The 7 Key Steps to Making Websites CCPA Compliant and Future-Proof for CCPA 2.0


What is CCPA?

CCPA stands for California Consumers Protection Act 2018. It is the most comprehensive data protection regulation in California and the United States.

It was passed in response to the GDPR and other data protection laws. It is not as comprehensive as the EU law, yet it grants consumers more rights over their data privacy than ever before.

California was the first US state to pass a data privacy law. It has been updated multiple times.

What happens to CalOPPA and other California privacy laws? Do we still have to comply with them?

Yes, you have to comply with any data protection law that is currently in force in California, and that includes CalOPPA and other laws as well.

The CCPA is not a replacement for any existing California data protection law. All of them remain in effect after 1 January 2020; therefore, you’ll have to comply with every data protection regulation adopted in the state.

The CCPA was meant to complement the existing personal data protection framework, not to replace it. CalOPPA and other personal data protection laws continue to exist, which means the requirements for your business remain. Introducing the CCPA doesn’t change your duty to comply with other California privacy laws, such as CalOPPA, Shine the Light, and the Privacy Rights for California Minors in the Digital World Act, as well as federal laws such as HIPAA.

What is CCPA compliance? What are the CCPA requirements?

CCPA compliance means that you meet all the compliance requirements as set out in the CCPA.

These requirements have been set by the government to improve the level of personal data protection in California. Meeting some of them is not enough to make your business compliant. You need to meet every single requirement as set out by the law.

Who does CCPA apply to?

The California Consumer Privacy Act (CCPA) applies only to businesses that meet the requirements for applicability.

It applies to every company in the world if:

  • They collect personal data of California residents, and
  • They (or their parent company or a subsidiary) exceed at least one of the following three thresholds:

A California resident is defined by California’s Privacy law as any person who:

  • Is in California for other than a temporary or transitory purpose, or
  • Is domiciled in California, but is outside the state for temporary or transitory purposes.

Does CCPA apply to SME businesses?

It applies to every business that meets the applicability standards. It doesn’t matter how big the business is. California’s new privacy law is not focused on the size of your business, but whether it meets certain criteria as mentioned above.

What are the CCPA compliance requirements?

If the CCPA applies to your business, then you have to be CCPA compliant.

The requirements you need to meet include:

  • A CCPA compliant privacy policy
  • Respect of consumer rights to know, to access, to deletion, etc.
  • Provide privacy notices to consumers when they arrive on your website or app
  • Provide an opportunity to opt-out of the sales of personal information
  • Keep records of your privacy practices.

This is not an exhaustive list. The CCPA compliance requirements depend on the circumstances your business operates in and your privacy practices.

What are the fines for non-compliance with the CCPA?

Failure to comply with the CCPA puts you at risk of huge fines. You can expect the Attorney General to initiate proceedings against you if you still do not meet the CCPA requirements 30 days after being notified of the violation.

This brings a risk of being fined up to $7,500 per violation in case of a data breach. It means that if you violate the CCPA-guaranteed rights of 1,000 users, you might receive a fine of up to $7,500,000 in total ($7,500 × 1,000 users).

Is CCPA the California version of GDPR?

No, it is not. The government of California may have used the momentum created by the introduction of the EU’s General Data Protection Regulation (GDPR) to augment the ePrivacy Directive, but the CCPA requirements are not as extensive as the GDPR cookie consent obligations.

How do you do CCPA vs GDPR comparison?

When comparing GDPR vs CCPA, several differences are obvious.

The CCPA is not as comprehensive as the GDPR. The California law does not require consent for the use of cookies, does not provide as many data subject (i.e. consumer) rights, does not establish a dedicated government body for enforcement, does not contain data breach rules, etc.

In general, GDPR requires the user to opt-in for collection and processing of their data. CCPA does not require that. It only provides an opportunity to opt-out.

We are compliant with the GDPR. Does it mean that we are CCPA compliant?

No, if you comply with GDPR, it doesn’t guarantee CCPA compliance by default. Chances are you already meet some of the CCPA requirements simply by being GDPR compliant, but you still have some work to do.

Compared with the EU ePrivacy Directive and the General Data Protection Regulation (GDPR), you’ll have to make adjustments to your privacy policy. You need to include a “Do Not Sell My Personal Information” link on your home page, establish methods for requests for access, change, and erasure of users’ data, establish a method for verifying the identity of the person making a data-related request, and establish a method for obtaining prior CCPA cookie consent from minors, similar to GDPR consent, before selling their personal data.

Simply put, you need to address the differences between the GDPR and the CCPA.

What is a CCPA service provider?

A CCPA service provider is what a data processor is according to the GDPR - the entity processing data on someone else’s behalf based on their instructions.

For example, your email marketing provider helps you collect email addresses and process them. They are your CCPA service provider.

Although CCPA contains a number of service provider exceptions, it prescribes some duties that service providers must abide by.

What is personal information under the CCPA?

