December 9, 2023

The 2024 Ultimate CCPA Compliance Checklist: Meeting CCPA and CPRA Privacy Policies and Compliance Requirements

Stay updated on the California Consumer Privacy Act (CCPA) regulations for 2024. Secure Privacy provides essential guidelines to ensure compliance, covering privacy policies, opt-out mechanisms, risk assessments, employee training, and more. Learn how to adapt your data protection practices.

The California Consumer Privacy Act (CCPA) gets regular updates, which means that you need to learn about the new CCPA Regulations and adjust your data protection practices accordingly. We at Secure Privacy follow the updates day after day to ensure that our CCPA compliance solution is up-to-date and that you'll be compliant with our solution.

Here's what you need to be aware of to be compliant with the CCPA in 2024.

The 2024 CCPA compliance checklist

The CCPA was updated in 2023, first by the CPRA and later by the CCPA regulations. Taking all the recent changes into account, here's what every business has to know to be CCPA-compliant.

We'll discuss the following below:

  • Privacy policy
  • Privacy notices
  • Opt-out mechanisms
  • Contracts with service providers
  • Risk assessments
  • Data security and cybersecurity audits
  • Responding to consumer requests
  • Employee training

Privacy policy

Every website must publish a privacy policy and be transparent with consumers about the privacy practices of the business. It aims to inform the consumer about how their data is handled by the website.

Each CCPA privacy policy must contain at least the following:

  • The types of personal information that you collect and why you collect it (categories of personal information you collect)
  • How and why you use that personal information (purposes of collecting personal information)
  • If you sell consumer data, the third parties you share that personal information with and the purposes of that sharing (categories of personal information sold in the last 12 months)
  • The consumer rights under the CCPA include the right to know what personal information is being collected about them, the right to have their personal information deleted, and the right to opt out of the sale of their personal information (consumer rights).
  • How consumers can exercise their rights under the CCPA
  • Your contact information so that consumers can reach out to you with any questions or concerns.

Read more about the CCPA privacy policy requirements.

Privacy notices

The CCPA doesn't specifically demand a cookie banner. But if you use a cookie banner, you'll meet the privacy notice requirement easily.

The CCPA mandates that businesses give clear and conspicuous privacy notices to their customers. These notices must be presented to users right when they land on your website. You have different options for these notices, and one way to display them is through a banner.

The CCPA requires four different types of privacy notices:

Notice at collection

Only businesses that collect personal information are required to provide notice of collection. The notice on collection under the CCPA is meant to inform consumers that you're gathering and processing their data, explaining your methods and reasons. This notice should be given at or before the time you collect their data. Given the nature of tracking technology, it's necessary to display this notice on your website as soon as a visitor arrives.

In your notice, include a link to the privacy policy. This link should direct users straight to the relevant sections of the policy with the necessary information, rather than just the start of the policy, to avoid making consumers search for what they need.

Notice on the right to opt out of the sale or sharing of personal information

Self-explanatory. Businesses that sell or share personal information must notify users and allow them to opt out of the sale or sharing of personal information.

Notice on the right to limit the use of sensitive personal information

Businesses processing sensitive personal information, like health and financial data, ethnic background, sexual orientation, and political or religious beliefs, need to let consumers restrict the use of this data. This notice serves to notify the users about that right.

Notice on financial incentives

Businesses can offer financial rewards like discounts, coupons, or loyalty programs to their customers, which involve processing personal information. When using personal data for these incentives, businesses must issue a notice about financial incentives. This notice aims to help consumers grasp the exchange between sharing their information and receiving financial benefits from the business.

Read our in-depth article about CCPA privacy notices.

Opt-out mechanisms

Consumers have the right to opt out of the processing of their personal information. You have to provide them with the following opt-out mechanisms:

  • Do Not Sell or Share My Personal Information button or link. It has to be placed on your website in a visible place; you'll usually find it in the footer of the home page. It allows users to opt out of the sale or sharing of personal information.
  • Limit the Use of My Sensitive Personal Information button or link. This link should take consumers to a page where they can get more information, make their choices regarding the use of their sensitive data, and limit it.
  • Since the two links above may be overkill for the user experience on the website, the CCPA allows for the provision of a single link titled "My California Privacy Choices," where you'll include the "Do Not Sell My Personal Information" and the "Limit the Use of My Sensitive Personal Information" links.
  • Respond to the universal opt-out mechanisms, such as the Global Privacy Control (GPC) signals. Should you receive such a signal from the consumer's browser, you should consider it to be a valid opt-out request.
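As an added example, not part of the original post or of the Secure Privacy product: a small Python helper that resolves a visitor's opt-out state from the three mechanisms above, treating a `Sec-GPC: 1` request header (the header defined by the Global Privacy Control specification) as a valid opt-out of sale or sharing, while the "Limit the Use" choice is tracked separately. The cookie names and the header/cookie dictionaries are assumptions for the example.

```python
"""Resolve a visitor's CCPA opt-out state from the site's opt-out links and the GPC signal.

Constructed example. The cookie names are assumptions; Sec-GPC is the header
defined by the Global Privacy Control specification (value "1" when enabled).
"""
from dataclasses import dataclass

GPC_HEADER = "Sec-GPC"                        # sent by GPC-enabled browsers as "Sec-GPC: 1"
OPT_OUT_COOKIE = "ccpa_do_not_sell_or_share"  # assumed: set by the "Do Not Sell or Share" link
LIMIT_SPI_COOKIE = "ccpa_limit_sensitive"     # assumed: set by the "Limit the Use" page


@dataclass(frozen=True)
class PrivacyChoices:
    may_sell_or_share: bool       # False once any opt-out of sale/sharing applies
    may_use_sensitive_pi: bool    # False once the visitor limited sensitive-PI use
    sources: tuple                # which signals drove the decision (useful for audit logs)


def has_gpc_signal(headers):
    """True only for 'Sec-GPC: 1' (case-insensitive header name).

    Any other value is not an opt-out signal under the GPC spec, so it is ignored.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


def resolve_choices(headers, cookies):
    """Combine the explicit link choices (cookies) with the browser's GPC signal.

    A GPC signal is treated like a click on "Do Not Sell or Share", so sale/sharing
    is blocked if either source says so. GPC is not mapped onto the sensitive-PI
    limit, which only the explicit "Limit the Use" choice controls here.
    """
    sources = []
    sell_ok, sensitive_ok = True, True
    if cookies.get(OPT_OUT_COOKIE) == "1":
        sell_ok = False
        sources.append("site-opt-out-link")
    if has_gpc_signal(headers):
        sell_ok = False
        sources.append("gpc-header")
    if cookies.get(LIMIT_SPI_COOKIE) == "1":
        sensitive_ok = False
        sources.append("limit-spi-link")
    return PrivacyChoices(sell_ok, sensitive_ok, tuple(sources))
```

Run `resolve_choices` per request before any sale/sharing pixel or sensitive-data use is triggered, and log `sources` so you can show which signal was honored.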

Contracts with service providers

The CCPA explicitly requires businesses to have written agreements with service providers processing personal information on their behalf. The service provider must not process any data without a written agreement in place.

Therefore, this is one of the most important CCPA requirements. The agreement must contain provisions on the data categories, processing purposes, help in proving compliance, confidentiality of the processing, and other elements.

Risk assessments

Businesses involved in some processing activities must conduct risk assessments before processing. The covered activities are considered to pose a significant risk to consumers' privacy; therefore, the business has to assess the risks before getting into the processing.

The covered activities include:

  • Selling or sharing personal information;
  • Processing sensitive personal information;
  • Using automated decision-making technology that impacts the rights of consumers;
  • Processing the personal information of children younger than 16 years of age;
  • Processing of personal information in the employment or contractor context;
  • Processing personal information collected in publicly accessible places for tracking, and
  • Processing personal information to train artificial intelligence or automated decision-making technology.

Many businesses share personal information, so many businesses will have to assess their risks before starting that kind of data processing.

Data security and cybersecurity audits

Some companies need to perform cybersecurity audits to show they follow CCPA rules. It's not yet decided which businesses have to do this.

The proposed rules set one threshold: businesses that derive over 50% of their income from selling or sharing personal data. More criteria might be added later, such as the size of the company, its yearly earnings, or how many people's data it handles.

To confirm the cybersecurity standards used in an organization, independent professionals must conduct the audits.

These audits are part of a wider requirement for implementing reasonable security measures to ensure that consumer data is safe.

Responding to consumer requests

Consumers have several data privacy rights under the CCPA that you have to respect. These include the right to know, the right to access all or specific pieces of personal information, the right to request the deletion of their data, the right to correct data, and the right to data portability.

Businesses must comply with CCPA requests to exercise those rights. Before acting on a request, you need to verify the identity of the requester to prevent abuse. Once verified, you have to comply with it, except in the limited situations where you may be allowed to decline a request to delete personal information.

You have to respond to the requests within 45 days of receiving them. The response must be free of charge unless it causes you significant expenses.

Employee training

You are as strong as your weakest link; therefore, you have to ensure that all your employees and contractors understand the legal requirements imposed on your company and are equipped with the knowledge to comply with them.

The CCPA explicitly requires training for personnel handling personal information. It is not a nice-to-have; it is a requirement. Conduct regular training sessions to ensure that your people know how to comply with the CCPA, and make sure it is part of your compliance strategy.

Read more about training personnel on the CCPA.

Who must comply with the CCPA checklist?

This checklist is a must for businesses to which the California Consumer Privacy Act applies. The law applies to for-profit firms that do business in California, process the data of California residents, and:

  • Have annual gross revenues in excess of $25 million,

AND

  • Buy, receive, or sell the personal information of 50,000 or more California consumers, households, or devices, or
  • Derive 50% or more of their annual revenues from selling consumers' personal information.

If you recognize your business in these criteria, take this 2024 CCPA compliance checklist seriously.

What is the penalty for not complying with the California Consumer Privacy Act?

The CCPA imposes financial and civil penalties for non-compliance: USD 2,500 per unintentional violation, USD 7,500 per intentional violation, and USD 100-750 per consumer per incident for violating consumer rights.

By proactively complying with the CCPA, businesses can avoid legal and financial repercussions and build trust with consumers.
