CCPA and CPRA Privacy Notices
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) do not explicitly require a cookie banner, but having one can help you meet other requirements.
The CCPA does not explicitly require a cookie banner, and neither does the CPRA. However, if you do have a cookie banner, you can use it to meet several other requirements quickly.
The CCPA requires businesses to provide privacy notices to consumers. These notices have to be served to users as soon as they arrive on the website. There are several types of notices, and any of them can be served as a banner.
To better understand your legal responsibilities, you should learn:
- What are CCPA and CPRA, and do they apply to your business?
- What types of privacy notices are required?
- What information is required in each privacy notice?
- What are the consequences for non-compliant CCPA and CPRA privacy notices?
Update: California’s Attorney General published the revisions to CCPA’s proposed regulations on February 7, 2020.
Do CCPA and CPRA Apply to Your Business?
CCPA does not apply to every business. It only applies to for-profit companies that collect and process consumer personal information and do business in California, and only if the business meets at least one of the following criteria:
- Has annual gross revenue of more than $25 million
- Processes the personal information of at least 50,000 Californians annually
- Earns at least 50% of its annual income from selling consumers’ personal information
CPRA raises the processing criteria from 50,000 Californians to 100,000 Californians, and the earning criteria from 50% of the sales of personal information to 50% of the sales and sharing of personal information.
If your business does not meet these requirements, the CCPA does not apply to you, and you are not required to provide privacy notices.
But if you do meet these requirements, keep reading.
See CCPA 2.0 Update: Latest Changes to the CPRA
CCPA/CPRA Privacy Notice v. GDPR Cookie Banner
Under California privacy law, all that is required is a privacy notice. The notice's purpose is to inform users about data processing, data sales, or financial incentives offered in exchange for data. It does not request consent to use online trackers.
The CCPA/CPRA privacy notice provides information on data processing; obtaining consent before collecting data is not required.
The GDPR cookie banner, by contrast, both informs users about the processing and collects consent for cookies.
What is a CCPA/CPRA Privacy Notice?
Because you process your users' personal information, California consumer privacy laws require you to be transparent with them about it. Privacy notices are the tool that businesses use to inform their customers about their privacy practices.
Between them, the CCPA and CPRA require the following types of privacy notices:
- Notice on collection
- Notice on the right to opt-out of the sales or sharing of personal information
- Notice on the right to limit the use of sensitive personal information
- Notice on financial incentives
CCPA Notice on Collection Requirements
The CCPA notice on collection aims to inform consumers that you collect and process their data, how you process it, and why you do so. You have to provide the notice at or before the time of data collection. Because tracking technology starts collecting as soon as a page loads, you need to show the notice on your website at the moment of arrival.
Only businesses that collect personal information are required to provide notice.
Some important rules to remember when it comes to the notice on collection:
- You can only collect the information specified in the notice for the purposes specified in the notice.
- If you want to use previously collected data for a purpose that was not previously listed in the privacy notice, you must obtain a consumer’s consent.
- If you are not collecting any personal information, there is no need to provide notice at the time of collection.
CCPA Notice to Opt-Out of the Sales or Sharing of Personal Information Requirements
Not all businesses sell personal information. Those that do must notify users and allow them to opt out of the sale or sharing of their personal information.
You must provide this notice at the time of collection of consumers’ data. It must include:
- A description of the right to opt-out of the sales or sharing of personal information
- The interactive online form through which the consumer can submit the opt-out request, or an offline method for submitting a request if the company does not have a website
- Instructions for any other method of opting out, if available
The notice must also contain a “Do Not Sell My Personal Information” link. The notice of the consumer's right to opt out should be placed on the web page to which consumers are directed after clicking that link.
Instead of a dedicated opt-out link, the business can choose to offer a single alternative link through which the consumer can both limit the use of sensitive data and opt out of the sale or sharing of their data.
On top of that, businesses are now obliged to honor opt-out preference signals sent by users’ browsers. The most notable example of such a signal is the Global Privacy Control (GPC).
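Honoring a browser opt-out signal means treating it like a click on the “Do Not Sell” link: once the signal is seen, the tags that sell or share personal information must not run for that visitor. The following is an added example, not Secure Privacy's code and not code from the page. It relies on one fact from the GPC specification (a browser with GPC enabled sends the request header `Sec-GPC: 1`); everything else, including the cookie name `sp_opt_out`, the tag catalog and its category labels, is an assumption constructed for the illustration.

```python
"""Server-side handling of the Global Privacy Control (GPC) opt-out signal.

Added example (not Secure Privacy's or the page's code). The only part taken
from the GPC specification is the header: a GPC-enabled browser sends
`Sec-GPC: 1`. The cookie name, tag catalog and category names below are
constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Mapping

# Tag categories whose purpose is the sale or sharing of personal
# information. Constructed labels for the example; a real catalog would be
# maintained with legal review.
SALE_SHARE_CATEGORIES: FrozenSet[str] = frozenset({"advertising", "data_broker"})


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when a Sec-GPC header is present with the value "1".

    Header names are matched case-insensitively because HTTP header names are
    case-insensitive; the value is compared strictly, so "0", "true" or an
    empty value are NOT treated as an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool
    source: str                      # "link", "gpc" or "none"
    blocked_categories: FrozenSet[str]


def decide_opt_out(headers: Mapping[str, str],
                   cookies: Mapping[str, str]) -> OptOutDecision:
    """Combine the explicit opt-out link (stored in a cookie) with the GPC signal.

    An explicit choice recorded via the "Do Not Sell" link wins; otherwise the
    browser signal is honored. Either path blocks the same categories.
    """
    if cookies.get("sp_opt_out") == "1":          # constructed cookie name
        return OptOutDecision(True, "link", SALE_SHARE_CATEGORIES)
    if gpc_signal_present(headers):
        return OptOutDecision(True, "gpc", SALE_SHARE_CATEGORIES)
    return OptOutDecision(False, "none", frozenset())


def allowed_tags(decision: OptOutDecision,
                 tag_catalog: Mapping[str, str]) -> List[str]:
    """Return the tag ids that may still load given the decision.

    tag_catalog maps a tag id to its category; tags in a blocked category are
    dropped, everything else (e.g. security or strictly necessary tags) stays.
    """
    return [tag for tag, category in tag_catalog.items()
            if category not in decision.blocked_categories]


if __name__ == "__main__":
    # Constructed sample request: a GPC-enabled browser, no opt-out cookie.
    sample_headers: Dict[str, str] = {"Host": "www.example.com", "Sec-GPC": "1"}
    sample_cookies: Dict[str, str] = {}
    sample_catalog: Dict[str, str] = {
        "ad_pixel": "advertising",
        "audience_sync": "data_broker",
        "bot_detection": "security",
        "site_analytics": "analytics",
    }
    decision = decide_opt_out(sample_headers, sample_cookies)
    print(f"opted_out={decision.opted_out} via {decision.source}")
    print("tags allowed to load:", allowed_tags(decision, sample_catalog))
```

The strict comparison in `gpc_signal_present` is deliberate: the specification defines only the value `1`, so anything else is logged as "no signal" rather than guessed at. Keeping the decision in one function also gives you a single place to record, for audit purposes, which source (link or signal) caused a visitor to be treated as opted out.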
For personal information collected via a mobile app, the notice can be placed within the app, for example in the settings menu.
CCPA Notice of Right to Limit the Use of Sensitive Personal Information
Businesses that process sensitive personal information, such as health data, financial data, ethnic origin, sexual life, political and religious views, and so on, must allow consumers to limit the use of such personal information.
The notice must contain a “Limit the Use of My Sensitive Personal Information” link, which leads to a page where the consumer can learn more about it and make their choice.
Instead of a dedicated limit link, the business can choose to offer a single alternative link through which the consumer can both limit the use of sensitive data and opt out of the sale or sharing of their data.
CCPA Notice on Financial Incentives Requirements
Businesses may provide financial incentives to customers in the form of discounts, coupons, loyalty programs, and so on. These financial incentive programs require the processing of personal information. If you process personal data for this purpose, you must provide consumers with a notice on financial incentives.
The purpose of the notice of financial incentive is to help consumers understand the tradeoff between providing their information and the financial incentive you offer.
This notice must also be served at the time of data collection. Businesses that operate online can include a separate section in their privacy policies dedicated to financial incentive programs to comply with this requirement.
Standard Rules for Privacy Notices
In addition to these requirements, all privacy notices must meet the following criteria:
- They have to be written in plain, straightforward language, free of technical jargon
- They have to be readable even on smaller screens
- The format of the notice has to draw consumers’ attention
- They have to be written in languages that the consumers understand (if the website is in English and Spanish, a notice in English and Spanish will suffice)
- They have to be accessible to people with disabilities (e.g., by following the Web Content Accessibility Guidelines)
Consequences for Non-Compliant Notices
Not showing notices or showing non-compliant notices is a violation of the law that can result in penalties.
The maximum penalty for CCPA or CPRA violations is $7,500 per violation per consumer. The fine can be reduced but not increased.
Furthermore, each affected consumer counts as a separate violation. If you fail to show the notice to 1,000 consumers, that is 1,000 violations, and 1,000 violations multiplied by $7,500 equals $7,500,000. The fines can therefore get hefty quickly.
Under the CCPA, businesses have 30 days to correct the violation. The CPRA does not provide a correction period.
Read more about CPRA requirements.
Recently, the California Privacy Protection Agency (CPPA) issued draft regulations on risk assessments and cybersecurity audits under the CCPA (California Consumer Privacy Act). Learn about CCPA Risk Assessments.
How to Comply with Secure Privacy
Secure Privacy has created a CCPA-compliant privacy notice solution that is easy to integrate into websites that must follow the law. Our privacy notices will be compliant with the CPRA once it goes into effect. Check out Secure Privacy's Ultimate CCPA Guide.