A Simple Guide to CCPA Compliance

The California Consumer Privacy Act (CCPA) is a new privacy law that gives California residents greater control of their personal data and puts tighter restrictions on how businesses collect and process personal data. It goes into effect January 1, 2020 and includes privacy regulations for all personal data collected on California residents  from January 1, 2019.  Use this simple guide to find out how the CCPA applies to you and what you should do to ensure your business is compliant.

Does the CCPA Apply to My Business?

The Test

Here’s a simple way to test if your business needs to follow CCPA compliance guidelines.

You’re a for-profit company that does business in California or serves California residents, and you can answer “yes” to at least one of the following questions:

• Does your business make at least $25M in annual gross revenue?
• Do you generate more than 50% of annual revenue from data sales?
• Have you bought, sold, and/or shared personal data on 50 thousand or more California residents, households, or devices for commercial purposes?

If none of these apply to your business, good news! You’re not required to follow the CCPA guidelines.

For everyone else, here’s what you should know.

If the CCP Does Apply,  Here’s What You Need to Know

Businesses must allow California residents to opt-out of the sale of personal information.

The sale of personal information under the CCPA  includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.

Data used for business purposes does not fall under the CCPA guidelines.

Businesses do not need to offer an opt-out for data collected for business purposes. In other words, you may collect and use customer first party data if you aren’t selling it. 

Examples of “business purposes” may include contextual customization, such as website cookies that remember a user’s items in a shopping cart or their billing and  shipping addresses. Another example is the use of website analytics for counting and verifying ad impressions.

What is considered “personal information” under the CCPA?

According to the CCPA, personal information is any sensitive or psudononymous data that can be linked back to an individual consumer or household.

Specifically, the CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. ”

Examples may include web browsing and search history, mobile IDs, IP addresses, location data, Personally identifiable information (PII) data  such as name, address, phone number, or email address, professional or employment-related information, or inferences drawn from any of the above examples that can create a profile about a consumer.

A household is anyone living under the same residence. If a consumer opts-out, all data collected across every device of all individuals within a household must be deleted and future data that is collected for sale purposes is prohibited.

The CCPA regulations cover only California residents who opt-out.

Unlike the EU’s GDPR, the CCPA is opt-in, not opt-out. As long as a person whose data is being collected  hasn’t opted out, you may continue to use the data for cookie matching, programmatic advertising and  targeting.  Also, the law only applies to the  personal data of California residents.

Businesses  can still collect, use, retain, sell, and disclose de-identified or aggregated data.

De-identified information involves individual records that can no longer be associated or relinked with any particular individual. For information to be considered aggregate, it must not be linked or reasonably linked to any consumer or household. If information can be linked to a device, it is not considered aggregate consumer information.

Your website must provide an option for consumers who are California residents to opt-out of the sale of personal information. Here’s how to do it:

1. Publish a “DO NOT SELL MY PERSONAL INFORMATION” button

Publish the button on your homepage and any web page that collects personal information from California residents.

Online only direct-to-consumer businesses can link the button to an opt-out email address.

For businesses not exclusively online or those that do not have direct relationships with consumers, you will need to link to an opt-out page and list a toll-free phone number. Your Privacy Policy and homepage must also link to the opt-out page.

2. Update your Privacy Policy

Your Privacy Policy must include the five California consumer rights defined under the CCPA:

1. The right to notice
2. The right to opt-out
3. The right to access
4. The right to request deletion
5. The right to equal services and practices

You must also disclose the following for all personal information that you’ve released, sold, disclosed or transferred for sale purposes from January 1, 2019:

1. What kind of information is collected
2. How it is collected
3. Why it is collected
4. How consumers can access, delete or deny the collection of their personal information
5. How you verify consumer age and obtain minor consent. Minors must opt-in to the collection of personal information for sale purposes. Under age 13, you must obtain parental consent. For minors ages 13 – 16, you must obtain consent directly from the consumer. Minors must also be able to opt in, and later, opt out, of the sale of their PII.    For more information, read the National Law Review’s article Special Rules Regarding Minors

3. Develop an internal process for making data rights actionable.

In other words, you will need to create a standard procedure for deleting data when requested by California residents. This could mean a dedicated email address for opt-out requests and detailed measures for deleting data from internal and external databases as well as communicating to third parties with whom the data has been shared.

Claims for Damages 

Individuals can sue for $100 to $750 per breach or actual damages, whichever is higher.

Civil Penalties

In addition to damages for claims filed against you, your business could  be charged with a civil penalty of up to  $2,500 for each unintentional breach and up to $7,500 per intentional breach. 

For more information about the California Consumers Privacy Act visit https://www.caprivacy.org/

LEGAL DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions.