CCPA Compliance Software to Secure Your Business
Implement all your CCPA compliance requirements under one roof. Display opt-out notice, ‘Do not sell’ link and generate privacy disclosures.
The #1 cookie consent solution, trusted by 1.5 Million+ websites
What is CCPA?
The California Consumer Privacy Act (CCPA) is data privacy legislation that applies to businesses that process the personal data of California residents. Effective January 1, 2020, CCPA provides individuals control over the personal data that businesses collect about them.
From January 01, 2023, the California Privacy Rights Act (CPRA) amends the existing CCPA.
Who does CCPA
apply to?
The CCPA applies to for-profit businesses that collect, share, or sell the personal information of California residents and fit any of the criteria.
$25M
Has annual gross revenues over $25 million
50K
Process personal information of 50,000 or more consumers, households, or devices
50%
Earns more than 50% of annual revenue from the sale of personal information
CCPA Compliance Checklist for Websites
Display CCPA opt-out notice to respect the user’s right to opt-out
Add a clear and conspicuous “Do Not Sell My Personal Information” link
Include an up-to-date and accessible privacy policy and cookie policy
Comply with CCPA using CookieYes
compliance software
Implement ‘Do not sell’ opt-out notice
The CCPA requires businesses to respect the consumer’s right to opt-out of the sale of their personal information to third parties. This includes data collected through cookies. With CookieYes you can
Comply with GDPR and CCPA regulations
If your website has visitors from both US and the EU, then it is important to comply with both laws. Businesses are required to display an opt-out notice for CCPA and a cookie consent banner for GDPR. With CookieYes, you can
Add a privacy policy
Under CCPA, businesses should include an up-to-date privacy policy on their website. It should describe what personal information is collected, the data processors, the purpose of collection and description of consumer rights. With our privacy policy generator, you can
Create a cookie policy
Under the CCPA, businesses must include a disclosure about their use of cookies in their policies. It can either be included within the privacy policy or added as a separate disclosure. With our cookie policy generator, you can
Comply with CCPA and ever-evolving privacy laws in the US
What are consumer rights under CCPA?
Right to notice
The right to know about the personal information a business collects about them and how it is used and shared.
Right to deletion
The right to delete personal information that a business has collected from them.
Right to opt-out
The right to opt-out of the sale of their personal information by a business.
Right to non-discrimination
The right to not be discriminated against for exercising their consumer rights under CCPA.
What are the penalties for non-compliance with the CCPA?
Businesses can get civil penalties of up to $7500 for each intentional violation while each unintentional can amount to a fine of up to $2500. Businesses will have a 30-day cure period to rectify violations before the California Attorney General takes action.
CCPA provides a private right of action to consumers under limited circumstances if they suffer a data breach due to negligence from a business. Consumers can sue for the amount equal to the monetary damages they actually suffered from the breach or “statutory damages” of up to $750 per incident.
FAQ on CCPA Compliance
The California Consumer Privacy Act (CCPA) is a state-wide privacy regulation enacted in 2018. CCPA compliance applies to any for-profit entity doing business in California that collects, shares, or sells the personal information of California residents.
To be CCPA compliant, companies are required to meet certain standards for data collection and processing of any personal data that can be linked, associated, or related to Californians.
Help guide: How to use CookieYes for CCPA Compliance
No, the California Privacy Rights Act (CPRA) does not replace the CCPA but amends it. The CPRA is an expansion of the CCPA, as it modifies existing provisions and introduces additional requirements for businesses operating in California. The CPRA came into effect on January 1, 2023.
Read more: Complete Guide to CPRA
Under CCPA, personal information is any information relating to an identified or identifiable individual. It is any data that can directly or indirectly lead to the identification of a specific consumer or household. CCPA maintains a broad definition of personal information but excludes de-identified/anonymized information from it.
Personal information can be identifiers such as name, identification number, IP addresses, biometric information or characteristics such as race, ancestry, religion, age, sex, sexual orientation, gender, medical condition etc.
Cookies and similar tracking technologies are classified as unique identifiers and can be considered personal information under CCPA. A unique identifier could directly or indirectly identify an individual consumer, family, or device over time and across services.
These identifiers can include IP addresses, cookies, beacons, pixel tags, mobile ad identifiers, customer numbers, unique pseudonyms, user aliases, and telephone numbers.
CCPA requires that users be able to opt out of the sale of personal information. This means the website should give users the choice to opt out of the use of cookies that are not strictly necessary, especially third-party cookies such as tracking cookies used for advertising.
CCPA requires businesses to disclose how they collect, use and retain personal information about California residents. Businesses are therefore required to maintain a CCPA-specific privacy policy that is available to the consumers.
A CCPA privacy policy should disclose what personal information is being collected about consumers, how it is being used, and with whom it is being shared. It should also detail the consumer’s rights as per CCPA and how they can exercise these rights.
CCPA applies to all for-profit organizations that process the information of California residents to offer goods or services. The law does not require the business to have a physical presence in California. In short, any business that deals with the personal data of California residents have to be CCPA compliant.
The CCPA law provides consumers with the right to opt out, i.e. the right to ask a business to stop selling their personal information. A CCPA-compliant opt-out mechanism should be accessible and transparent and should not require consumers to search or scroll through a privacy policy or similar document to perform an opt-out request.
Under the CCPA, the sale of personal information occurs when a business transfers the consumers’ information to another business or third party for financial gain. The definition includes any disclosure that involves the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means”.
The GDPR and CCPA/CPRA are two comprehensive data privacy regulations that aim to protect individuals’ data and impose regulations on how businesses process user data. While the two regulations have similar goals, they have different scopes and requirements.
GDPR is a data protection law that applies to all organizations that collect, use, or share personal data of individuals in the European Union. CCPA/CPRA, on the other hand, is a California state law that applies to for-profit companies that meet specific requirements and collect personal data of California residents.
No, the CCPA (California Consumer Privacy Act) and its amendment, the California Privacy Rights Act (CPRA) can be applicable outside California. While CCPA/CPRA is a state-level legislation in California, it has extraterritorial reach and can apply to businesses outside of the state that ‘do business’ in California (i.e. cater to California consumers) and meet the applicability thresholds.
CCPA/CPRA imposes certain obligations on businesses that are considered “covered entities”. Some of the key CPRA/CCPA guidelines are:
CCPA notice requirements: Businesses must inform consumers at or before the point of collection about the categories of personal information to be collected and the purposes for which the information will be used.
Privacy policy: Maintain a comprehensive privacy policy that discloses the categories of personal information you collect, the purposes for which it will be used, and whether it will be sold or shared with third parties.
Right to opt out: If you sell/share personal information, you must provide a clear and conspicuous “Do Not Sell/Share My Personal Information” link on their website and respect consumer opt-out requests.
Consumer rights: CCPA/CPRA provides more consumer rights such as the right to know, request deletion, the right to correct data, and protection against discrimination for exercising these rights. Businesses are required to inform consumers of their rights under the CCPA/CPRA and how to exercise them.
Limitation on sensitive personal information: The CCPA/CPRA requires businesses to restrict the use of sensitive personal information. Businesses must provide an additional notice specifying the categories of sensitive information collected and the purposes for which it will be used.
CCPA compliance involves your organization’s responsibilities and obligations outlined in the CCPA. Some key requirements for CCPA/CPRA compliance include:
- Conduct data mapping to identify and review all personal information being collected or processed.
- Review third-party vendor contracts to ensure continued compliance.
- Update your privacy policy to reflect CCPA/CPRA requirements.
- Provide notice to consumers about what personal information is collected and for what purposes.
- Implement a method for consumers to exercise their right to opt out of the sale or sharing of their personal information.
- Accept universal opt-out signals such as Global Privacy Control.
- Fulfil consumer requests to access, delete, or correct their personal information.
- Implement reasonable security measures to protect personal information.
- Train employees on privacy policies and procedures.
Applicability: GDPR applies to any organization (regardless of whether it’s for-profit or non-profit) that processes the personal data of individuals in the European Union, regardless of their citizenship. On the other hand, CCPA/CPRA applies to for-profit organizations collecting personal data about California residents.
Data covered: GDPR has a broader scope in terms of the types of data covered and includes all personal data, while CCPA/CPRA focuses on personal information that is not publicly available. CCPA also does not apply to data that is already made available and exempts data covered under the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) etc.
Opt-in requirement: GDPR also requires users to opt-in for data processing and requires obtaining explicit and affirmative consent (opt-in) from individuals before processing their data. CCPA/CPRA does not have strict opt-in requirements. Instead, it requires businesses to provide consumers with the right to opt out of the sale/sharing of their data.
Here are some links you can refer to for additional reading:
Fast-track your CCPA compliance with CookieYes
Set up your CCPA opt-out notice in 3 simple steps and get compliant easily.