Learn about the California Consumer Privacy Act (CCPA) and how to become compliant


What is CCPA?

What Does CCPA Stand For?


CCPA stands for California Consumer Privacy Act of 2018. It is the most recent personal data protection law passed by the State of California, a response to the growing role of personal data in contemporary business practices and to the privacy implications of collecting, using, and protecting personal information.

The California government leads among the US states in passing laws aimed to protect the right to privacy of its residents.

What happens to CalOPPA and other California privacy laws from 2020? Will I still have to comply with them?


CCPA is not a replacement for any existing California privacy law. All of them are expected to remain in effect after 1 January 2020; therefore, you’ll have to comply with them all. CCPA was meant to complement the current personal data protection framework, not to replace it. CalOPPA and the other personal data protection laws will continue to exist, which means your business’s obligations under them remain. Introducing the CCPA doesn’t change your duty to comply with other California privacy laws, such as CalOPPA, Shine the Light, and the Privacy Rights for California Minors in the Digital World Act.

What is the difference between CalOPPA and CCPA?


CalOPPA and CCPA share certain similarities, but they have differences as well.

    1. Privacy policy. If you include information on how, what, and why you collect and process personal information, you’ll satisfy the requirements of both CalOPPA and CCPA. However, they have some differences.
      • CalOPPA requires your privacy policy to state:
        • How the website responds to Do Not Track signals
        • The effective date of the privacy policy
        • How you’ll inform your users of any changes to the privacy policy
      • CCPA requires your privacy policy to state:
        • Whether you sell your users’ information and how they can opt out of the sale
        • The methods you use to verify the identity of a person who requests access to, change of, or erasure of their data
        • The methods for submitting such requests

    Who the law applies to. CalOPPA applies to businesses based in California and to businesses based outside the state that have collected personal information of at least one California resident.

    2. Prior consent. CalOPPA doesn’t require prior consent in any case. CCPA requires obtaining prior consent from minors before selling their personal data. If they are 13-16 years old, you have to obtain consent from them. If they are younger than that, you have to obtain prior consent from their parents or guardians.
    3. Do Not Sell My Personal Data. CalOPPA doesn’t mention the selling of personal data at all. CCPA requires including a “Do Not Sell My Personal Data” link on your home page. If a user clicks on that link, you are no longer allowed to sell their data.

Who does CCPA apply to?


The CCPA applies to every company in the world if:

  1. They collect personal data of California residents
  2. They (or their parent company or a subsidiary) exceed at least one of the three thresholds:
    • Annual gross revenues of at least $25 million
    • Obtain personal information on at least 50,000 California residents, households, and/or devices per year
    • At least 50% of their annual revenue is generated from selling California residents’ personal information

A California resident is defined by the California laws as any person who:

  • Is in California for other than a temporary or transitory purpose
  • Is domiciled in California, but is outside the state for temporary or transitory purposes

Does CCPA apply to SME businesses?


It doesn’t matter how small or big your business is. CCPA is not focused on the size of your business, but on whether it meets the criteria mentioned above.

What are the penalties for non-compliance?


Non-compliance with the CCPA puts you at risk of huge fines. You can expect the Attorney General to initiate a civil case against you if you remain non-compliant more than 30 days after being notified of the violation. This brings a risk of being fined up to $7500 per violation.

It means that if you violate the CCPA-guaranteed rights of 1000 users, you might receive a fine of up to $7,500,000 in total ($7500 × 1000 users).

Is CCPA the California version of the GDPR?


No, it is not. The government of California may have used the momentum created by the introduction of GDPR, but the CCPA is not as extensive as the GDPR. The GDPR shares similarities with other privacy laws introduced recently, but they have substantial differences.

These differences include the entities they cover, information required in privacy policies, prior consent, and sales of personal information. For more information read this article.

We are GDPR-compliant. Does it mean that we are CCPA-compliant as well?


No, being GDPR compliant doesn’t mean that you are CCPA compliant by default. Chances are you already meet some of the CCPA requirements simply by meeting the GDPR ones, but you still have some work to do. You’ll have to adjust your privacy policy, include a “Do Not Sell My Personal Information” link on your home page, establish methods for submitting requests for access, change, and erasure of data, establish a method for verifying the identity of the person making a data-related request, and establish a method for obtaining prior consent from minors before selling their personal data.

What is personal data according to the CCPA?


CCPA defines personal data as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This law differs from others by including household information in the scope of the definition of personal data.

Personal information may include, but is not limited to, names, email addresses, biometric data, IP addresses, Internet of Things information, geolocation data, and professional or employment information.

Publicly available information is not considered personal information under the CCPA.

What should a CCPA-compliant privacy policy contain?


If you collect and process users’ personal information, ensure your privacy policy includes, at a minimum:

  • What kind of information you collect and process
  • Why you collect and process that information
  • How you collect and process that information
  • How users can request access to, change of, transfer of, or deletion of their personal data
  • The method for verifying the identity of the person who submits a request
  • Whether you sell users’ personal data and how they can opt out of the selling of their data

Do I need to obtain prior consent before collecting and processing users’ data?


No, unlike many other privacy laws, the CCPA doesn’t require obtaining prior consent for collecting and processing your users’ data.

Can we sell our user’s personal data freely?


The CCPA doesn’t prevent you from selling your users’ personal data, but it obliges you to allow them to opt out of the sale. This means that you have to include a “Do Not Sell My Personal Information” link on your website’s homepage. Anyone who wants to opt out of sales of their personal data can click on the link and thereby prohibit you from selling their personal information. You have to make this process as easy and simple as possible. That’s why you are not allowed to require users to create an account in order to opt out.

For 13-16 year old minors, you have to obtain prior consent before selling their data. For minors younger than 13, you have to obtain consent from their parents or guardians.

You are free to sell the personal information of any user who has not opted out, and the personal information of minors for whom you have obtained prior consent pursuant to the CCPA.

How do I make a website CCPA-compliant?


CCPA contains clear and precise requirements that your business needs to meet if this law applies to you. These requirements include:

  • Updating your privacy policy with information on how, why, and what personal information you collect and process.
  • Updating your privacy policy with information on how your users can request access to, change of, or erasure of the personal data you have collected about them.
  • Introducing a method for verifying the identity of the person making such requests.
  • Introducing a “Do Not Sell My Personal Information” link on your home page. It lets your users prohibit you from selling their personal data.
  • Obtaining prior consent from minors 13-16 years old before selling their personal data. For minors younger than 13, you have to obtain prior consent from their parents.

Is our website affected by CCPA?


CCPA affects your website if you collect and process data of California residents and exceed at least one of the following thresholds:

  • Annual gross revenues of at least $25 million
  • Obtaining personal information on at least 50,000 California residents, households, and/or devices per year
  • At least 50% of your annual revenue is generated from the sale of California residents’ personal information

Anyone can visit your website, including California residents. Therefore, if you exceed or may soon exceed any of the thresholds listed above and you use any type of tracking tools, it is better to be CCPA-compliant.

Have you prepared data maps of California residents?


A data map, or data inventory, is the result of working out what types of information you collect, why you collect them, where they are held, with whom they are shared, how they are transferred, and the other questions related to the data collection and use you conduct regularly.

Meeting the CCPA requirements in practice means mapping the data you hold on your users from California. Data mapping is not explicitly required by the CCPA, but it is a good practice that minimizes the risks associated with users’ data: you cannot answer an access or deletion request, or honor an opt-out, for data you do not know you hold.

Does your privacy policy meet the requirements?


A privacy policy is a document that explains what you do with your users’ data. It may also inform them of their privacy rights.

CCPA requires being transparent about your data-usage practices, which is best done through your privacy policy. To make it CCPA-compliant, you need to update it by adding the following:

  • What kind of information you collect and process
  • Why you collect and process that information
  • How you collect and process that information
  • The methods for requesting access to, change of, transfer of, or deletion of personal data
  • The method for verifying the identity of the person who submits a request
  • Whether you sell users’ personal data and how they can opt out of the selling of their data

This will make you CCPA-compliant, but feel free to go a step further with transparency if you want to. Just don’t go below the required minimum.

Are you obtaining prior consent from minors?


CCPA requires obtaining prior consent from minors before selling their personal information. If they are 13-16 years old, you have to obtain it from them. If they are younger, it is necessary to obtain it from their parents or guardians.

You may ask for consent whenever a minor California resident comes to your website and keep it, or ask for it right before selling their data. However, do not sell their data without their consent. It is a breach of their privacy rights and you’ll be fined.

Do you have evidence of valid consent?


Ensure that you keep a record of each consent obtained from minors and from their parents or guardians. It is good practice to keep documentation of everyone who has given or rejected consent, so that you can show on which basis a given sale was made.

Have you made it easy for your users to opt out of the selling of their personal information?


CCPA doesn’t prevent you from selling your users’ information, except for minors (from whom you have to obtain a valid consent).

However, if your users don’t want their data sold, they can prohibit you from selling it. CCPA requires businesses to provide users with a means to opt out. You have to include a “Do Not Sell My Personal Information” link in a prominent place on the homepage of your website. You are not allowed to sell the personal information of users who have clicked the link.

Can users contact you easily about their personal information?


CCPA grants your California users a right to access the personal data you’ve collected from them; they can request changes to the information, move it somewhere else, or delete it. You have a duty to provide means for submitting such requests.

CCPA requires making two or more designated methods available to your consumers for submitting requests to exercise their data protection rights. At a minimum, you have to provide a web address for your website and a toll-free telephone number. Feel free to add an email address, a mailing address, an online contact form, or other methods in addition to these two.

How do you identify the users who make data-related requests?


CCPA requires establishing a method for identifying the users who make data-related requests to you. You have to ensure that the person who submits the request is really the person whose data the request concerns. That’s why you have to set up a system for verifying their identity. It protects you as much as your users: fulfilling an access or deletion request from an impostor would itself disclose or destroy someone else’s personal data.