The California Consumer Privacy Act (CCPA) took effect in early 2020. It imposes several important requirements on large businesses and those which handle or sell a lot of personal data, including many businesses from outside the state of California.
Here's what you need to know and do when it comes to getting compliant with the CCPA.
- 1. Does the CCPA Apply to Me?
- 2. When Does the CCPA Take Effect?
- 3. Consumer Rights Under the CCPA
- 4. Penalties For Violating the CCPA
- 5. What You Must Do to Comply With the CCPA
- 5.1. Create an Opt-Out Page
- 5.2. Promote the Opt-Out Page
- 5.3. Organize Your Data
- 5.4. Give Notification & Update Privacy Policies
- 5.5. Deal with Requests
- 5.6. Assure You are Not Discriminating
- 5.7. Deal with Complaints
- 6. Summary
- 6.1. Need to know:
- 6.2. Need to do:
Does the CCPA Apply to Me?
Despite the name, you don't have to be either legally or physically based in California to be affected by the CCPA. Instead it applies to businesses that serve residents of California (including through online businesses) and meet one of three criteria:
- The business has annual revenues of at least $25 million. (It doesn't matter how much of this comes from California.)
- The business processes personal data covering more than 50,000 consumers, households or devices. (Again, this isn't limited to people in California.)
- The business gets more than half its annual revenues from selling personal data.
There are key exemptions for financial companies, credit reporting agencies, and healthcare providers and insurers. In each case the exemptions apply if the company is already covered by a yrelevant federal data security law.
When Does the CCPA Take Effect?
The CCPA took legal effect on the 1st of January 2020. The Attorney General plans to begin enforcing the law beginning in July of 2020.
It is possible this enforcement could include dealing with violations that took place between January and June 2020, so it is not safe to hold off compliance until this point.
Another reason to err on the side of caution is that the November 2020 state elections may include a ballot initiative that proposes strengthening the measures of CCPA.
Consumer Rights Under the CCPA
The CCPA explicitly states that the law is designed to uphold five rights for Californian consumers. You should always bear these in mind when taking steps to comply with CCPA. The way the law is written means it is highly likely regulators and courts will use these rights as guiding principles when ruling on any dispute or ambiguity about the precise measures CCPA requires.
The five consumer rights are:
- To know what personal information an organization collects about them
- To know whether their personal information is disclosed or sold and, if so, to whom
- To refuse to allow their personal information to be sold
- To access the personal information a company has collected about them
- To be able to exercise these rights without losing access to services or being charged a higher price
Penalties For Violating the CCPA
If you fail to meet the requirements of the CCPA, the Attorney General can give you 30 days to rectify the violation. If you fail to do so, you face a fine of up to $7,500 per violation.
Individuals can also report violations to the Attorney General and ask them to take action. If the Attorney General chooses not to do so, the individual can pursue legal action themselves.
If you don't adequately secure personal data and then suffer a breach, each person whose data is breached can take civil action against you. If their case is proven, the court can make you pay damages with a minimum of $100 per consumer and a maximum of $750 per consumer, or the actual financial damages, whichever is greater. Note that the $100 to $750 figures still apply even if the customers can't prove they suffered any financial damages.
What You Must Do to Comply With the CCPA
To make sure you comply with CCPA, both now and in the future, you'll need to complete the following steps.
Create an Opt-Out Page
CCPA explicitly states that you must create a web page that lets users opt out of you selling their personal information. You can't force a user to create an account in order to use this opt-out page.
The page could have an online form for opting out but could also list contact details for where to send an opt-out request. You must provide a toll-free number for consumers to opt out by phone.
This example from Datalove explains the procedures for, and consequences of, opting out of data sharing:
Users are informed that by completing the form and confirming via email confirmation, the company and any of its marketing partners won't be able to use the data and that it will be purged from the system.
Your opt-out page doesn't have to be so all-or-nothing. Instead of limiting any information being used at all, you can make it so that you just agree to not sell the information but can still use it yourself for legitimate, necessary purposes.
Promote the Opt-Out Page
You must include a link to the opt-out page from your site's home page. This link must have the title "Do Not Sell My Personal Information."
You must also include the link in any Privacy Policy on your site and in any section on your site that specifically details the user's privacy rights under California law.
Note that while it's fine for the home page to just have the link, the Privacy Policy must give context to the link by explaining that the user has a legal right to opt out of their data being sold.
This example from Really Simple Plugins shows a compliant home page link:
Datalove includes information about its opt-out option in its Privacy Policy in a longer, more informative clause that lets users know the effects of opting out and how to do so:
Organize Your Data
The CCPA gives users the right to know what data you have collected about them, disclosed or sold in the past 12 months, which may include a period before the CCPA takes effect. You should audit and review your data collection and organization to make certain that you can easily gather together the data you have about any individual.
