A Simple Guide to CCPA Compliance
The California Consumer Privacy Act (CCPA) is a new privacy law that gives California residents greater control over their personal data and places tighter restrictions on how businesses collect and process it. It takes effect on January 1, 2020, and its privacy rules cover all personal data collected on California residents from January 1, 2019 onward. Use this simple guide to find out whether the CCPA applies to you and what you should do to ensure your business is compliant.
Does the CCPA Apply to My Business?
Here’s a simple way to test whether your business needs to follow the CCPA compliance guidelines.
You’re a for-profit company that does business in California or serves California residents, and you can answer “yes” to at least one of the following questions:
- Does your business make at least $25M in annual gross revenue?
- Do you generate more than 50% of annual revenue from data sales?
- Have you bought, sold, and/or shared personal data on 50,000 or more California residents, households, or devices for commercial purposes?
If none of these apply to your business, good news! You’re not required to follow the CCPA guidelines.
For everyone else, here’s what you should know.
If the CCPA Does Apply, Here’s What You Need to Know
Businesses must allow California residents to opt-out of the sale of personal information.
The sale of personal information under the CCPA includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.
Data used for business purposes does not fall under the CCPA guidelines.
Businesses do not need to offer an opt-out for data collected for business purposes. In other words, you may collect and use first-party customer data as long as you aren’t selling it.
Examples of “business purposes” may include contextual customization, such as website cookies that remember a user’s items in a shopping cart or their billing and shipping addresses. Another example is the use of website analytics for counting and verifying ad impressions.
What is considered “personal information” under the CCPA?
According to the CCPA, personal information is any sensitive or pseudonymous data that can be linked back to an individual consumer or household.
Specifically, the CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Examples include web browsing and search history, mobile IDs, IP addresses, location data, personally identifiable information (PII) such as name, address, phone number, or email address, professional or employment-related information, and inferences drawn from any of the above that can be used to build a profile of a consumer.
A household is everyone living at the same residence. If a consumer opts out, all data collected across every device of every individual in that household must be deleted, and further collection of their data for sale purposes is prohibited.
The CCPA regulations cover only California residents who opt out.
Unlike the EU’s GDPR, the CCPA is opt-out, not opt-in. As long as a person whose data is being collected hasn’t opted out, you may continue to use the data for cookie matching, programmatic advertising, and targeting. Also, the law applies only to the personal data of California residents.
Businesses can still collect, use, retain, sell, and disclose de-identified or aggregated data.
De-identified information consists of individual records that can no longer be associated or relinked with any particular individual. For information to be considered aggregate, it must not be linked, or reasonably linkable, to any consumer or household. If information can be linked to a device, it is not considered aggregate consumer information.
How to Offer and Fulfill Opt-Out Requests
Your website must give consumers who are California residents a way to opt out of the sale of their personal information. Here’s how to do it:
1. Publish a “DO NOT SELL MY PERSONAL INFORMATION” button
Publish the button on your homepage and any web page that collects personal information from California residents.
Online-only direct-to-consumer businesses may instead link the button to an opt-out email address.
2. Disclose the rights California residents have under the CCPA
- The right to notice
- The right to opt-out
- The right to access
- The right to request deletion
- The right to equal services and practices
You must also disclose the following for all personal information that you have released, sold, disclosed, or transferred for sale purposes since January 1, 2019:
- What kind of information is collected
- How it is collected
- Why it is collected
- How consumers can access, delete, or refuse the collection of their personal information
- How you verify consumer age and obtain consent from minors. Minors must opt in to the collection of personal information for sale purposes. For children under age 13, you must obtain parental consent; for minors ages 13 – 16, you must obtain consent directly from the consumer. Minors must also be able to opt in, and later opt out, of the sale of their PII. For more information, read the National Law Review’s article “Special Rules Regarding Minors.”
3. Develop an internal process for making data rights actionable
In other words, you will need a standard procedure for deleting data when a California resident requests it. This could mean a dedicated email address for opt-out requests, detailed steps for deleting the data from internal and external databases, and a way of communicating the request to any third parties with whom the data has been shared.
Penalties for Non-Compliance
Claims for Damages
In addition to damages from claims filed against you, your business could be subject to a civil penalty of up to $2,500 for each unintentional breach and up to $7,500 for each intentional breach.
For more information about the California Consumer Privacy Act, visit https://www.caprivacy.org/
LEGAL DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions.