Learn about the California Consumer Privacy Act (CCPA) and how to become compliant


What is CCPA?

What Does CCPA Stand For?


CCPA stands for the California Consumer Privacy Act of 2018. It is the most recent cookie law passed by the State of California, adopted in response to the growing role of personal data in contemporary business practices and the privacy implications of collecting, using, and protecting personal information.

With it, California set the precedent among US states for passing laws aimed at protecting consumer privacy.

What happens to CalOPPA and other California privacy laws from 2020? Will I still have to comply with them?


The California Consumer Privacy Act (CCPA) does not replace any existing California data protection law. All of them remain in effect after 1 January 2020, so you’ll have to comply with every data protection regulation adopted in the state. CCPA was meant to complement the existing personal data protection laws, not to replace them; CalOPPA and the others continue to exist, and your obligations under them remain unchanged. In other words, the introduction of the CCPA changes nothing about your duty to comply with other California privacy laws, such as CalOPPA, Shine the Light, and the Privacy Rights for California Minors in the Digital World Act.

What is the difference between CalOPPA and CCPA?


CalOPPA and CCPA share certain similarities, but they also differ in several respects.

    1. Privacy policy. If your privacy policy explains how, what, and why you collect and process personal data, you’ll satisfy the requirements of both CalOPPA and CCPA. However, each law asks for some details the other does not.
      • CalOPPA requires your privacy policy to state:
        • How the website responds to Do Not Track signals
        • The effective date of the privacy policy
        • How you’ll inform your users of any changes to the privacy policy
      • CCPA requires your privacy policy to include:
        • Information about the selling of your users’ data and how they can opt out of it
        • The method for ensuring a verifiable consumer request for access, change, or erasure of data
        • The methods for submitting such requests
    2. Who the privacy law applies to. CalOPPA applies to businesses based in California and to businesses based outside the state that have collected the personal information of at least one California resident. The scope of the CCPA is described below under “Who does CCPA apply to?”.
    3. Prior consent. CalOPPA doesn’t require prior user consent in any case. CCPA requires obtaining prior consent from minors before selling their personal data: if they are 13-16 years old, you have to obtain consent from them; if they are younger than that, you have to obtain prior CCPA cookie consent from their parents or guardians.
    4. Do Not Sell My Personal Data. CalOPPA says nothing about the selling of personal data. CCPA requires a “Do Not Sell My Personal Data” link on your home page; once a user clicks that link, you are not allowed to sell their personal information.

Who does CCPA apply to?


The California Consumer Privacy Act (CCPA) applies to every company in the world if:

  1. They collect the personal data of California residents, and
  2. They (or their parent company or a subsidiary) meet at least one of the following three thresholds:
    • Annual gross revenues of at least $25 million
    • Obtaining the personal information of at least 50,000 California residents, households, and/or devices per year
    • Deriving at least 50% of their annual revenue from selling California residents’ personal data

A California resident is defined by California’s privacy law as any person who:

  • Is in California for other than a temporary or transitory purpose, or
  • Is domiciled in California but is outside the state for a temporary or transitory purpose

Does CCPA apply to SME businesses?


It doesn’t matter how small or big your business is. California’s new privacy law is not concerned with the size of your business, but with whether it meets the criteria listed above.

What are the penalties for non-compliance?


Failure to comply with the CCPA puts you at risk of substantial fines. If you have not met the CCPA requirements within 30 days of being notified of a violation, you can expect the Attorney General to bring a civil action against you, with fines of up to $7,500 per violation in the case of a data breach.

This means that if you violate the CCPA-guaranteed rights of 1,000 users, you might receive a fine of up to $7,500,000 in total ($7,500 × 1,000 users).

Is CCPA the California version of the GDPR?


No, it is not. The government of California may have used the momentum created by the introduction of the EU’s General Data Protection Regulation (GDPR) to augment the ePrivacy Directive, but the CCPA requirements are not as extensive as the GDPR cookie consent obligations. The GDPR shares similarities with other recently introduced data privacy laws, but there are substantial differences between them.

These differences include the entities they cover, the information required in privacy policies, prior consent, and the sale of personal information. For more information, read this article.

We are GDPR-compliant. Does it mean that we are CCPA-compliant as well?


No, complying with the GDPR doesn’t guarantee CCPA compliance by default. Chances are you already meet some of the CCPA requirements simply by being GDPR compliant, but you still have work to do. Beyond what the EU ePrivacy Directive and the General Data Protection Regulation (GDPR) require, you’ll have to adjust your privacy policy. You need to include a “Do Not Sell My Personal Information” link on your home page, establish methods for users to request access to, changes to, and erasure of their data, establish a method for verifying the identity of the person making a data-related request, and establish a method for obtaining prior CCPA cookie consent from minors (similar to GDPR consent) before selling their personal data.

What is personal data according to the CCPA?


The definition of ‘personal data’ under the CCPA explicitly states that it is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This law differs from the GDPR, the ePrivacy Directive, and other privacy laws by including household information in the scope of what personal information entails.

Personal information may include but is not limited to name, email address, biometric data, IP address, Internet of Things information, geolocation data, professional or employment information, and other information.

Publicly available information is not considered personal information under the GDPR & CCPA.

What should a CCPA compliant privacy policy contain?


If you collect and process users’ personal information, ensure your privacy policy includes at least the following:

  • What kind of information you collect and process
  • Why you collect and process that information
  • How you collect and process that information
  • How users can request access to, changes to, transfer of, or deletion of their personal data
  • The method for verifying the identity of the person who submits a request
  • Whether you sell users’ personal data and how they can opt out of the sale of their data

Do I need to obtain prior consent before collecting and processing users’ data?


No, unlike many other consumer data protection regulations, this cookie law doesn’t require obtaining prior CCPA cookie consent for collecting and processing your users’ data.

Can we sell our users’ personal data freely?


The CCPA doesn’t prevent you from selling your users’ data, but it obliges you to let them opt out of their personal information being used for a business purpose. This means that you have to include a “Do Not Sell My Personal Information” link on your website’s homepage to comply with the CCPA. Anyone who wants to opt out of the sale of their personal data can click the link and thereby prohibit you from selling their personal information. You have to make this process as easy and simple as possible, which is why you are not allowed to require users to create an account in order to opt out.

For 13-16 year old minors, you have to obtain prior CCPA cookie consent before selling their data. For minors younger than 13, you have to obtain consent from their parents or guardians.

You are free to sell the personal information of any user who has not opted out, and of any minor from whom you have obtained prior consent pursuant to the CCPA.

How do I make a website CCPA compliant?


The CCPA contains clear and precise compliance requirements that your business needs to meet if the law applies to you. Compliance with the CCPA therefore requires:

  • Updating your privacy policy with information on how, why, and what personal information you collect and process.
  • Updating your privacy policy with information on how your users can request access to, changes to, or erasure of the personal data you have collected about them.
  • Introducing a method for verifying the identity of the person making such requests.
  • Introducing a “Do Not Sell My Personal Information” link on your home page. It lets your users prohibit you from selling their personal data.
  • Obtaining prior consent from minors 13-16 years old before selling their personal data. For minors younger than 13, you have to obtain prior consent from their parents.

Is our website affected by CCPA?


The CCPA affects your website if you collect and process the data of California residents and meet at least one of the following thresholds:

  • Annual gross revenues of at least $25 million
  • Obtaining the personal information of at least 50,000 California residents, households, and/or devices per year
  • Deriving at least 50% of your annual revenue from the sale of California residents’ personal data

Anyone can visit your website, including California consumers. Therefore, if you exceed or may soon exceed any of the thresholds listed above and you use any type of tracking tool, it is better to be CCPA compliant.

Have you prepared data maps of California residents?


A data map, or data inventory, is the result of working out what type of information you collect, why you collect it, where it is held, with whom it is shared, how it is transferred, and the answers to other questions about the data collection and use you conduct regularly.

Meeting the CCPA requirements in practice means mapping the data you hold on your California consumers. Data mapping is not explicitly required by the California Consumer Privacy Act, but it is good practice that minimizes the risks associated with users’ data.

Does your privacy policy meet the requirements?


A privacy policy is a document that explains what you do with users’ data. It may also provide them with information on their consumer privacy rights.

The CCPA requires you to be transparent about your data-usage practices, which is best done through your privacy policy. To ensure it is CCPA compliant, you need to update it to cover the following:

  • What kind of information you collect and process
  • Why you collect and process that information
  • How you collect and process that information
  • The methods by which users can request access to, changes to, transfer of, or deletion of their personal data
  • The method for verifying the identity of the person who submits a request
  • Whether you sell users’ personal data and how they can opt out of the sale of their data

This will ensure compliance with the CCPA, but feel free to go a step further with transparency if you want to. Just don’t go below the required minimum.

Are you obtaining prior consent from minors?


The CCPA requires obtaining prior cookie consent from minors before selling their personal information. If they are 13-16 years old, you have to obtain it from them. If they are younger, you have to obtain it from their parents or guardians.

You may ask for consent whenever a minor California resident visits your website and keep a record of it, or ask for it right before selling their personal data. Either way, do not sell their data without their consent: doing so is a breach of their consumer privacy rights and you’ll be fined.

Do you have evidence of valid consent?


For effective consent management, keep a record of each and every CCPA cookie consent obtained from minors and their parents. It is also good practice to keep documentation of everyone who has given or refused consent for the placement of different types of cookies.

Have you made it easy for your users to opt-out of the selling of their personal information?


The CCPA doesn’t prevent you from selling your users’ information, except in the case of minors, from whom you have to obtain valid consent.

However, if your users don’t want their data sold, they can prohibit you from selling it. This California data protection regulation requires businesses to provide users with a means to opt out: you have to include a “Do Not Sell My Personal Information” link in a prominent place on the homepage of your website, and you are not allowed to sell the personal information of users who have clicked it.

Can users contact you easily about their personal information?


The California Consumer Privacy Act (CCPA) grants your California users a right to access the personal data you’ve collected from them; they can also request changes to the information, have it moved elsewhere, or have it deleted. You have a duty to provide a means for submitting such requests.

The CCPA requires you to make two or more designated methods available to consumers for submitting requests related to exercising their data protection rights. At a minimum, you have to provide a web address and a toll-free telephone number. Feel free to add an email address, a mailing address, an online contact form, or other methods in addition to these two.

How do you identify the users who make data-related requests?


The CCPA requires you to establish a method for identifying the users who make data-related requests. You have to ensure that the person submitting a request really is the consumer whose data the request concerns, which is why you have to set up a system that guarantees verifiable consumer requests. This protects you as much as your users.