A simple guide to CCPA compliance

by Amber Foster

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a new privacy law that gives California residents greater control of their personal data and puts tighter restrictions on how businesses collect and process personal data. It goes into effect January 1, 2020 and includes privacy regulations for all personal data collected on California residents from January 1, 2019. 

Use this simple guide to find out how the CCPA applies to you and what you should do to ensure your business is compliant.

Does the CCPA Apply to My Business?

The CCPA covers for-profit companies that do business in California or serve California residents. Additionally, these companies must meet one or more of the following criteria for the CCPA to apply:

  • Earn at least $25M in annual gross revenue
  • Earn more than 50% of annual revenue from data sales
  • Has bought, sold, and/or shared personal data on 50 thousand or more California residents, households, or devices for commercial purposes

If none of these apply to your business, good news. You’re not required to follow the CCPA guidelines. For everyone else, read on to learn more about compliance requirements and how to prepare your business for the big changes ahead.

If the CCPA Does Apply,  Here’s 5 Things You Need to Know

1. Under the CCPA, businesses must allow California residents to opt-out of the sale of personal information.

The sale of personal information under the CCPA  includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”

2. Data used for business purposes does not fall under the CCPA guidelines.

Businesses do not need to offer an opt-out for data collected for business purposes. Meaning, its ok to collect and use customer first party data if you aren’t selling it. Examples of businesses uses are for 1st-party uses, including contextual customization such as website cookies that remember a user’s items in a shopping cart or their billing and  shipping addresses, or website analytics such as counting and verifying ad impressions.

3. How the CCPA defines personal information.

According to the CCPA, personal information is any sensitive or psudononymous data that can be linked back to an individual consumer or household.

Specifically, the CCPA defines personal information as “information that identifies, relates to,describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. ”

Examples may include web browsing and search history, mobile IDs, IP addresses, location data, Personally identifiable information (PII) data  such as name, address, phone number, or email address, professional or employment-related information, or inferences drawn from any of the above examples that can create a profile about a consumer.

A household is anyone living under the same residence. If a consumer opts-out, all data collected across every device of all individuals within a household must be deleted and future data that is collected for sale purposes is prohibited.

4. The CCPA regulations cover only California residents who opt-out.

Unlike the EU’s GDPR, the CCPA is opt-in, not opt-out. As long as a person whose data is being collected  hasn’t opted out, you may continue to use the data for cookie matching, programmatic advertising and  targeting.  Also, the law only applies to the  personal data of California residents.

5. The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose de-identified or aggregated data.

De-identified information involves individual records that can no longer be associated or relinked with any particular individual. For information to be considered aggregate, it must not be linked or reasonably linked to any consumer or household. If information can be linked to a device, it is not considered aggregate consumer information.

Penalties for Noncompliance

Individuals can sue for $100 to $750 per breach or actual damages, whichever is higher. You could also be charged with a civil penalty of up to $2,500 for each unintentional breach and up to $7,500 per intentional breach.

CCPA Compliance Checklist

Use this simple checklist to bring your business into compliance with the CCPA.

1. Perform a comprehensive review of your data collection and management systems

Conduct an audit of your current data privacy practices, policies and procedures. Review terms of use and other customer contracts and templates to ensure there are no provisions which waive customer rights to request data. Make sure CCPA-mandated provisions are included in service agreements with vendors and service providers.

2. Make it easy for California consumers to opt-out of the sale of personal information.

Publish a “DO NOT SELL MY PERSONAL INFORMATION” page for California residents. A link to this page should be visible on your homepage and any web page that collects personal information.

Online only direct-to-consumer businesses can link to an opt-out email address. For businesses not exclusively online or those that do not have direct relationships with consumers, you will need to link to an opt-out page and list a toll-free phone number and email addresses where consumers can submit information access requests . Your Privacy Policy and homepage must also link to the opt-out page. Avoid requesting opt-in consent for one year after a California resident opts-out.

3. Update your Privacy Policy

Your Privacy Policy must include the five California consumer rights under the CCPA:

  1. The right to notice
  2. The right to opt-out
  3. The right to access
  4. The right to request deletion
  5. The right to equal services and practices

You must also provide details for all personal information that you’ve released, sold, disclosed or transferred for sale purposes from January 1, 2019, including:

  1. What kind of information is collected
  2. How it is collected
  3. Why it is collected
  4. How consumers can access, delete or deny the collection of their personal information
  5. How you verify consumer age and obtain minor consent. Minors must opt-in to the collection of personal information for sale purposes. Under age 13, you must obtain parental consent. For minors ages 13 – 16, you must obtain consent directly from the consumer. Minors must also be able to opt in, and later, opt out, of the sale of their PII. For more information read the National Law Review’s article, Special Rules Regarding Minors.

4. Develop an internal process for making data rights actionable.

You will need to create a standard procedure for deleting data when requested by California residents. This could mean a dedicated email address for opt-out requests and detailed measures for deleting data from internal and external databases as well as communicating to third parties with whom the data has been shared. Your process must be well-documented and all employees should be trained to execute these procedures.

For more information about the California Consumers Privacy Act visit https://www.caprivacy.org/

LEGAL DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions.