major steps you need to take in order to comply with the law.

Determine whether the CCPA applies to your organization

CCPA applies to your organization if your business:

  • Falls under the “for-profit” category.
  • Operates in California or serves/targets California residents.
  • Matches any of the benchmarks mentioned below:
    • Earns more than twenty-five million dollars ($25,000,000) gross annual income.
    • Buys, sells, shares, or receives, alone or in combination, the personal information of at least 50,000 California consumers, households, or devices annually.
    • Makes 50% or more of the annual gross revenues from selling the personal information of the California consumers.

How to comply with the CCPA?

1. Understand what personal information needs to be protected
  • Any information that identifies, relates to, describes, and is capable of being associated with a particular consumer or household needs to be protected.

Refer to the California Civil Code Section 1798.140 (o) (1-2) of the CCPA for more details.

2. Create a Privacy Policy for your organization
If your business already has a Privacy Policy in place, here’s how to update it for CCPA compliance:

  • Draft your Privacy Policy document in plain language, so that your consumers can easily understand it.
  • Clearly describe what kind of personal information you collect, and how you use, store, and share it.
  • Explain what rights your consumers have over their personal data.
  • Add a “Do Not Sell My Personal Information” (DNSMPI) link to allow consumers to opt-out of the “sale” of their personal information.
  • Include your contact details.
  • Mention when it was last updated — Your Privacy Policy must be updated every 12 months.

Ensure you place the link to your Privacy Policy on your website in such a way that it is easily accessible.

3. Rights of the consumers

Under CCPA, the consumers will have the following rights over their personal information:

  • Right to access — Your consumers will have the right to access the personal information you have collected about them.
  • Right to portability — When consumers request their information, you must provide it in a portable, ready-to-use format, so that they can smoothly transmit their personal information to another entity.
  • Right to deletion — When consumers request data deletion, you are obliged to permanently delete all of their personal information stored within your organization.
  • Right to notice — You have to inform consumers about your organization’s data collection practices and their purposes before collecting any kind of personal information from them.
  • Right to opt-out — Consumers have the right to opt out of the “sale” of their personal information to third parties.
  • Right to non-discrimination — It’s important to be impartial to your consumers on pricing, service offerings, and so forth.

Therefore, make sure your business has:

    • A minimum of two specific methods (for example, an e-mail address and a toll-free number) to enable your consumers to submit their requests seamlessly.
    • An appropriate system to verify, validate, and respond to consumer requests without significant delays.
    • A legal team or your own attorney who has thorough knowledge about consumer rights and can guide you to help your consumers.

4. Consent requirements

    • Under CCPA, you must get opt-in consent for “selling” personal information of minors aged between 13 and 16 years.
    • And, if you want to “sell” the personal information of children under the age of 13, you must obtain parental consent.

5. Provide an opt-out mechanism

  • Include a quickly-accessible “Do Not Sell My Personal Information” link on your website to enable consumers to opt-out of the “sale” of their personal information.

Read up on opt-in and opt-out to get a deeper understanding of what they are and how you can implement them.

6. Inform consumers about your use of cookies

  • Though CCPA does not require you to obtain opt-in consent from your consumers before using cookies, you’re required to disclose what kind of cookies are being used by your business and how it processes consumer data.

7. Take necessary steps to control and prevent leakage of consumer data

The following are the important aspects to consider in the event of data breaches or any other data privacy threats:

  • If you suspect any of your consumers have fallen victim to online data privacy breaches, you must notify them as soon as possible.
  • If you are required to notify more than 500 California residents, you must submit a single sample notification copy to California’s Attorney General.
  • Your business must have an efficient breach management procedure to protect your consumers from potential data breaches.
  • Build an appropriate incident response plan that specifies how your organization responds to potential data privacy threats.

CookieYes for CCPA compliance

CookieYes is a SaaS application that lets your website collect user consent to store cookies and manage that consent. It offers a simple setup for adding a cookie consent notice to your website, where you can provide information about the cookies and their purpose and give users an option to opt out of cookies that sell personal information.

If you select CCPA, it will add a “Do Not Sell My Personal Information” link on the consent notice.

If you select the cookies that sell personal information of the users, clicking on the DNSMPI link will block these cookies.

You can also set the banner to display only to visitors from California or the US.

CookieYes also offers cookie script blocking, automatic cookie scan for websites, visitor cookie consent log, privacy policy generator, and auto-translation of consent notice, among other features.



If you target California residents for your online sales and have not yet taken any serious steps towards complying with the CCPA, get on it right away! The above checklist specifies the important factors that help your business achieve CCPA compliance. Adhering to online data privacy laws will not only keep your business away from the alleged non-compliance/security risks but also help build trust and loyalty with your consumers.

This article is intended to be used for informational purposes only and does not constitute any form of legal advice. We recommend you seek a subject matter expert or your own attorney for any legal advice on making your business fully compliant with the CCPA.