As part of this review, it may be worth deleting any data which is no longer necessary for your operations or may no longer be accurate.
The CCPA lists 11 categories of personal information. You will need to organize your data so that you can quickly identify which data (if any) falls into each category. The categories are defined as follows in section 1798.140:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers
(B) Any categories of personal information described in subdivision (e) of Section 1798.80 (This is part of California law from before the CCPA and covers "any information that identifies, relates to, describes, or is capable of being associated with, a particular individual." It doesn't cover information that's available in public records.)
(C) Characteristics of protected classifications under California or federal law
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
(E) Biometric information
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement
(G) Geolocation data
(H) Audio, electronic, visual, thermal, olfactory, or similar information
(I) Professional or employment-related information
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
Give Notification & Update Privacy Policies
Once the CCPA takes effect, you will need to inform users of the personal information you collect about them, either before or at the point of collection.
You must inform them of two things:
- Which of the 11 categories the information you are collecting falls into, and
- What purpose/s you will use the information for
The CCPA also says you must publish a specific list of information on your website. This must be located:
- In your Privacy Policy if you have one
- In the section of your website covering California privacy rights if you have one
- Somewhere else on your site if neither of the first two apply
This list of information must include:
- Details of consumer rights under the CCPA
- Contact details or methods for exercising those rights
- Which, if any, of the 11 categories apply to personal information you've collected about any consumers in the past 12 months
- Which, if any, of the 11 categories apply to personal information you've sold in the past 12 months
- Which, if any, of the 11 categories apply to personal information you've disclosed in the past 12 months
You must update this information at least once every 12 months.
This example from Techbuyer shows an efficient way to display the details of the 11 categories and how they apply:
This example from NVA informs consumers of some of their rights under the CCPA:
Deal with Requests
Make sure you have procedures in place to promptly deal with consumer requests for the data you have collected about them and/or sold or disclosed for business purposes. This may involve designating a specific staff member to take responsibility for responding.
When you respond to such a request you must answer five questions:
- What categories of information have you collected, sold or disclosed?
- What was the source or sources of the information?
- Why did you collect, sell or disclose the information?
- Who, if anyone, have you shared the information with?
- What specific information have you collected about the consumer?
Remember that you may need to verify an individual's identity before responding to a data request. Any information you collect to carry out this verification must only be used for this verification, so it's best not to retain it.
Your response must cover all data in the 12 months before you received the request. Your response must be in writing (including electronically) and usually be sent within 45 days of the request. You can extend this to 90 days if necessary but you must inform the consumer you are doing so before the initial 45-day deadline expires.
This example from JAMS covers both how to make a request and how the business will respond:
Assure You are Not Discriminating
Review your procedures to make sure you do not discriminate against consumers who exercise their CCPA rights. For example, check that you do not restrict access to services to people who've opted out of their data being sold.
Note that the CCPA does have an exemption that lets you charge different prices or offer different services based on what personal data a customer provides, but the differences must directly reflect the value of this data. The interpretation of this exemption has yet to be tested in practice, so you should seek expert legal advice before relying on it.
Deal with Complaints
Make sure you have procedures in place to deal with any complaints of alleged violations of the CCPA, particularly from the Attorney General. You will normally only have 30 days to rectify any violation before you could face legal action with significant financial penalties.
Your procedures must allow you to quickly but accurately confirm whether the alleged violation is accurate and, if so, how you can make things right.
Summary
Let's recap what you need to understand and do to comply with CCPA:
Need to know:
- The CCPA applies to large companies, those which handle a lot of personal data, and those which make most of their money selling personal data
- It doesn't matter whether the company is legally or physically based in California, just whether it serves customers in the state (including online)
- The law took effect on 1 January 2020. Enforcement may not start until July, but data requests can cover the past 12 months so companies need to get ready to comply immediately
- The CCPA is based on upholding five consumer rights regarding personal information, which is defined very broadly
- Violations could lead to court action brought by the Attorney General or individuals, with potentially expensive penalties
Need to do:
- Create a web page where users can opt out of their personal information being sold
- Promote this page with links on your home page and privacy policy marked "Do Not Sell My Personal Information"
- Organize your data so that you know which of 11 CCPA-defined categories it falls into and to which individuals it relates
- Make sure you notify individuals about what personal information you are collecting and how you'll use it
- Update your Privacy Policy to cover CCPA consumer rights and how to exercise them, plus lists of the categories of personal information you've collected, sold and disclosed (one list for each) in the past 12 months
- Establish procedures for responding to data access requests, usually within 45 days
- Check you aren't breaching the CCPA by discriminating against consumers who exercise their privacy rights
- Establish procedures for dealing with any complaints about alleged violations