Personal information under the CCPA is any information that could identify, describe, or be linked, directly or indirectly, with a particular consumer or household. 

Unlike other data protection laws, the CCPA involves households in the definition of personal information.

Personal information may include but is not limited to name, email address, biometric data, IP address, Internet of Things information, geolocation data, professional or employment information, and other information.

Publicly available information is not considered personal information.

What should a CCPA-compliant privacy policy contain?

A Privacy policy is explicitly required by the CalOPPA and indirectly by the CCPA. If CCPA applies to your business, then certainly CalOPPA applies as well.

When you combine the requirements from both laws, you’ll understand that your privacy policy should be written in plain language and contain at least the following:

  • What kind of information you collect and process
  • Why you collect and process information
  • How you collect and process information
  • How users can request access, change, transfer, or deletion of their personal data
  • The method for verifying the identity of the person who submits a request
  • Sales of users’ personal data and how they can opt out of the selling of their data
  • Information on financial incentives where providing personal information is involved.

Do I need to obtain the user's consent before using cookies to collect and process their personal data for CCPA compliance?

No, you don’t need to obtain their consent. Unlike many other laws worldwide, obtaining user’s consent for the use of cookies and other tracking technologies is not required for CCPA compliance.

Can we sell our users’ personal information freely?

The CCPA doesn’t prevent you from selling your users’ data, but it obliges you to allow them to opt-out of their personal information being used for a business purpose. This means that you have to include a “Do Not Sell My Personal Information” link on your website’s homepage to comply with CCPA. Anyone who wants to opt-out of sales of their personal data can click on the link and ban you from selling their personal information. You have to make this process as easy and simple as possible. That’s why you are not allowed to require users to create an account in order to opt-out.

For 13-16 year old minors, you have to obtain prior CCPA cookie consent before selling their data. For minors younger than 13, you have to obtain consent from their parents or guardians.

You are free to sell the personal information of any user who has not opted out, or of minors from whom you have obtained prior consent under the CCPA.

What is CCPA 2.0?

Officially known as the California Privacy Rights Act (CPRA), CCPA 2.0 builds upon and amends the California Consumer Protection Act (CCPA), expanding, in the process, the privacy rights of California residents.

When does CCPA 2.0 come into effect?

Although some of the changes to the current CCPA will be enforced immediately, most will not take effect until Jan 1, 2023, and apply only to personal information collected after January 1, 2022.

It is hugely important to start your CCPA 2.0 compliance efforts in advance to avoid penalties for violations.

Who needs to comply with the CCPA 2.0?

The businesses that need to comply with the CCPA need to comply with the CCPA 2.0 as well. The only difference in the applicability requirements is that one of the thresholds has been updated: the threshold of 50,000 California residents or households from whom the business collects data has been raised to 100,000 residents or households.

What changes does the CCPA 2.0 bring?

The CPRA will introduce several changes to the current CCPA setup in the form of minor revisions, new concepts, and expansion of California consumers’ rights. 

CCPA 2.0 changes include:

  • New regulations for a category of personal information known as “sensitive data”
  • A new definition of consent that introduces GDPR-like requirements 
  • A new definition for ‘sharing’ personal information 
  • Clarifications on the definition of a business under the CCPA
  • Changes to CCPA service provider requirements 
  • New disclosure requirements
  • An update to users’ right of action under CCPA
  • The California Privacy Protection Agency
  • Removal of the 30-day cure period
  • Extension of CCPA’s employee data and business-to-business data exemptions

What is sensitive data under the CCPA?

CCPA 2.0 introduces a new subcategory of personal data referred to as “Sensitive Personal Information”.

It consists of a user’s:

  • Racial or ethnic background
  • Religious beliefs 
  • Union membership
  • Contents of email or text messages
  • Genetic information
  • Sexual orientation
  • Account login, financial account, debit or credit card, alongside any other necessary security or access code, password, or credentials that facilitate access to an account
  • Specific geolocation

Benefits of the Secure Privacy CCPA module

  • Easy to install. Highly automated CCPA solution.
  • Reduce legal risks and avoid future costs.
  • Build trust with customers, employees and partners.

How do I make a website CCPA compliant?

Powerful features to scan, collect and document consent:

  • 'Do Not Sell' link and buttons: customizable ‘Do Not Sell My Personal Data’ widgets, buttons and links that enable your visitors to opt out of having their personal data sold.
  • Data request forms
  • Website scanning
  • Privacy policy and cookie declaration: automated cookie declaration and privacy policy generator that provides transparency to your visitors with updated policies.
  • Preference center: granular CCPA controls for your customers and visitors through the Visitor Preference Center.
  • Consent documentation: opt-ins and opt-outs of cookie consent are documented automatically.
  • Toll-free number: add a toll-free number to your website (paid add-on).
  • Automated cookie blocking: auto-blocking sets your cookies, scripts and tags to respond to the preference selected by site visitors.
  • Future-proof for other regulations: modular architecture that supports CCPA, GDPR, LGPD and new regulations.
