What is the CCPA?
The California Consumer Privacy Act (CCPA) is a state law that gives consumers the right to know what personal information is being collected about them, the right to delete that information, and the right to opt-out of its sale. The law applies to companies that do business in California and meet certain criteria, such as having annual revenues over $25 million or collecting personal information from 50,000 or more consumers to ensure privacy protection.
The CCPA is similar to the EU’s General Data Protection Regulation (GDPR), but some important differences exist. For example, the GDPR compliance requirements include companies getting explicit consumer consent before collecting or using their personal data, while the CCPA does not. The CCPA also gives Californians the right to sue companies for data breaches, even if they don’t suffer any financial harm due to the breach.
Who Must Comply with the CCPA?
The CCPA applies to any business that meets one or more of the following criteria:
- Has annual gross revenues in excess of $25 million.
- Buys, receives, or sells the personal information of 50,000 or more California consumers, households, or devices.
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
If your business falls into any of these categories, you must comply with the CCPA. failure to do so can result in fines of up to $7,500 per violation.
What are the requirements of the CCPA?
The CCPA has a number of requirements for businesses that collect, use, and store the personal information of California residents. Below is the CCPA compliance checklist:
- Disclosing to consumers, at or before the point of collection, the categories of personal information that will be collected and the purpose for which it will be used
- Giving consumers the right to know what personal information is being collected about them, how it is being used, and with whom it is being shared
- Allowing consumers to access their personal information and request that it be deleted
- Providing consumers with a way to opt out of the sale of their personal information
- Ensuring that personal information is securely stored and protected from unauthorized access or disclosure. Therefore, organizations must implement a robust cybersecurity framework to protect themselves from litigation.
- A description of the types of personal information that you collect and why you collect it (categories of information collected)
- How and why you use that personal information (purposes of collecting personal information)
- If you sell consumer data, who you share that personal information with, and for what purposes (categories of information sold)
- The consumer rights under the CCPA, including the right to know what personal information is being collected about them, the right to have their personal information deleted, and the right to opt out of the sale of their personal information (consumer rights)
- How consumers can exercise their rights under the CCPA
- Your contact information so that consumers can reach out to you with any questions or concerns
Categories of Information Collected
According to the CCPA, you must reveal a list of all the categories of personal information your business has gathered in the previous 12 months from any source.
Under the CCPA, the types of personal data you must reveal include;
- Personal identifiers; e.g., IP addresses, contact numbers, cookies, beacons
- Protected classified information; e.g., sexuality, ethnicity, gender
- Commercial data; e.g., records of services procured
- Data safeguarded against security breaches; e.g., name, password, social security number, driver’s license number, date of birth
- Personal information classifications contained in the California Customer Records Statute
- Geolocation data
- Education data
- Biometric data; i.e., fingerprints, voice recording, DNA
- Audio, electronic, thermal, and video data
- Inferences made from profiling
- Professional information
- Internet activity; e.g., browsing history, search history
- Sources of Personal Data Collection
After you list the personal information you collected last year, you must also say where you got each type of information. Examples of sources of information include;
- Consumer-provided information obtained from forms, questionnaires, and participation in online communities, among other types of a user’s interaction with a website
- Public sources of personal information such as census data, credit bureaus, and real estate records
- Cookies and web analytics
It's important to be clear and specific about where the personal information you gather comes from.
Purposes of Collecting Personal Information
Some of the reasons why businesses collect information include;
- Identification and verification
- Improving service delivery
- Customizing experiences for consumers
- Marketing and advertising
- Legal compliance
- Communicating with consumers
- Categories of Information Disclosed for Business Purposes
The CCPA requires you to list user information categories shared for business reasons in the previous year.
Section 1798.140 of the CCPA clarifies activities considered ‘business purposes.’ They include;
- Detection of security events
- Short-term uses
- Service delivery
- Testing or enhancing the quality or safety of a service
- Debugging to establish and rectify errors
- Internal research for technological development and demonstration
Furthermore, you must declare if you disclosed consumer information to a third party, which is then disclosed for business purposes on your behalf. Check out Secure Privacy’s Ultimate CCPA Guide.
Categories of information sold and purpose for selling personal information
In addition, you need to disclose the reasons why you have sold the data.
Categories of personal information shared with third parties
The CCPA-compliant business must disclose the categories of data shared in the last 12 months, the purposes for sharing it, and the third parties with whom each category of data has been shared.
Information on the Use of Sensitive Personal Information
You must inform users whether you disclose their sensitive personal information to third parties. Such information includes racial or ethnic origin, health data, financial data, etc.
Businesses are exempt from this requirement only if they disclose the data for any of the following purposes:
- Performance of a contract with the consumer and services related to such contract
- Prevention of security incidents
- Fraud prevention
- Physical safety of natural persons
- Short-term use for non-personalized advertising purposes, as long as the data is not used to build a profile of the consumer
- To verify and maintain the quality and safety of products, or
- To collect or process sensitive personal information where the collection or processing is not for the purpose of inferring characteristics about a consumer.
Should the business process consumers’ sensitive data for other purposes, it must allow consumers to limit the use of their sensitive data.
California’s data privacy law establishes an opt-in obligation for children between 13 and 16 years old. Minors in this age group must opt-in to the sale of their personal data.
Moreover, the CCPA requires your business to get the consent of a parent or a guardian before selling the information of a minor below the age of 13 years.
This requirement is very important if your target market includes children, but it applies to any business that knows the age of a minor.
Statement about children’s personal information processing
The business must explicitly state if they knowingly collect and process children’s personal information.
Consumer Rights and Requests
- Access their personal information
- Delete their personal information (the right to deletion)
- Correct their personal information
- Opt out of the sale or sharing of data or limit the use of sensitive data
- Not be discriminated against for exercising their privileges under the CCPA
- The right of access
Also, ensure your users know that you will respond to their request within 45 days, as the CCPA requires.
You must give the consumer at least two ways to get this information: a toll-free phone number and a website address.
However, if your business operates exclusively online and has a direct relationship with a consumer, you must only provide an email address for submitting requests.
You must also ensure that your policy informs users of their right to delete their personal information and explains how they can make this request, including how their identity would be verified.
You need to provide a way through which consumers can exercise this right.
The business also must explain to consumers how they can implement Global Privacy Controls (GPC) or a similar mechanism that sends opt-out preferences to websites.
‘Do Not Sell My Personal Information’ Link
However, your business is exempt from meeting this obligation if you do not sell personal data.
‘Limit the Use of My Personal Information’ Link
However, your business is exempt from meeting this obligation if you do not specialize in selling personal data.
Protection from Discrimination
The CCPA makes it clear that consumers should not be treated unfairly just because they are using their legal rights.
Because of this, you must make sure to tell users that they won't be treated badly if they use their rights under the CCPA.
Schedule a call with us today and get expert guidance on our solution and how we can support your CCPA compliance journey.
Check out Secure Privacy’s GDPR and CCPA Compliance features for Publishers.
Tips for CCPA Compliance
To avoid CCPA non-compliance, you can do a few key things to ensure your organization is on the right track. Here are some tips for staying compliant:
1. Understand the requirements: The first step to compliance is understanding businesses’ CCPA requirements. Make sure you know the ins and outs of the law so you can take the necessary steps to comply.
4. Keep records updated: Maintaining accurate customer data records is important for compliance. You should have a system for tracking the data collected, used, and deleted. This will help you respond quickly to any consumer requests.
5. Be prepared for audits: The CCPA gives the attorney general’s office the right to audit businesses for compliance. Be sure you have all the necessary documentation and records to pass an audit with flying colors.
Although CCPA doesn’t require an audit, you must constantly monitor data security and CCPA security measures to avoid fines if you’re ever under investigation. The only way to ensure daily CCPA compliance is through automation. Check out Secure Privacy’s solutions that fit your needs.
Learn about Secure Privacy's CCPA Certification.
EU Digital Markets Act (DMA): What Businesses Must Know
Explore the European Union's Digital Markets Act (DMA) and its impact on tech giants, gatekeepers, and SMEs. Uncover key provisions, designated companies, and the relevance of compliance for small to medium-sized enterprises.
- Europe GDPR
- Data Protection
The Complete Guide to WordPress GDPR Compliance: Make Your Wordpress Site is Compliant
Learn about the General Data Protection Regulation (GDPR) and its significance for WordPress websites. Discover essential steps, potential consequences of non-compliance, and effective cookie management strategies to ensure GDPR compliance.
- Europe GDPR
Understanding the Utah Consumer Privacy Act (UCPA): A Comprehensive Overview of the New Consumer Privacy Law
Learn about the Utah Consumer Privacy Act (UCPA), its impact on businesses operating in Utah or targeting Utah customers, compliance requirements, consumer rights, data security measures, and penalties for non-compliance.