
Navigating CCPA Requirements: How to Ensure Compliance and Protect Your Business


If your business is subject to the California Consumer Privacy Act (CCPA), observing the CCPA requirements is essential to avoid substantial financial penalties and damages to your business's reputation.

The CCPA is a groundbreaking law that aims to make California consumers true owners of their personal information by imposing strict data protection standards on businesses.

Among other responsibilities, businesses must become more transparent with how they use personal information, allow consumers to opt-out of the sale of their data, and observe several privacy rights.

In this article, we'll discuss everything you need to know about the CCPA, including who it applies to, its key requirements, practical insights for compliance, penalties for non-compliance, and more. Let's get started.

California Consumer Privacy Act (CCPA) Overview

The CCPA is a comprehensive privacy law that was enacted in June 2018 and took effect on January 1, 2020. It was later amended by the California Privacy Rights Act (CPRA), which came into force on January 1, 2023.

The CCPA serves as a privacy protection template, inspiring a nationwide campaign to safeguard consumers' personal information. It basically aims to give California residents similar protections as EU residents have under the General Data Protection Regulation (GDPR). As a result, the CCPA has earned monikers like “California GDPR” and “GDPR-lite.”

In short, the CCPA:

  • Applies data protection duties to businesses that collect, use, and share the personal information of California residents
  • Requires businesses to observe the principles of transparency and accountability when managing personal information
  • Provides California residents with several privacy rights over their personal information
  • Imposes stringent penalties on non-compliant businesses

As an applicable business, observing the CCPA requirements not only helps you avoid the consequences of non-compliance but also strengthens your relationship with consumers by demonstrating a commitment to protecting their privacy.

Who Does the CCPA Apply To?

The CCPA has an extraterritorial scope despite being a state privacy law. This means businesses don't have to be based in California (or even the U.S.) to be covered by the law.

The CCPA applies to for-profit entities anywhere in the world that "do business" in California or collect the personal information of California residents. If this sounds like your business, keep reading; there's one more criterion to consider.

In addition to the stipulations above, a business must meet one or more of the CCPA's thresholds to be subject to the law:

  • Gross annual revenue is over $25 million.
  • Annually buys, sells, receives, or shares the personal information of at least 100,000 California consumers or households.
  • Derives 50% or more of annual revenue from selling or sharing California consumers' personal information.

It’s important first to understand what type of information the CCPA protects before going deeper into its requirements.

Personal Information Under the CCPA

The CCPA primarily exists to protect the personal information of California residents. However, this term has a much broader meaning than it does in its literal sense.

Personal information according to the CCPA means:

"any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

The CCPA obviously intends to make this definition as inclusive as possible. To provide some context, the CCPA outlines several examples of personal information, including but not restricted to the following:

  • Names/Nicknames/Usernames
  • Postal addresses
  • Email addresses
  • Social security numbers
  • Passport numbers
  • Driver's license numbers
  • Internet data (e.g., IP address)

It’s important to note that personal information doesn't include publicly available information under the CCPA.

Sensitive Personal Information Under the CCPA (CPRA)

Thanks to the CPRA’s amendment, a specific subset of personal information has been introduced known as "Sensitive Personal Information (SPI)." This class of information is protected by stricter regulations due to its more delicate nature.

Examples of SPI include data that reveals any of the following:

  1. Health data
  2. Sex life or sexual orientation
  3. Financial information (e.g., debit and credit card numbers)
  4. Race or ethnicity
  5. Religious or philosophical beliefs
  6. Content of mail, email, and text messages
  7. Precise geolocation
  8. Biometric information
  9. Genetic information

California Consumer Privacy Act (CCPA) vs. California Privacy Rights Act (CPRA)

The CPRA is an updated version of the CCPA that was approved by California voters in November 2020 and came into force on January 1, 2023.

Informally referred to as CCPA 2.0, the CPRA builds on the CCPA's privacy protections and creates additional obligations for applicable businesses.

The most significant changes the CPRA applies to the CCPA are as follows:

  • Creation of the California Privacy Protection Agency (CPPA): The CPRA establishes the CPPA, a new regulatory body responsible for enforcing California's privacy laws. This agency will have the authority to investigate and impose administrative fines on non-compliant businesses.
  • New Data Processing Requirements: The CPRA requires businesses to implement data minimization and purpose limitation principles when processing personal information. This means businesses can only collect and use personal information for specific, limited purposes and must delete it once it's no longer needed.
  • Introduction of "Sensitive Personal Information": The CPRA expands the definition of personal information to include sensitive personal information (SPI), as mentioned earlier. Due to its delicate nature, businesses must provide additional disclosures and obtain explicit consent before collecting and processing SPI.
  • Additional Consumer Rights: The CPRA has added several new consumer rights, including the right to rectification, the right to access information about and opt-out of automated decision-making technology, and the right to limit the use and disclosure of SPI.

CCPA Enforcement and Penalties

The CPPA is primarily responsible for overseeing CCPA enforcement. However, the California Office of the Attorney General (OAG) may also bring a civil action.

In light of the CPRA’s amendments, the 30-day cure period within which businesses could rectify an alleged violation under the CCPA no longer applies. Instead, businesses may be fined immediately for violations or given a specified cure period, depending on the CPPA’s or OAG’s discretion.

Non-compliant businesses may face CCPA fines of up to $2,500 for each negligent violation and $7,500 for each intentional violation or for violations concerning a child below the age of 16.

One distinctive feature that sets the CCPA apart from other privacy laws is that it allows for a private right of action in certain instances. Essentially, a consumer can file a private lawsuit against a business and receive up to $750 in damages for each data breach arising from the business’s negligence.

It’s also worth noting that CCPA violations can result in reputational damages for businesses. As consumers become more privacy-conscious, they are more likely to patronize businesses that are dedicated to protecting their personal information. In contrast, businesses that violate modern privacy standards may face negative publicity and a loss of trust among consumers.

California Consumer Privacy Act (CCPA) Requirements

CCPA compliance requirements revolve around four broad concepts: access, consumer control, data protection, and non-discrimination. But what exactly do these concepts entail? And how can businesses put them to practice?

To answer this, we need to examine consumers' rights under the CCPA. Let’s briefly take a look:

  • Right to know: Consumers have the right to know what personal information businesses have collected about them and how that information has been used and shared. Businesses must provide this information to consumers upon request.
  • Right to deletion: Consumers can request that businesses delete their personal information. Businesses must comply with these requests unless there are legal reasons why the information must be retained.
  • Right to access: Consumers can request that businesses provide them with a copy of their personal information in a portable format. This right is an extension of the right to know.
  • Right to opt-out: Consumers have the right to opt-out of the sale of their personal information, and businesses must provide a clear and conspicuous opt-out mechanism on their websites.
  • Right to opt-in (for minors): Consumers under the age of 16 must opt-in to the sale of their personal information, and parents or guardians must opt-in on behalf of children under the age of 13.
  • Right to non-discrimination: Consumers have the right to be treated equally, whether or not they exercise their privacy rights under the CCPA. In other words, businesses must refrain from charging higher prices or providing lesser quality goods or services to consumers who opt-out of the sale of their information.

Compliance Strategies for CCPA Requirements

In light of the CCPA requirements above, we’ve compiled a comprehensive CCPA compliance checklist to help you fulfill your legal responsibilities accordingly.

It's important to note that not all these requirements may apply depending on key factors, such as the specific type of data your business collects and whether or not you sell consumers' personal information.

Conduct a Comprehensive Personal Information Audit

Your first course of action should be to conduct a company-wide personal information audit.

This activity helps pinpoint all data flows within and outside your business, enabling you to adjust processes where necessary and provide accurate disclosures of your data processing practices.

For instance, businesses typically carry out data-driven operations such as:

  • Collecting personal information through cookies, integrated analytics software, web forms, social media, etc.
  • Storing personal information on web servers, hard drives, paper files, etc.
  • Sharing personal information with business partners, advertising agencies, payment processors, etc.

These types of activities must be closely monitored and properly documented to ensure CCPA compliance. After all, you can't comply with the rules if you aren’t aware of every aspect of data processing under your control.

Provide a CCPA-Compliant Privacy Policy

Once again, the CCPA is big on transparency. To comply, businesses must provide relevant disclosures about consumers' personal information, and the best place to present this information is within a Privacy Policy. If you already have a Privacy Policy, you'll likely need to update it to reflect the CCPA's required disclosures.

You must also update your Privacy Policy every 12 months to account for any changes in your data processing practices. Your CCPA-compliant Privacy Policy should at least contain the following clauses:

  • What categories of personal information you’ve collected in the past 12 months
  • How you obtained each category of information
  • Why you collected each category of information
  • How you used personal information
  • How you shared or disclosed each category of information, and with whom
  • What rights consumers have under the CCPA (CPRA)
  • How consumers can exercise their CCPA (CPRA) rights
  • Whether or not you sell or share personal information for commercial purposes
  • Your contact information to receive consumer requests

Make sure to display this policy conspicuously on your business website/app to enable easy access. Typical locations include website footers, account registration forms, checkout pages, in-app menus, etc.

Honor Consumer Access and Deletion Requests

As mentioned earlier, the CCPA grants California consumers several privacy rights, including the right to access and deletion.

If you receive a verifiable access request from a consumer, you must respond promptly within 45 days of receiving the request. You can extend this period by another 45 days if it’s "reasonably necessary."

In terms of the disclosure, you must provide the following information from the past 12 months in a "readily usable" format and free of charge:

  • The categories of personal information your business has collected about the consumer
  • The specific pieces of personal information you have about the consumer
  • The categories of sources from which you obtained that information (e.g., web forms, cookies, etc.)
  • The business or commercial purpose(s) for which you collected the consumer’s personal information
  • The categories of third parties you share personal information with

Thankfully, the CCPA recognizes how burdensome this may be and only mandates that businesses comply with a consumer's access request twice a year.

Consumers can also request that you permanently delete their personal information from your records. However, this right only applies in limited circumstances. For instance, you don’t have to honor a consumer's CCPA right to deletion if you need to hold the consumer’s personal information to fulfill a legal obligation.

In practice, you can honor both access and deletion requests by setting up a Data Subject Access Request form on your website. You’ll also need to provide additional methods for users to exercise their rights, such as publicly displaying your contact information in different formats.

Create a “Do Not Sell or Share My Personal Information” Page

Businesses that sell consumers' personal information are subject to additional requirements under the CCPA (CPRA).

According to the CCPA, a sale refers to:

"selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration."

Thanks to the CPRA's amendments, businesses that "share" personal information will also fall under this category. Effectively, if you sell or share personal information, you must provide a way for consumers to exercise their CCPA opt-out right.

To do this, the CCPA (CPRA) recommends setting up a page that explains opt-out instructions and providing a link to this page that clearly reads "Do Not Sell or Share My Personal Information."

Your CCPA do not sell link must be prominently displayed in key areas of your website, especially in your footer section and within your Privacy Policy.

Here's an example from Ernst & Young:

[Image: Ernst & Young website footer with the "Do Not Sell or Share" link highlighted]

If you use or disclose Sensitive Personal Information (SPI), the CPRA requires you to provide a second link that reads "Limit the Use of My Sensitive Personal Information."

For both links, make sure to use a prominent, easily readable font on both mobile and desktop versions of your website.

Implement Adequate Data Security Measures

Businesses must observe the CCPA’s security requirements by protecting consumers' personal information from unauthorized access, disclosure, and data breaches. In particular, businesses must employ effective industry-standard security measures such as firewalls, two-factor authentication, staff training, HTTPS, data encryption, etc.

It's not enough to simply install data security systems; you must also audit your data flows regularly, evaluate the effectiveness of security safeguards with which you protect data, and adjust processes accordingly to maximize protection.

Remember that consumers can bring civil action against your business if a data breach occurs due to your negligence in protecting their personal information.

For example, here’s how PayPal concisely explains how it will protect personal information in its possession:

[Image: PayPal Privacy Statement, "How do we protect your personal information" clause]

Provide a “Notice at Collection”

The CCPA (CPRA) mandates that businesses must provide a "Notice at Collection" to consumers before or at the point of collecting their personal information. California's Attorney General has specified the following requirements for this notice:

  • Specify the categories of personal information you collect from consumers.
  • Provide clear and specific purposes for collecting each category of information.
  • Clarify how long you intend to retain personal information.
  • Provide a link to your "Do Not Sell or Share My Personal Information" page if applicable.
  • Provide a link to your Privacy Policy for a more comprehensive description of your business's privacy practices.

You can choose to insert this notice within your Privacy Policy or host it on a separate webpage as per your preference.

Here’s a great example from AGCO presenting its Notice at Collection on a separate webpage with links to all necessary disclosures:

[Image: AGCO CCPA Notice at Collection page]

Aside from being a CCPA requirement, a Notice at Collection also helps promote transparency and trust with your consumers.

CCPA FAQs

Does the CCPA (CPRA) support Global Privacy Control (GPC)?

Yes, it does. Global Privacy Control (GPC) is a "stop selling or sharing my data" switch available as a browser extension and built into most modern internet browsers, such as Mozilla Firefox, Brave, and DuckDuckGo.

GPC allows consumers to opt-out of the sale or sharing of their personal information at the browser level. This way, consumers don't have to submit opt-out requests on multiple websites or devices. Applicable businesses must honor GPC signals as a valid consumer request to stop the sale or sharing of personal information under the CCPA (CPRA).
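Honoring a GPC signal means treating it exactly like a "Do Not Sell or Share" request submitted through your website. The following is an added example, not code from the original article or from any product it mentions. The only external fact it relies on is that the GPC specification transmits the signal as the HTTP request header `Sec-GPC` with the value `1`; the `ConsumerPrefs` record, the function names, and the constructed sample requests are assumptions made for this example.

```python
"""Honor a Global Privacy Control (GPC) opt-out signal on the server side.

Per the GPC specification a participating browser sends `Sec-GPC: 1` on
every request. Anything else (absent header, "0", "true", "") is not a
valid signal and must not be treated as one. The preference record and
function names below are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

GPC_HEADER = "Sec-GPC"


def has_gpc_signal(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries a valid GPC signal.

    HTTP header names are case-insensitive, so "sec-gpc" matches too, but
    the value must be exactly "1": the spec defines no other affirmative
    value, so "true" or "yes" is treated as no signal.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


@dataclass
class ConsumerPrefs:
    """Per-consumer privacy settings (assumed record shape)."""
    consumer_id: str
    sale_opt_out: bool = False
    opt_out_source: Optional[str] = None  # e.g. "gpc" or "web_form"


def apply_gpc(prefs: ConsumerPrefs, headers: Mapping[str, str]) -> ConsumerPrefs:
    """Record a GPC signal as a valid request to stop selling or sharing.

    The signal only ever switches the opt-out ON. Its absence on a later
    request (a different browser, or the extension disabled) never switches
    an existing opt-out back OFF; a consumer who opted out through your
    web form stays opted out.
    """
    if has_gpc_signal(headers) and not prefs.sale_opt_out:
        prefs.sale_opt_out = True
        prefs.opt_out_source = "gpc"
    return prefs


def may_sell_or_share(prefs: ConsumerPrefs) -> bool:
    """Gate every downstream sale/share (ad pixels, data partners) on this."""
    return not prefs.sale_opt_out


def handle_request(prefs: ConsumerPrefs, headers: Mapping[str, str]) -> dict:
    """One request's worth of processing: apply the signal, then decide."""
    apply_gpc(prefs, headers)
    return {
        "consumer_id": prefs.consumer_id,
        "gpc_seen": has_gpc_signal(headers),
        "sale_opt_out": prefs.sale_opt_out,
        "may_sell_or_share": may_sell_or_share(prefs),
    }


if __name__ == "__main__":
    # Constructed sample requests from one consumer across two browsers.
    gpc_browser = {"Host": "shop.example", "Sec-GPC": "1"}
    plain_browser = {"Host": "shop.example", "Accept": "text/html"}

    prefs = ConsumerPrefs("consumer-123")
    print(handle_request(prefs, gpc_browser))    # opt-out switched on
    print(handle_request(prefs, plain_browser))  # opt-out persists
```

In a real deployment the decision from `may_sell_or_share` is what your tag manager or partner integrations must consult before firing, and the `opt_out_source` value gives you an audit trail showing that the opt-out came from a browser signal rather than a form submission.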

Does the CCPA (CPRA) cover the use of cookies and similar trackers?

Yes, the CCPA (CPRA) does cover the use of cookies and similar trackers. This is because cookies and similar trackers are known for collecting certain user data that can be classified as personal information under the CCPA. Consequently, businesses that employ these trackers and are subject to the CCPA must comply with all relevant requirements.

For more information, check out our Cookie Consent solution.

Can a consumer submit a request using an authorized agent?

Yes. A consumer can authorize another individual to submit a CCPA request on their behalf. Consumers may also delegate the submission of their request to a business entity registered with the California Secretary of State.

Can a business sell a child’s personal information?

Businesses are only permitted to sell the personal information of a child under the age of 16 if the child provides express consent ("opt-in"). For a child under the age of 13, that child's parent or legal guardian must give their express consent for the sale to be legal.

Are there any specific exemptions under the CCPA (CPRA)?

In general, the CCPA doesn’t apply to government agencies and nonprofit organizations. Additionally, the CCPA (CPRA) specifically exempts certain types of information from its coverage, including publicly available information (e.g., professional licenses and public property records), certain medical information, and consumer credit reporting information.

Conclusion

Navigating your CCPA compliance requirements may appear daunting at first, especially for small businesses with limited resources. Fortunately, it’s not as complex as it seems once you have all the right tools. And that's where we come in!

At Captain Compliance, our CCPA compliance solution and superheroes will help put you on the fast track to fulfill your responsibilities.

From setting up DSAR forms and valid opt-out mechanisms to educating you on the best compliance measures, we have all the tools and insights you need to stay ahead of legal liability under the CCPA.

Ready to become CCPA-compliant and avoid stringent penalties? Get in touch today!