The California Consumer Privacy Act (CCPA) is a law passed by the state of California to give its residents the right to transparency and control over the personal information that businesses collect and use. It was signed into law on June 28, 2018; however, it did not take effect until January 1, 2020. This means that businesses must demonstrate CCPA compliance or face costly violations. The CCPA has since been amended by the California Privacy Rights Act (CPRA), which provides more comprehensive regulations. The CPRA will supersede the CCPA and be enforceable beginning January 1, 2023.
How CCPA Impacts Businesses and Consumer Privacy
The CCPA defines personal information as data that identifies, relates to, or could reasonably be linked with you or your household. For example, personal information could be as simple as an email address or phone number, or as complex as internet browsing history or records of purchased products. The CCPA goes beyond the standard U.S. privacy protections and mirrors the European Union’s General Data Protection Regulation (GDPR). Ultimately, these changes are a wave of the future and cannot be ignored. Following these guidelines not only keeps your business on the right side of the law, but also encourages businesses to handle personal data responsibly. Additionally, it gives customers more control over, and visibility into, how their personal information is processed.
The CCPA was rushed into law, as it passed only seven days after being drafted. Consequently, the CCPA was incomplete and full of gaps. As a result, the California Privacy Rights Act (CPRA) was drafted and passed into law to fill in those holes. The CCPA and CPRA are both active and effective legislation.
Who Does the California Consumer Privacy Act Apply To?
The CCPA applies to specific types of for-profit businesses that handle the personal information of California residents, who are the people it protects. Nonprofits and government agencies are exempt from violations.
For-profit businesses that do business in California and meet at least one of the following criteria are subject to the CCPA:
- Gross annual revenue of over $25 million.
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices.
- Obtain 50% or more of annual revenue from selling California residents’ personal information.
California residents have the following four privacy rights connected to the handling of personal information by businesses:
- Right to Know: Transparency on how personal information is collected and used by businesses.
- Right to Delete: Ability to delete personal records collected by a business.
- Right to Opt-Out: Can refuse permission to use personal information for sales purposes.
- Right to Non-Discrimination: Individuals who exercise their CCPA rights must receive equal service from businesses.
What happens if you are not CCPA compliant?
Companies have 30 days to comply with the law once notified of a violation. If the issue isn’t resolved, the offending business can receive civil fines of as much as $7,500 per record in violation.
However, individuals cannot sue a business for most CCPA violations unless the violation is connected to a data breach. Under CCPA regulations, individuals can sue a business for a data breach if the stolen personal information contains a name combined with other personally identifiable information. Private suits can recover up to $750 per incident, or more if actual damages are higher.
CCPA Compliance Checklist for Websites
Now you know what the California Consumer Privacy Act is, who it applies to, and how costly it can be for those in violation. Here’s a list of ways to help keep you compliant with the CCPA law. This is not a complete list, but is directly applicable to most websites that fall under the CCPA.
- Have a “Notice of Collection”: This informs users when a website may collect information that is considered personal, and gives them the ability to opt out of that collection and of any option that would grant permission to sell this data.
- Update Privacy Policy: Under CCPA requirements, privacy policies must include information on consumers’ privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination. A link to a privacy policy must be on the home page. If you sell personal information, you must have a link titled “Do Not Sell My Information” clearly and conspicuously placed on your homepage with a way to opt out.
- Post a Request Form: If a California resident is unable to find an answer to their questions in your privacy policy, the CCPA mandates that they be able to submit requests to the company to exercise their rights.
- Use Toll-Free Numbers: As part of CCPA requirements, businesses must provide two methods for processing requests. One must be on the website (if it exists) and the other is a telephone number. Place your toll-free number prominently on your website and in your privacy policy.
- Review Cookies: Be aware of the cookies and tracking services that are running on your website. Whether they are your “first-party” or “third-party” cookies or tracking services, have them listed on your privacy policy and notice of collection with details on how they function. CCPA requires businesses to inform consumers before or at the point of collection of their personal data, but does not require prior, explicit cookie consent.
- Create a Method to Handle Requests: Whether requests come from a web form or a phone call, they must be documented and processed, and, when finished, the person who made the request must be notified. Remember, some changes need action within 30 to 45 days, so you cannot delay in acting on requests.
- Process Minors’ Information Appropriately: Selling and sharing the information of minors must follow special requirements, like having opt-in consent from minors between 13 and 15 years old, or from legal guardians if the minor is younger than 12. Penalties are tripled for violations involving minors 16 and under.
- Schedule Website Changes: Work with your tech team or web designers to implement the notice of collection, update documentation and policies, as well as other topical or code changes to reflect compliance.
- Audit Your Security: As stated earlier, hefty fines and personal lawsuits apply when these violations are connected to data breaches. Consult with your IT team or network managers to revamp the security that protects sensitive information from being compromised.
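The “Review Cookies” item above asks you to know every first-party and third-party cookie your site sets so they can be listed in the privacy policy and notice of collection. The script below is an added example (not code from the article) of how a site owner might build that inventory from captured HTTP responses: it parses each Set-Cookie header, records the attributes a disclosure typically needs (domain, lifetime, Secure, HttpOnly, SameSite), and classifies the cookie as first-party or third-party relative to the site being reviewed. The sample responses and hostnames (`.test` domains) are constructed for the example, and the first-party test uses a simplified “last two DNS labels” rule, which is an assumption; a production inventory should use the public-suffix list instead.

```python
"""Cookie inventory for a privacy-policy review (added example, not from the article)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class CookieRecord:
    name: str
    set_by: str      # host that sent the Set-Cookie header
    domain: str      # Domain attribute, or the setting host when absent
    party: str       # "first-party" or "third-party" relative to the reviewed site
    secure: bool
    http_only: bool
    same_site: str   # SameSite value, or "unspecified"
    expires: str     # "session" when neither Expires nor Max-Age is present


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two DNS labels.
    Assumption for this example only; real code should consult the public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_set_cookie(header: str, setting_host: str, site_host: str) -> CookieRecord:
    """Parse one Set-Cookie header value into a CookieRecord."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # flag attributes get an empty value
    domain = attrs.get("domain", setting_host).lstrip(".").lower()
    party = ("first-party"
             if registrable_domain(domain) == registrable_domain(site_host)
             else "third-party")
    if "max-age" in attrs:
        expires = f"max-age={attrs['max-age']}"
    elif "expires" in attrs:
        expires = attrs["expires"]
    else:
        expires = "session"
    return CookieRecord(
        name=name.strip(),
        set_by=setting_host,
        domain=domain,
        party=party,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", "unspecified"),
        expires=expires,
    )


def inventory(responses, site_url: str) -> list:
    """Walk (url, headers) pairs captured during a page load and collect every cookie set."""
    site_host = urlsplit(site_url).hostname
    records = []
    for url, headers in responses:
        host = urlsplit(url).hostname
        for key, value in headers:
            if key.lower() == "set-cookie":
                records.append(parse_set_cookie(value, host, site_host))
    return records


def summarize(records) -> dict:
    """Group cookie names by party, the split a notice of collection usually presents."""
    return {
        "first-party": sorted(r.name for r in records if r.party == "first-party"),
        "third-party": sorted(r.name for r in records if r.party == "third-party"),
    }


# Constructed sample: responses a page load of the (fictional) reviewed site might produce.
SITE_URL = "https://www.example-shop.test/"
SAMPLE_RESPONSES = [
    ("https://www.example-shop.test/", [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Set-Cookie", "cart=3items; Domain=.example-shop.test; Path=/; Max-Age=2592000"),
    ]),
    ("https://analytics.tracker-example.test/collect", [
        ("Set-Cookie", "_tid=9f8e7d; Domain=.tracker-example.test; "
                       "Expires=Wed, 01 Jan 2025 00:00:00 GMT; SameSite=None; Secure"),
    ]),
]

if __name__ == "__main__":
    for rec in inventory(SAMPLE_RESPONSES, SITE_URL):
        print(f"{rec.name:12} {rec.party:12} domain={rec.domain} expires={rec.expires} "
              f"secure={rec.secure} httponly={rec.http_only} samesite={rec.same_site}")
```

Each record in the output maps directly onto a row in the cookie table of a privacy policy; the third-party entries are the ones that most often need a “how it functions” description and an opt-out path.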
In addition to the tips above, consult with professional legal counsel to create a comprehensive compliance plan for your business. Beyond this, it’s important to have CCPA requests processed appropriately over the phone or through a special website form to accommodate individual needs and satisfy the law.