A Simple Guide to CCPA Compliance

The California Consumer Privacy Act (CCPA) is a new privacy law that gives California residents greater control of their personal data and puts tighter restrictions on how businesses collect and process personal data. It goes into effect January 1, 2020 and includes privacy regulations for all personal data collected on California residents from January 1, 2019. Use this simple guide to find out how the CCPA applies to you and what you should do to ensure your business is compliant.

Does the CCPA Apply to My Business?

The CCPA applies to you if:

You are a for-profit company that does business in California or serves California residents, AND any of the following are true:

  • You make at least $25M in annual gross revenue
  • You generate more than 50% of annual revenue from data sales
  • You have bought, sold, and/or shared personal data on 50 thousand or more California residents, households, or devices for commercial purposes

If none of these apply to your business, you’re not required to follow the CCPA guidelines.

If the CCPA Does Apply, Here’s What You Need to Know

Under the CCPA, businesses must allow California residents to opt out of the sale of personal information.

The sale of personal information under the CCPA includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.

Data used for business purposes does not fall under the CCPA guidelines.

Businesses do not need to offer an opt-out for data collected for business purposes. In other words, it’s OK to collect and use first-party customer data if you aren’t selling it. Examples of business uses include first-party uses such as contextual customization (for example, website cookies that remember the items in a user’s shopping cart or their billing and shipping addresses) and website analytics such as counting and verifying ad impressions.

How the CCPA defines personal information.

According to the CCPA, personal information is any sensitive or pseudonymous data that can be linked back to an individual consumer or household.

Specifically, the CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Examples may include web browsing and search history, mobile IDs, IP addresses, location data, personally identifiable information (PII) such as name, address, phone number, or email address, professional or employment-related information, or inferences drawn from any of the above examples that can create a profile about a consumer.

A household is everyone living at the same residence. If a consumer opts out, all data collected across every device of all individuals within the household must be deleted, and future collection of data for sale purposes is prohibited.

The CCPA regulations cover only California residents who opt-out.

Unlike the EU’s GDPR, the CCPA is opt-out, not opt-in. As long as a person whose data is being collected hasn’t opted out, you may continue to use the data for cookie matching, programmatic advertising and targeting. Also, the law only applies to the personal data of California residents.

The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose deidentified or aggregated data.

Deidentified information involves individual records that can no longer be associated or relinked with any particular individual. For information to be considered aggregate, it must not be linked or reasonably linked to any consumer or household. If information can be linked to a device, it is not considered aggregate consumer information.

How to Offer and Fulfill Opt-Out Requests

Your website must provide an option for consumers who are California residents to opt out of the sale of personal information. Here’s how to do it:

1. Publish a “DO NOT SELL MY PERSONAL INFORMATION” button for California residents on your homepage and any web page that collects personal information.

Online-only direct-to-consumer businesses can link the button to an opt-out email address.

For businesses not exclusively online or those that do not have direct relationships with consumers, you will need to link to an opt-out page and list a toll-free phone number. Your Privacy Policy and homepage must also link to the opt-out page.


2. Update your Privacy Policy

Your Privacy Policy must include the five California consumer rights under the CCPA:

  1. The right to notice
  2. The right to opt-out
  3. The right to access
  4. The right to request deletion
  5. The right to equal services and practices

You must also disclose the following for all personal information that you’ve released, sold, disclosed or transferred for sale purposes from January 1, 2019:

  1. What kind of information is collected
  2. How it is collected
  3. Why it is collected
  4. How consumers can access, delete or deny the collection of their personal information
  5. How you verify consumer age and obtain minor consent. Minors must opt-in to the collection of personal information for sale purposes. Under age 13, you must obtain parental consent. For minors ages 13 – 16, you must obtain consent directly from the consumer. Minors must also be able to opt in, and later, opt out, of the sale of their PII. For more information read the National Law Review’s article, Special Rules Regarding Minors.

3. Develop an internal process for making data rights actionable.

In other words, you will need to create a standard procedure for deleting data when requested by California residents. This could mean a dedicated email address for opt-out requests and detailed measures for deleting data from internal and external databases as well as communicating to third parties with whom the data has been shared.

Penalties for Noncompliance

Individuals can sue for $100 to $750 per breach or actual damages, whichever is higher. You could also be charged with a civil penalty of up to $2,500 for each unintentional breach and up to $7,500 per intentional breach.

For more information about the California Consumer Privacy Act visit https://www.caprivacy.org/

LEGAL DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions.  

Wingman Media, Inc.

2625 Townsgate Road, Suite 104

Westlake Village, CA 91361

© 2019 Wingman Media, Inc.
