The CCPA or the California Consumer Privacy Act is a comprehensive state-level privacy act passed by the California State Legislature and signed into law in 2018. The Act provides California residents rights over their personal data and regulates how businesses can process it.
The CCPA came into effect on January 1, 2020, and in July 2020 the California Attorney General (AG) began enforcing the Act. California is the first state in the US to implement a data protection and privacy law of this kind. This blog takes a detailed look at what the CCPA is, how it affects websites, and how you can comply with it.
What are the takeaways from one year of CCPA?
In July 2021, the Office of the Attorney General (OAG) published the first CCPA enforcement update, together with a list of 27 example cases in which it had sent notices of non-compliance. Of the 27 examples, 13 companies received notices about allegedly non-compliant privacy policies, and 8 were for a missing or non-compliant “Do Not Sell My Personal Information” mechanism.
The examples show that the OAG has sent notices to businesses across the marketing, technology, and retail sectors. As the law moves into its second year, enforcement can be expected to get stricter. The best way to mitigate that risk is to understand how the CCPA affects your business and to adopt compliance practices.
Who has to comply with CCPA?
The CCPA applies to all for-profit organizations that conduct business in California, collect consumers’ personal information, and meet any of the following requirements:
- Has gross annual revenue of $25 million or more
- Buys, receives, or sells personal data from more than 50,000 California consumers, households, or devices
- Earns 50% or more of its annual revenue from the sale of personal data
The law also applies to any entity that either:
- Controls or is controlled by a covered business or
- Shares common branding with a covered business, such as a shared name, service mark, or trademark.
What is personal information in CCPA?
The CCPA defines personal information as any information that:
“identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The Act takes a broad approach to defining personal information (PI) and specifies several categories of data that constitute PI, including but not limited to:
- Identifiers such as a real name, alias, postal address, email address, social security number, driver’s license number, passport number, online identifiers, IP addresses and other similar identifiers
- Electronic network activity information, including browsing history, search history, and any information regarding a consumer’s interaction with a website, app or advertisement
- Geolocation data, audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Characteristics of protected classifications under California or federal law, such as race, ancestry, national origin, religion, age, mental and physical disability, sex, sexual orientation, gender identity, medical condition, genetic information, marital status, or military status
While the definition of PI is broad, CCPA has several exemptions such as “publicly available” information that is lawfully made available from federal, state, or local government records and pseudonymized or de-identified information that cannot be reasonably linked to an individual.
What are the key definitions of CCPA?
Service provider: Any organization that processes personal information on behalf of a business for a business purpose pursuant to a written contract is a service provider. They are prohibited from retaining, using, or disclosing personal information for any other purpose.
Sale: Sell, selling or sale is broadly defined in the CCPA and it means the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information by a business to another business or a third party for monetary or other valuable consideration.
Third-party: The CCPA defines third parties in the negative. Any entity that is neither the business that collected personal information from the consumer nor a service provider pursuant to the contract is a third party.
Does CCPA apply to businesses outside California?
The CCPA’s territorial scope covers organizations “doing business in California”. While the CCPA does not explicitly define the term, other federal laws applied in the state interpret doing business as engaging in transactions for the purpose of monetary gain. Thus, businesses outside California that collect, sell or disclose the personal information of California residents can fall within the scope of the CCPA. If you have customers in California, you are subject to CCPA compliance.
What are the consumer rights provided by the CCPA?
The CCPA grants California consumers the following rights regarding the use and sale of their personal data.
The right to access information
Consumers have the right to request that a business disclose the categories of personal information it has collected or sold, the specific pieces of information collected, the business purposes for collecting it, the sources from which it was collected, and the third parties with whom the information is shared.
The right to delete information
Consumers have the right to request that a business delete the personal information it has collected about them. Businesses that receive verifiable consumer requests are required to delete the consumer’s personal information from their records and to direct any service providers to do the same.
The right to opt-out
Consumers have the right to direct a business to not sell their personal information to third parties. Businesses also cannot sell the personal information of consumers under 16 years of age unless the consumer or their parent/guardian consents to it or opts in.
The right to non-discrimination
Consumers have the right not to be discriminated against for exercising their CCPA consumer rights. Discrimination may include practices like denying goods or services, charging different prices, or providing a different level or quality of goods or services.
How to comply with CCPA?
Conduct data assessment
Conduct a thorough data inventory and review your organization’s data collection practices. Analyze all collected data and create auditable records of where the data is located and stored. Here are some specific questions you need to take into account.
- What is the personal information you’re collecting?
- What is the purpose of the information you are collecting?
- Is the information used only for the purpose it was intended for?
- Where is the information stored?
- Do you collect any sensitive information?
- How does personal information flow through your network?
- Is the information being shared with any third parties and why?
After mapping all the data, conduct a risk assessment to determine where data practices fit within the legal framework for CCPA. Depending on the types of data your organization has acquired, you may have to take steps like organizing, deleting, or anonymizing personal information. If your business works with third parties or vendors, ensure that there are contracts in place to establish their liability for any failures to comply with CCPA.
Review your security measures
CCPA does not specify what security measures need to be implemented to protect personal information, but the Act specifies that penalties can be applied for a “violation of the duty to implement and maintain reasonable security procedures and practices.”
In 2016, the California Office of the Attorney General published a Data Breach Report that listed safeguards constituting “reasonable security” practices, emphasizing a set of 20 data security controls published by the Center for Internet Security as the universal baseline for any information security program. These controls can therefore serve as a guide to the CCPA’s data security requirements.
Display a ‘Do Not Sell My Personal Information’ link
The CCPA’s right to opt-out applies where a business sells personal information relating to Californian consumers.
- The Act requires businesses to provide a conspicuous “Do Not Sell My Personal Information” (DNSMPI) link on the website’s homepage or in the mobile application, or on any webpage where personal information is collected.
- Place the DNSMPI link in your website’s footer and point it to a dedicated page where consumers can opt out of the sale of their personal information.
- Your business is required to stop selling a consumer’s personal information once they opt out, unless the consumer later provides explicit consent to the sale.
- You must not ask a consumer for permission to sell their personal information again until 12 months after they opt out.
- Provide two or more methods for consumers to opt out. These can include a toll-free telephone number or a designated email address.
Opt-in consent for minors
The CCPA has special “opt-in” requirements for children. Businesses can only sell the personal information of minors between the ages of 13 and 16 with the child’s consent, and can only sell the personal information of children under 13 with the consent of a parent or guardian. If you collect any children’s personal information, ensure that you only sell it after obtaining the required consent.
Add a cookie notice
CCPA requires businesses to give consumers a notice at collection, at or before collecting their personal information. As personal information can include online identifiers like IP addresses, cookies and trackers, you can present the notice at collection as a banner or via a conspicuous link that appears when a visitor first arrives at your website.
While the CCPA does not require opt-in consent, if you share personal information with third parties for tracking, analytics or cross-site behavioural advertising, you have to enable users to opt out. This can be achieved via a cookie notice that blocks third-party cookie scripts from being set on a user’s device.
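As an added illustration (not code from the original post or from any vendor mentioned here), the snippet below combines the two mechanisms described above: it records a “Do Not Sell” opt-out, enforces the 12-month restriction on asking again, and only injects third-party tracking scripts while no opt-out is on record. The storage key, the `store` object (standing in for `localStorage`) and the `inject` callback are hypothetical names chosen for this example.

```javascript
// Added example: minimal CCPA opt-out state for a website (not from the original post).
// `store` is any key/value object (e.g. window.localStorage); `inject` is a callback
// that appends a <script> tag for a URL. Both are assumptions of this example.

const OPT_OUT_KEY = "ccpa_do_not_sell";             // hypothetical storage key
const REASK_WINDOW_MS = 365 * 24 * 60 * 60 * 1000;  // 12 months, per the Act

// Consumer clicked the DNSMPI link: record the opt-out and when it happened.
function recordOptOut(store, now = Date.now()) {
  store[OPT_OUT_KEY] = JSON.stringify({ optedOut: true, at: now });
}

// Consumer later gives explicit consent to the sale: clear the opt-out.
function recordOptIn(store, now = Date.now()) {
  store[OPT_OUT_KEY] = JSON.stringify({ optedOut: false, at: now });
}

// Read the stored preference; tolerate missing or corrupted values.
function readPreference(store) {
  try {
    return JSON.parse(store[OPT_OUT_KEY] || "null");
  } catch (e) {
    return null;
  }
}

// Sale (and therefore third-party sharing) is allowed only without an opt-out on record.
function saleAllowed(store) {
  const pref = readPreference(store);
  return !(pref && pref.optedOut === true);
}

// The business may not ask for permission to sell again for 12 months after an opt-out.
function mayAskToSell(store, now = Date.now()) {
  const pref = readPreference(store);
  if (!pref || pref.optedOut !== true) return true;
  return now - pref.at >= REASK_WINDOW_MS;
}

// Gate third-party scripts on the preference. Returns the URLs actually injected.
function loadThirdPartyScripts(store, urls, inject) {
  if (!saleAllowed(store)) return [];
  for (const url of urls) inject(url);
  return urls.slice();
}
```

In a browser, `inject` would create a `<script src=...>` element and append it to the document; the functions above are kept DOM-free so the logic can be unit-tested.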
CCPA compliance with CookieYes CMP
CookieYes is a cookie consent solution that is tailored to help your website comply with the CCPA. You can display a custom cookie banner or a ‘Do not sell’ opt-out notice on your homepage as per your website’s design.
- Categories of personal information the company collected in the last 12 months
- The commercial purposes for which such personal information will be used
- The sources from where the information is collected
- The categories of personal information that you have shared with third parties
- An explanation of a consumer’s rights under the CCPA
Provide consumer request forms
CCPA gives individuals the right to request information about the way companies handle their personal information. Consumers can make this request via email, an online form, toll-free number or any method designated by the business. The easiest way is to add a form to your website.
Request forms should enable consumers to exercise their right to access their personal information. The business then needs to verify the requestor’s identity and existence within their database and respond “without undue delay” and within 45 days to follow the compliance guidelines of CCPA.
Businesses must also inform the consumer if they take no action on a request. They should provide the information free of charge unless the request is excessive. As with the right to opt out, provide consumers with alternative methods to request access to their information.
CCPA compliance checklist
Here’s a quick recap of all the things you need to do to fulfil CCPA requirements.
- Conduct data assessment of your collection practices
- Review security measures and improve technical safeguards
- Display ‘Do not sell’ link and a dedicated page on your website
- Give users multiple methods to opt-out of sale
- Provide consumer request forms to exercise their CCPA rights
What is the penalty for CCPA violation?
Under the CCPA, businesses will be notified of any alleged violations and will have 30 days to cure the non-compliance. If a business fails to do so, it may be subject to a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation.
The CCPA also provides for a private right of action for damages resulting from a data breach involving certain defined types of personal information. Consumers can recover statutory damages of between $100 and $750 per incident, or their actual damages, whichever is greater.
Consumers who are seeking only statutory damages must provide a defendant business 30-day written notice of the alleged CCPA violation. If the business “cures” the alleged violation within 30 days, then the consumer may not sue. However, if consumers are seeking to recover actual damages (monetary loss as a result of a breach) they can proceed to file without any written notice.
What is the new Consumer Privacy Rights Act (CPRA)?
In November 2020, California voters passed Proposition 24—the California Privacy Rights Act (CPRA). It amends and strengthens the CCPA and moves California’s privacy laws toward GDPR standards, including the creation of a data protection authority, the California Privacy Protection Agency (CPPA).
The CPRA also strengthens the focus on businesses involved in internet advertising, automated decision-making technologies, and the collection and use of sensitive personal information or children’s data.
The CPRA is set to go into effect on January 1, 2023. However, it has a 12-month “look-back” provision, i.e. it will apply to personal information collected on or after January 1, 2022. This means businesses should be substantially in compliance with the CPRA by January 1, 2022.
You can read this guide to Consumer Privacy Rights Act.
FAQ on CCPA
Who enforces the CCPA?
The California Office of the Attorney General, part of the California Department of Justice, enforces the CCPA and has the power to issue fines for non-compliance.
What data is exempt from CCPA?
The CCPA’s exemptions include personal information that is collected and used “wholly outside” of California; employee information (collected from employees, job applicants, owners, directors, officers, medical staff, members or contractors of a business); personal information collected about B2B contacts; information related to certain warranties and recalls; and information subject to other state and federal laws. The CPRA extends the current CCPA exemptions for employment and business-to-business data until January 1, 2023.
Does CPRA replace CCPA?
The CPRA significantly expands the requirements of the CCPA and adds new provisions, such as the creation of a new Privacy Protection Agency in California to enforce the state’s privacy laws. However, it is unclear whether the law will continue to be known as the CCPA or will instead be known as the CPRA once it takes effect on January 1, 2023.
Is GDPR compliance enough for CCPA compliance?
No, but GDPR compliance gives you a considerable advantage for CCPA compliance, since at their core both regulations are designed to protect individuals’ personal data and give them rights over that data.
Focusing on their key differences can help you take the steps needed to comply with both. Check out this GDPR vs CCPA blog for details.
Steps like implementing a cookie notice that can be geo-targeted based on the visitor’s browser location can help you comply with both the GDPR and the CCPA at the same time. Tools like CookieYes can help you achieve compliance with multiple privacy laws at once.