If you have already complied with the EU’s General Data Protection Regulation (GDPR), you will need less effort because some of the CCPA’s obligations are similar to the GDPR.
- 12-month updates
- ‘Do Not Sell My Personal Information’ link
- Categories of information collected
- Categories of personal information sold
- Children’s opt-in
- Consumer Rights
‘Do Not Sell My Personal Information’ Link
In practice, most businesses prefer to place this link in the website’s footer, since that is the customary location for a company’s legal policies.
However, if your business does not sell personal data, it is exempt from this obligation.
Categories of Information Collected
According to the CCPA, you must reveal a list of all the categories of personal information that your business has gathered in the previous 12 months from any source.
Under the CCPA, the types of personal data you must reveal include:
- Personal identifiers; e.g. IP addresses, contact numbers, cookies, beacons
- Characteristics of protected classifications; e.g. sexuality, ethnicity, gender
- Commercial data; e.g. records of services procured
- Data safeguarded against security breaches; e.g. name, password, social security number, driver’s license number, date of birth
- Personal information categories listed in the California Customer Records statute
- Geolocation data
- Education data
- Biometric data; e.g. fingerprints, voice recordings, DNA
- Audio, electronic, thermal, and video data
- Inferences drawn from profiling
- Professional information
- Internet activity; e.g. browsing history, search history
Sources of Personal Data Collection
Once you provide the classes of personal information you have gathered in the past year, you must also disclose the sources of every category of data. Examples of sources of information include:
- Consumer-provided information obtained from forms, questionnaires, participation in online communities, and other types of user interaction with a website
- Public sources of personal information such as census data, credit bureaus, and real estate records
- Cookies and web analytics
It is important to be detailed and specific when revealing the sources of the personal information you collect.
Purposes of Collecting Personal Information
Some of the reasons why businesses collect information include:
- Identification and verification
- Improving service delivery
- Customizing experiences for consumers
- Marketing and advertising
- Legal compliance
- Communicating with consumers
Categories of Information Disclosed for Business Purposes
The CCPA requires you to list the categories of user information that have been shared for business purposes in the previous year.
Section 1798.140 of the CCPA clarifies which activities are considered ‘business purposes.’ They include:
- Detection of security events
- Short-term uses
- Service delivery
- Testing or enhancing the quality or safety of a service
- Debugging to establish and rectify errors
- Internal research for technological development and demonstration
Furthermore, you must declare whether you disclosed consumer information to a third party that then discloses it for business purposes on your behalf.
Categories of Information Sold
Children’s Opt-in
California’s data privacy law establishes an opt-in obligation for children between the ages of 13 and 16. Minors in this age group must opt in to the sale of their personal data.
Moreover, the CCPA requires your business to get the consent of a parent or a guardian before selling the information of a minor aged below 13 years.
If your target market involves children, this requirement is extremely crucial, although it applies to any enterprise that has actual knowledge of a minor’s age.
Consumer Rights
Your privacy policy must inform consumers of their rights under the CCPA, which include the right to:
- Access their personal information
- Delete their personal information
- Not be discriminated against for exercising their privileges under the CCPA
The Right of Access
Additionally, make sure your users are aware that you will address their request within 45 days, as the CCPA requires.
You must make available two or more designated methods for the consumer to request this information, including, at a minimum, a toll-free telephone number and a website address.
However, if your business operates online exclusively and has a direct relationship with a consumer, you are only required to provide an email address for submitting requests.
The Right to Deletion
Ensure that your policy advises users of their right to delete their personal information and explains how the user can make this request.
You need to provide a way through which consumers can exercise this right.
Protection from Discrimination
The CCPA makes it clear that consumers must not be treated unfavourably for exercising their privileges under the law.
For this reason, your policy must inform users that they will not be discriminated against for exercising their rights under the CCPA.