A Simple Guide to CCPA Compliance
The California Consumer Privacy Act (CCPA) is a new privacy law that gives California residents greater control of their personal data and puts tighter restrictions on how businesses collect and process personal data. It goes into effect January 1, 2020 and includes privacy regulations for all personal data collected on California residents from January 1, 2019. Use this simple guide to find out how the CCPA applies to you and what you should do to ensure your business is compliant.
Does the CCPA Apply to My Business?
The CCPA applies to you if:
You are a for-profit company that does business in California or serves California residents, AND any of the following are true
- You make at least $25M in annual gross revenue
- You generate more than 50% of annual revenue from data sales
- Have bought, sold, and/or shared personal data on 50 thousand or more California residents, households, or devices for commercial purposes
If none of these apply to your business, you’re not required to follow the CCPA guidelines.
If the CCP Does Apply, Here’s What You Need to Know
Under the CCPA, businesses must allow California residents to opt-out of the sale of personal information.
The sale of personal information under the CCPA includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”
Data used for business purposes does not fall under the CCPA guidelines.
Businesses do not need to offer an opt-out for data collected for business purposes. Meaning, its ok to collect and use customer first party data if you aren’t selling it. Examples of businesses uses are for 1st-party uses, including contextual customization such as website cookies that remember a user’s items in a shopping cart or their billing and shipping addresses, or website analytics such as counting and verifying ad impressions.
How the CCPA defines personal information.
According to the CCPA, personal information is any sensitive or psudononymous data that can be linked back to an individual consumer or household.
Specifically, the CCPA defines personal information as “information that identifies, relates to,describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. ”
Examples may include web browsing and search history, mobile IDs, IP addresses, location data, Personally identifiable information (PII) data such as name, address, phone number, or email address, professional or employment-related information, or inferences drawn from any of the above examples that can create a profile about a consumer.
A household is anyone living under the same residence. If a consumer opts-out, all data collected across every device of all individuals within a household must be deleted and future data that is collected for sale purposes is prohibited.
The CCPA regulations cover only California residents who opt-out.
Unlike the EU’s GDPR, the CCPA is opt-in, not opt-out. As long as a person whose data is being collected hasn’t opted out, you may continue to use the data for cookie matching, programmatic advertising and targeting. Also, the law only applies to the personal data of California residents.
The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose deidentified or aggregated data.
Deidentified information involves individual records that can no longer be associated or relinked with any particular individual. For information to be considered aggregate, it must not be linked or reasonably linked to any consumer or household. If information can be linked to a device, it is not considered aggregate consumer information.
How to Offer and Fulfill Opt-Out Requests
Your website must provide an option for consumers who are California residents to opt-out of the sale of personal information. Here’s how to do it:
1. Publish a “DO NOT SELL MY PERSONAL INFORMATION” button for California residents on your homepage and any web page that collects personal information.
Online only direct-to-consumer businesses can link the button to an opt-out email address.
- The right to notice
- The right to opt-out
- The right to access
- The right to request deletion
- The right to equal services and practices
You must also disclose the following for all personal information that you’ve released, sold, disclosed or transferred for sale purposes from January 1, 2019:
- What kind of information is collected
- How it is collected
- Why it is collected
- How consumers can access, delete or deny the collection of their personal information
- How you verify consumer age and obtain minor consent. Minors must opt-in to the collection of personal information for sale purposes. Under age 13, you must obtain parental consent. For minors ages 13 – 16, you must obtain consent directly from the consumer. Minors must also be able to opt in, and later, opt out, of the sale of their PII. For more information read the National Law Review’s article, Special Rules Regarding Minors
3. Develop an internal process for making data rights actionable.
In other words, you will need to create a standard procedure for deleting data when requested by California residents. This could mean a dedicated email address for opt-out requests and detailed measures for deleting data from internal and external databases as well as communicating to third parties with whom the data has been shared.
Penalties for Noncompliance
Individuals can sue for $100 to $750 per breach or actual damages, whichever is higher. You could also be charged with a civil penalty of up to $2,500 for each unintentional breach and up to $7,500 per intentional breach.
For more information about the California Consumers Privacy Act visit https://www.caprivacy.org/
LEGAL DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions.