CCPA and CPRA Privacy Notices
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) do not explicitly require a cookie banner, but having a cookie banner can help you meet other requirements. Learn about CCPA and CPRA privacy notices here.
The California Consumer Privacy Act (CCPA) does not explicitly require a cookie banner, and neither does the California Privacy Rights Act (CPRA). However, if you do have a cookie banner, you can use it to meet other requirements quickly.
The CCPA requires businesses to provide privacy notices to customers. These notices have to be served to users as soon as they arrive on the website. There are various types of notifications, and you can serve any of them as a banner.
To better understand your legal responsibilities, you should learn:
- What are CCPA and CPRA, and do they apply to your business?
- What types of privacy notices are required?
- What information is required in each privacy notice?
- What are the consequences for non-compliant CCPA and CPRA privacy notices?
Update: California’s Attorney General published the revisions to CCPA’s proposed regulations on February 7, 2020.
Do CCPA and CPRA Apply to Your Business?
CCPA does not apply to every business. It only applies to for-profit companies that collect and process consumer personal information and conduct business in California, and only if the business meets at least one of the following criteria:
- Has annual gross revenue of more than $25 million
- Processes personal information of at least 50,000 Californians annually
- Earns at least 50% of its annual income from selling consumers’ personal information
CPRA raises the processing threshold from 50,000 Californians to 100,000 Californians, and changes the earning criterion from 50% of income derived from selling personal information to 50% of income derived from selling or sharing personal information.
If your business does not meet these requirements, the CCPA does not apply to you, and you are not required to provide privacy notices.
But if you do meet these requirements, keep reading.
See CCPA 2.0 Update: Latest Changes to the CPRA
CCPA/CPRA Privacy Notice v. GDPR Cookie Banner
Under California privacy laws, all that is required is a privacy notice. The notice's purpose is to inform users about data processing, data sales, or financial incentives offered in exchange for data. It does not request consent to use online trackers.
GDPR, on the other hand, requires businesses to obtain cookie consent. That’s why GDPR-compliant businesses need a GDPR-compliant cookie banner.
The CCPA/CPRA privacy notice provides information on data processing. It is not necessary to obtain consent before collecting data.
The GDPR cookie banner's goal is to inform users about the processing and collect consent for cookies.
What is a CCPA/CPRA Privacy Notice?
Because you process your users' personal information, California consumer privacy laws require you to be transparent with them about it. Privacy notices are the tool that businesses use to inform their customers about their privacy practices.
CCPA and CPRA both require three different types of privacy notices:
- Notice on collection
- Notice on the right to opt-out of the sales of personal information
- Notice on financial incentives
CCPA Notice on Collection Requirements
The CCPA notice on collection aims to inform consumers that you collect and process their data, what information you collect, how you process it, and why you do so. You have to provide them with the notice at the time of data collection or before. Because tracking technology starts collecting data as soon as a page loads, you need to show the notice on your website at the moment of arrival.
Only businesses that collect personal information are required to provide notice.
Some important rules to remember when it comes to the notice on collection:
- You can only collect the information specified in the notice for the purposes specified in the notice.
- If you want to use previously collected data for a purpose that was not previously listed in the privacy notice, you must obtain a consumer’s consent.
- If you are not collecting any personal information, there is no need to provide notice at the time of collection.
CCPA Notice to Opt-Out of the Sales of Personal Information Requirements
Not all businesses sell personal information. Those who do so must notify users and allow them to opt out of the sale of personal information.
You must provide this notice at the time of collection of consumers’ data. It must include:
- A description of the right to opt-out of the sales of personal information
- The interactive online form through which the consumer can submit the opt-out request, or an offline method for submitting a request if the company does not have a website
- Instructions for any other method of opting out, if available
The notice must also contain a “Do Not Sell My Personal Information” link. The notice of the consumer's right to opt-out should be placed on the web page to which they are directed after clicking such a link.
For personal information collected via a mobile app, the notice can be placed within the app, for example in its settings menu.
CCPA Notice on Financial Incentives Requirements
Businesses may provide financial incentives to customers in the form of discounts, coupons, loyalty programs, and so on. These financial incentive programs require the processing of personal information. If you process personal data for this purpose, you must provide consumers with a notice on financial incentives.
The purpose of the notice on financial incentives is to help consumers understand the tradeoff between providing their information and the financial incentive you offer in return.
This notice must also be served at the time of data collection. Businesses that operate online can include a separate section in their privacy policies dedicated to financial incentive programs to comply with this requirement.
Standard Rules for Privacy Notices
In addition to these requirements, all privacy notices must meet the following criteria:
- They have to be written in plain, straightforward language, free of technical jargon
- They have to be readable even on smaller screens
- The format of the notice has to draw the consumer’s attention
- They have to be written in the languages that the consumers understand (if the website is in English and Spanish, a notice in English and Spanish will suffice)
- They have to be accessible to people with disabilities (e.g., by following the Web Content Accessibility Guidelines)
Consequences for Non-Compliant Notices
Not showing notices or showing non-compliant notices is a violation of the law that can result in penalties.
The maximum penalty for CCPA or CPRA violations is $7,500 per violation per consumer. The fine can be reduced but not increased.
Furthermore, each affected consumer counts as a separate violation. If you fail to show the notice to 1,000 consumers, that is 1,000 violations; 1,000 violations multiplied by $7,500 equals $7,500,000. As a result, the fines can get quite hefty quickly.
Businesses, on the other hand, have 30 days under the CCPA to correct the violation. The CPRA does not allow a correction period.
How to Comply with Secure Privacy
Secure Privacy has created a CCPA-compliant privacy notice solution that is easy to integrate into websites that must follow the law. Our privacy notices will be compliant with the CPRA once it goes into effect. Check out Secure Privacy's Ultimate CCPA Guide.