April 14, 2023

CCPA and CPRA Privacy Notices

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) do not explicitly require a cookie banner, but having one can help you meet other notice requirements. Learn about CCPA and CPRA privacy notices here.

The California Consumer Privacy Act (CCPA) does not explicitly require a cookie banner, and neither does the California Privacy Rights Act (CPRA). However, if you do have a cookie banner, you can use it to meet other requirements quickly.

The CCPA requires businesses to provide privacy notices to consumers. These notices must be served to users as soon as they arrive on the website. There are several types of notice, and any of them can be served as a banner.

To better understand your legal responsibilities, you should learn:

  • What are the CCPA and CPRA, and do they apply to your business?
  • What types of privacy notices are required?
  • What information is required in each privacy notice?
  • What are the consequences of non-compliant CCPA and CPRA privacy notices?

Update: California’s Attorney General published the revisions to CCPA’s proposed regulations on February 7, 2020.

Do CCPA and CPRA Apply to Your Business?

The CCPA does not apply to every business. It applies only to for-profit companies that collect and process consumer personal information and do business in California, and then only if the business meets at least one of the following criteria:

  • Has annual gross revenue of more than $25 million
  • Processes the personal information of at least 50,000 Californians annually
  • Earns at least 50% of its annual revenue from selling consumers’ personal information

CPRA raises the processing criteria from 50,000 Californians to 100,000 Californians, and the earning criteria from 50% of the sales of personal information to 50% of the sales and sharing of personal information.

If your business does not meet these requirements, the CCPA does not apply to you, and you are not required to provide privacy notices.

But if you do meet these requirements, keep reading.

See CCPA 2.0 Update: Latest Changes to the CPRA

CCPA/CPRA Privacy Notice v. GDPR Cookie Banner

Under California privacy law, all that is required is a privacy notice. The notice's purpose is to inform users about data processing, data sales, or financial incentives offered in exchange for data. It does not request consent to use online trackers.

GDPR, on the other hand, requires businesses to obtain cookie consent. That’s why GDPR-compliant businesses need a GDPR-compliant cookie banner.

The CCPA/CPRA privacy notice provides information on data processing. It is not necessary to obtain consent before collecting data.

The GDPR cookie banner's goal is to inform users about the processing and collect consent for cookies.

What is a CCPA/CPRA Privacy Notice?

Because you process your users' personal information, California consumer privacy laws require you to be transparent with them about it. Privacy notices are the tool that businesses use to inform their customers about their privacy practices.

Between them, the CCPA and CPRA require the following types of privacy notice:

  • Notice on collection
  • Notice on the right to opt-out of the sales or sharing of personal information
  • Notice on the right to limit the use of sensitive personal information
  • Notice on financial incentives

CCPA Notice on Collection Requirements

The CCPA notice on collection informs consumers that you collect and process their data, how you process it, and why. You must provide the notice at or before the time of collection. Because tracking technologies start collecting data as soon as a page loads, this means showing the notice on your website the moment the visitor arrives.

Your notice must link to the privacy policy, and the link must lead to the parts of the privacy policy where the required information is provided. You must not drop the consumer at the beginning of the privacy policy and leave them to search for the information they need.

Only businesses that collect personal information are required to provide notice.

Some important rules to remember when it comes to the notice on collection:

  • You can only collect the information specified in the notice for the purposes specified in the notice.
  • If you want to use previously collected data for a purpose that was not previously listed in the privacy notice, you must obtain a consumer’s consent.
  • If you are not collecting any personal information, there is no need to provide notice at the time of collection.

CCPA Notice to Opt-Out of the Sales or Sharing of Personal Information Requirements

Not all businesses sell personal information. Those that sell or share it must notify users and allow them to opt out of the sale or sharing of their personal information.

You must provide this notice at the time of collection of consumers’ data. It must include:

  • A description of the right to opt-out of the sales or sharing of personal information
  • The interactive online form through which the consumer can submit the opt-out request, or an offline method for submitting a request if the company does not have a website
  • Instructions for any other method of opting out, if available

The notice must also contain a “Do Not Sell My Personal Information” link. The notice of the consumer's right to opt-out should be placed on the web page to which they are directed after clicking such a link.

Instead of a link to opt-out, the business can choose to offer an alternative opt-out link where the consumer could limit the use of sensitive data as well as opt-out of the sale or sharing of their data.

On top of that, businesses are now obliged to honor opt-out preference signals sent by users’ browsers. The most notable example of such a signal is the Global Privacy Control (GPC).
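The following is an added illustration, not code from the original post or from Secure Privacy: it shows how a site can honor the GPC signal described above, reading it from the `Sec-GPC: 1` request header on the server and from `navigator.globalPrivacyControl` in the browser, and then loading only tags that do not sell or share personal information when the visitor has opted out. The tag inventory and the stored-preference values are constructed for the example.

```javascript
// Honoring the Global Privacy Control (GPC) opt-out preference signal.
// GPC reaches a site two ways: the "Sec-GPC: 1" request header and the
// navigator.globalPrivacyControl property in the browser.

// Server side: does the incoming request carry a valid GPC opt-out signal?
// Header names are matched case-insensitively; only the value "1" counts.
function gpcOptOutFromHeaders(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(headers[name]).trim() === '1';
    }
  }
  return false;
}

// Client side: the same signal as exposed by the browser object.
function gpcOptOutFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether personal information may be sold or shared for this visit.
// storedPreference is the choice the consumer made through the site's own
// "Do Not Sell or Share My Personal Information" link (constructed values:
// 'opt-out', 'no-choice'). An explicit opt-out always wins; otherwise a GPC
// signal from either channel is treated as an opt-out request.
function mayShareForThisVisit({ headers, nav, storedPreference }) {
  if (storedPreference === 'opt-out') return false;
  if (gpcOptOutFromHeaders(headers)) return false;
  if (gpcOptOutFromNavigator(nav)) return false;
  return true;
}

// Constructed tag inventory: each third-party tag is labelled with whether
// loading it sells or shares personal information (e.g. cross-context ads).
const SAMPLE_TAGS = [
  { name: 'first-party-analytics', sharesPersonalInfo: false },
  { name: 'ad-network-pixel', sharesPersonalInfo: true },
  { name: 'social-retargeting', sharesPersonalInfo: true },
];

// Filter the tag inventory so that, when the visitor has opted out, only tags
// that do not sell or share personal information are loaded.
function tagsToLoad(tags, context) {
  const allowed = mayShareForThisVisit(context);
  return tags.filter((t) => allowed || !t.sharesPersonalInfo);
}
```

Logging which channel triggered the opt-out (header, navigator property, or stored choice) gives you an audit trail showing that signals were honored.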

For personal information collected via a mobile app, the notice can be placed within the app itself, for example in the settings menu.

CCPA Notice of Right to Limit the Use of Sensitive Personal Information

Businesses that process sensitive personal information, such as health data, financial data, ethnic origin, sexual life, political and religious views, and so on, must allow consumers to limit the use of that information.

The notice must contain a “Limit the Use of My Sensitive Personal Information” link, which leads to a page where the consumer can learn more about it and make their choice.

Instead of a link to limit, the business can choose to offer an alternative opt-out link where the consumer could limit the use of sensitive data as well as opt-out of the sale or sharing of their data.

CCPA Notice on Financial Incentives Requirements

Businesses may provide financial incentives to customers in the form of discounts, coupons, loyalty programs, and so on. These financial incentive programs require the processing of personal information. If you process personal data for this purpose, you must provide consumers with a notice on financial incentives.

The purpose of the notice of financial incentive is to help consumers understand the trade-off between providing their information and the financial incentive you offer.

This notice must also be served at the time of data collection. Businesses that operate online can include a separate section in their privacy policies dedicated to financial incentive programs to comply with this requirement.

You can collect the consumers’ data for this purpose as long as you have informed them about the program in the privacy policy.

Adding a privacy policy to your website with Secure Privacy is a breeze. Adding a privacy policy button on your website is equally easy. And if you use Magento and need Magento cookie compliance with a privacy policy, or you use Hubspot, we’ve got you covered.

Standard Rules for Privacy Notices

In addition to these requirements, all privacy notices must meet the following criteria:

  • They have to be written in plain, straightforward language, free of technical jargon
  • They have to be readable even on smaller screens
  • The format of the notice has to draw consumers’ attention
  • They have to be written in the languages the consumers understand (if the website is in English and Spanish, a notice in English and Spanish will suffice)
  • They have to be accessible to people with disabilities (e.g., by following the Web Content Accessibility Guidelines)

Consequences for Non-Compliant Notices

Not showing notices or showing non-compliant notices is a violation of the law that can result in penalties.

The maximum penalty for CCPA or CPRA violations is $7,500 per violation per consumer. The fine can be reduced but not increased.

Furthermore, each affected consumer counts as a separate violation. If you fail to show the notice to 1,000 consumers, that is 1,000 violations, and 1,000 violations multiplied by $7,500 equals $7,500,000. Fines can therefore become hefty very quickly.

Under the CCPA, businesses have a 30-day cure period to correct a violation. The CPRA does not provide a cure period.

Read more about CPRA requirements.

Recently, the California Privacy Protection Agency (CPPA) issued draft regulations on risk assessments and cybersecurity audits under the CCPA (California Consumer Privacy Act). Learn about CCPA Risk Assessments.

How to Comply with Secure Privacy

Secure Privacy has created a CCPA-compliant privacy notice solution that is easy to integrate into websites that must follow the law. Our privacy notices will be compliant with the CPRA once it goes into effect. Check out Secure Privacy's Ultimate CCPA Guide.
