The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. If your company handles the personal information of California residents in any way, it is time to iron out your CCPA compliance strategy. Otherwise you risk civil penalties of up to $2,500 per violation, and up to $7,500 per intentional violation.
But it is no longer only about the fines; customer trust and your business’s reputation are at stake. The data privacy scandal in which Facebook user data was harvested for Cambridge Analytica, which broke two years ago, pushed companies that collect users’ data to disclose how that data will be used. Carelessness in handling personal information can now do lasting damage to a business, both reputation-wise and compliance-wise.
In this article, we will clarify the following:
- What is CCPA? What are the CCPA requirements?
- What kind of data does CCPA protect?
- Who has to comply with CCPA?
- What are the main points of your CCPA compliance checklist?
Let’s dive in!
What is CCPA?
The California Consumer Privacy Act (CCPA), or as people call it, the California data privacy law, is the law created to protect Californian consumers’ personal data and make sure they have maximum control over it.
What is personal information? Under the CCPA, personal information is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Personal information includes but is not limited to:
- Login and password
- IP address
- Phone Number
- GPS data
- Health and biometric information
- Work-related information like job title or experience
Civil penalties for noncompliance are up to $2,500 per violation and up to $7,500 per intentional violation. Under the law as it took effect in 2020, a business that receives a notice of alleged noncompliance has 30 days to cure the violation before a penalty action can be brought.
Businesses covered by this law are obligated to:
- Tell consumers, at or before the point of collection, which categories of personal information they collect and for what purposes;
- Let consumers opt out of the sale of their personal information (and obtain opt-in consent before selling the personal information of consumers under 16);
- Implement reasonable security procedures and practices to protect the information;
- Provide the information on request and delete it on request, subject to the statutory exceptions.
These rules are created to ensure that people who visit your website, shop in your online store, or subscribe to your email newsletter are aware of how you use their data and assure that you won’t use it in a way they didn’t sign up for.
Who Must Comply With CCPA?
The CCPA protects California residents: people who live in California, including those domiciled there but temporarily outside the state. The law applies to for-profit organizations of any size, located in any country, that do business in California, collect California residents’ personal information, and meet at least one of the following thresholds:
- Buy, receive, sell, or share the personal information of 50,000 or more California consumers, households, or devices per year (for a website, that is roughly 140 unique California visitors a day);
- Derive at least 50% of their annual revenue from selling Californians’ personal information;
- Have annual gross revenue above $25 million.
Do you still need to be compliant with CCPA if you’re already GDPR compliant?
For those not acquainted with it, the General Data Protection Regulation (GDPR) is the EU’s core data protection law and the most extensive privacy law covering the personal data of people in the EU. For details, check out our article about GDPR.
Many people think of the GDPR as a broader version of the CCPA. Even though it can be seen that way, the two have a few fundamental differences:
- The CCPA protects the personal information of California residents, while the GDPR protects the personal data of people in the EU and other data subjects within its scope
- The GDPR requires one of six lawful bases before you may process personal data at all, whereas the CCPA does not require a lawful basis for processing but lets consumers opt out of the sale of their personal information, after which you may not sell it
- The CCPA protects consumers in particular, whereas the GDPR protects all data subjects, including employees, suppliers, and partners.
These differences illustrate the important point:
Being compliant with GDPR doesn’t automatically make you compliant with CCPA.
You’ve probably covered some basic CCPA requirements by being GDPR compliant. But plenty of unique demands are inherent to CCPA exclusively, so there is still work to do.
Here are the steps to take to align your company with the CCPA.
CCPA Compliance Checklist
CCPA requirements are actually not that difficult to meet. Here is what you need to do:
1. Update your privacy policy so that it states:
- What categories of information you collect from visitors and users (e.g., name, email, address, etc.)
- What types of information you don’t collect (e.g., information from consumers under 16, whose personal information may not be sold without opt-in consent)
- Why you collect it (e.g., to contact customers, to ship products, etc.)
- What happens with the data after it has been collected
- What consumer rights users have under the CCPA
- Whether the data is being sold to third parties or not, and if yes, then for what purpose. If you sell information, include a link to a “Do Not Sell My Personal Information” page (read about this below).
2. If you sell or share personal information, create a “Do Not Sell My Personal Information” page.
If you sell users’ personal information to third parties, you must give users the ability to opt out. This is what the “Do Not Sell My Personal Information” page is for. The statute prescribes the link text: a clear and conspicuous “Do Not Sell My Personal Information” link must appear on your homepage, so don’t rename it to something softer.
A “sale” under the CCPA is broader than a cash transaction: it covers selling, renting, releasing, disclosing, disseminating, making available, or transferring personal information to another business or third party for monetary or other valuable consideration. On this page you must let users opt out of the sale of their data; for example, they can tick a checkbox next to a “Do not sell my personal information” statement. You may not require the user to create an account in order to opt out. After users opt out, it is your responsibility to make sure their information is no longer sold or shared, and you may not ask them to opt back in for at least 12 months.
The Tomy John brand has linked the “Do not sell my personal information” page in the footer.
3. Create a CCPA compliant cookie consent notification.
Notify the consumer at or before the point where you start collecting information, and record their choice. It looks like the cookie notification you have probably seen many times before.
A CCPA compliant cookie notification should display:
- A button that records the consumer’s agreement to all cookies
- A button that accepts only the selected cookies
- Checkboxes for each category of cookies your website sets
Example of the GDPR/CCPA compliant cookie notification
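As an added illustration (not code from the original article or from any vendor it mentions), here is the consent logic behind such a banner in JavaScript: a default state that allows only strictly necessary cookies, an “accept all” and an “accept selected” action, a gate that decides whether a given cookie may be set, and a consent cookie that is re-prompted when the policy version changes. The cookie inventory and the `cc_consent` cookie name are assumptions for the example; wiring the gate to `document.cookie` in the browser is left to your site.

```javascript
// Added example: consent-gated cookie logic behind a CCPA/GDPR banner.
// Not from the original article. Pure logic, so it runs under Node without a
// browser; in the client, call mayStore() before every document.cookie write.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Constructed sample inventory: every cookie the site sets, with its category.
// Any cookie missing from this map is denied, so unclassified trackers fail closed.
const COOKIE_INVENTORY = {
  session_id: 'necessary',
  csrf_token: 'necessary',
  _ga: 'analytics',
  ad_click_id: 'marketing',
};

const CONSENT_COOKIE = 'cc_consent'; // assumed name for the stored consent record

// Before the consumer decides, only strictly necessary cookies are allowed.
function defaultConsent(policyVersion) {
  return { version: policyVersion, granted: ['necessary'], decidedAt: null };
}

// "Accept all cookies" button.
function acceptAll(policyVersion, now = Date.now()) {
  return { version: policyVersion, granted: [...CATEGORIES], decidedAt: now };
}

// "Accept selected" button with the ticked category checkboxes.
function acceptSelected(policyVersion, selected, now = Date.now()) {
  const granted = new Set(['necessary']); // cannot be unticked
  for (const c of selected) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown cookie category: ${c}`);
    granted.add(c);
  }
  return { version: policyVersion, granted: [...granted], decidedAt: now };
}

// The gate: may this cookie be set under this consent record?
function mayStore(cookieName, consent) {
  if (!Object.prototype.hasOwnProperty.call(COOKIE_INVENTORY, cookieName)) return false;
  return consent.granted.includes(COOKIE_INVENTORY[cookieName]);
}

// Persist the record as a first-party cookie for a year. Secure and SameSite
// keep the consent record itself from being altered cross-site or over HTTP.
function serializeConsent(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
}

// Read the record back from a Cookie header (or document.cookie). A record made
// under an older policy version, or a malformed one, is discarded so the
// consumer is asked again instead of silently keeping stale permissions.
function parseConsent(cookieHeader, policyVersion) {
  const m = new RegExp(`(?:^|;\\s*)${CONSENT_COOKIE}=([^;]*)`).exec(cookieHeader || '');
  if (!m) return defaultConsent(policyVersion);
  try {
    const c = JSON.parse(decodeURIComponent(m[1]));
    const valid = c && c.version === policyVersion && Array.isArray(c.granted)
      && c.granted.every((g) => CATEGORIES.includes(g));
    return valid ? c : defaultConsent(policyVersion);
  } catch {
    return defaultConsent(policyVersion);
  }
}
```

The important design choice is that the gate fails closed: a cookie that nobody has classified is refused even after “accept all”, which forces every new tracker through the inventory before it can reach a consumer’s browser.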
4. Provide a link, button, or form that lets users request access to, or deletion of, the personal information you hold about them.
The user’s ability to access or delete personal information from your site is vital for your CCPA compliance. You can provide them with this possibility on the “Do Not Sell My Personal Information” page, like in the example below.
After a user has asked for their information to be deleted, restricted from processing, or sent to them, it is on you to complete the request within 45 days of receipt, free of charge. The statute lets you extend that period by up to 45 more days when reasonably necessary, provided you notify the consumer within the first 45 days.
For that, you need to:
- Keep information organized and easily accessible
- Know all the categories of personal information you have on customers
- Know where you store the data and keep it secure
- Create a strong identity verification. This will ensure that the user who has requested access to the information is really who they claim to be and that no fraudulent activity is taking place
- Know how to erase the information and make sure that it is really deleted from all databases
5. Ensure that data is securely stored.
As long as you keep the customer’s personal data, its security lies on your shoulders. Cybercriminals can access the data and steal it, sell it on the darknet (or elsewhere), or use it to bring harm in any form to the data subjects. Having cybersecurity measures in place is a must to make your business CCPA compliant.
Here are the security measures to have in place:
- Antivirus software
- Up-to-date software like operating systems
- Ransomware protection for cloud management platforms like G Suite and Office 365
- Software for monitoring risky third-party apps and control whether access is granted to users’ personal data or business data
- Encrypted cloud-to-cloud backup of all important data
- Domain activities monitoring like abnormal data downloads and sharing
- Data audit to reduce insider threats
For small-to-medium businesses that don’t have a security department yet, and for enterprises that need to close their security gaps in the cloud, we recommend the all-in-one cloud cybersecurity tool SpinOne. It covers the data-security side of compliance; the notice, opt-out, and request-handling steps above are still yours to implement.
6. Information depicting how users can exercise their consumer rights
Include the following:
- Contact information. You must offer at least two methods for submitting requests, one of which must be a toll-free telephone number (a business that operates exclusively online and has a direct relationship with the consumer only needs to provide an email address). If you maintain a website, it must also accept requests.
- Information about what, exactly, the user can request. For example, they can have you delete, modify, or provide information.
- An explanation that only a user him/herself or a person authorized to act on their behalf can make a request related to personal information.
- An explanation of how often and in what form a user can request personal information. For example, “A user can make a request four times within a 12-month period; the request must provide the following information…”. The statute only obliges you to fulfil access requests twice in any 12-month period, so you may set that as the limit if you prefer.
Making your business compliant with CCPA is all about providing your customers with full control over the personal data they share with you. When you keep that in mind, complying with CCPA becomes a piece of cake.
However, remember that the CCPA doesn’t override other regulations that might apply to your business, so make sure you cover all bases. For more information, check out our articles on GDPR compliance, HIPAA compliance, and SOX compliance.