What is CCPA? CCPA Compliance Guide

CCPA stands for California Consumer Privacy Act. It came into effect on January 1, 2020, in the state of California, United States. CCPA compliance is designed to enhance privacy rights and consumer protection for California residents.

The CCPA grants various rights to California residents and regulates the actions of businesses that collect or sell personal information. However, it leaves the consequences of third-party processing of consumer data somewhat open to interpretation. This prompted an amendment to the CCPA, which has come to be known as the California Privacy Rights Act (CPRA).

Update

The California Privacy Rights Act (CPRA), which became effective in January 2023, expands on a few key elements of the existing California Consumer Privacy Act (CCPA) by further protecting consumers’ privacy. The CPRA supplements – but does not replace nor repeal – the existing framework provided by the CCPA.

In this guide, we explain everything you need to know about CCPA compliance and what you need to do to align with its requirements.

Please note: the compliance section of this guide has been updated to align with the amended version of the CCPA which is currently in force — the CPRA.

What is the CCPA?

The California Consumer Privacy Act is a comprehensive data privacy law, designed to enhance privacy rights and consumer protection for California residents.

The main purpose of the CCPA is to give individuals greater control over their personal information and to regulate how businesses collect, use, and share that information.

As mentioned above, the CCPA was amended to add requirements for matters it had left open to interpretation. In January 2023, the California Privacy Rights Act (CPRA) came into force, supplementing the CCPA.

What is the difference between CCPA and CPRA?

The CPRA builds on the protections provided by the CCPA, but it introduces new requirements for businesses.

Here are a few key differences:

  • The CPRA has a broader scope than the CCPA.
  • The CPRA adds new categories of sensitive personal information, such as health data and precise geolocation.
  • The CPRA enhances consumer rights, adding the right to correct inaccurate information and the right to limit the use and disclosure of sensitive personal information.
  • The CPRA imposes additional requirements on businesses, such as the obligation to conduct regular risk assessments and to submit annual privacy audits to the California Privacy Protection Agency (CPPA).

What is personal information under the CCPA?

Under the scope of the California Consumer Privacy Act, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The CCPA further details that personal information can include, but is not limited to:

  • identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • biometric information;
  • internet or other electronic network activity information, including browsing history, search history, and information relating to website, application or ad interaction;
  • geolocation data;
  • audio, electronic, visual, thermal, olfactory, or similar information;
  • professional or employment-related information;
  • educational information — other than what is publicly available as defined here; or
  • any inferences drawn from information such as those mentioned above, which is used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

When does the CCPA apply?

In general, CCPA compliance is needed when BOTH of the following conditions apply:

  • you have a business; and
  • you target Californian consumers.

However, you need to make sure your business falls within the scope of the CCPA. To do that, let’s have a closer look at the key definitions.


Key definitions

📌 Consumer

Under the CCPA, a “consumer” is defined as a natural person who is a California resident.

📌 Business

Under the scope of the California Consumer Privacy Act, a “business” is defined as a for-profit organization that collects the personal information of consumers, determines the purposes and methods of the processing, targets Californian residents (whether or not the business is actually based in California), and meets at least one of the following requirements:

  • it has annual gross revenues exceeding twenty-five million dollars ($25,000,000); or
  • it derives 50% or more of its annual revenues from selling the personal information of consumers; or
  • it buys, receives, sells, or shares the personal information of 50,000 or more consumers annually for the business’ commercial purposes. Since IP addresses fall under what is considered personal data — and “commercial purposes” simply means to advance commercial or economic interests — it is likely that any website with at least 50k unique visits per year from California falls within this scope.

📌 Sale

Sale within the context of CCPA compliance is defined as: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”.

📌 Valuable consideration

While the CCPA does not currently explicitly define “valuable consideration”, under Californian contract law it is defined as “[a]ny benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.” (Cal. Civ. Code § 1605).

Within this context, a “valuable consideration” can be broadly interpreted as meaning all agreements where personal information is exchanged – and the transferring entity receives any benefit to which it would not be legally entitled to without the agreement.

Important

CalOPPA has not been repealed by the CCPA and still applies. This is something to take note of even if the definition of “business” above does not apply to you, as you may still need to comply with CalOPPA, or both laws may be applicable to you. Read more about CalOPPA here.

CCPA vs GDPR

Some have called the CCPA “the California GDPR”, so here’s how these two privacy laws actually compare:

Enforcing body?
  CCPA: The attorney general of the state of California, USA.
  GDPR: National (EU member state) data protection agencies.

Who needs to comply?
  CCPA: Any for-profit business that targets Californian consumers and either:
    • processes the personal data of at least 50K Californian consumers (IP addresses are considered personal data, so this would apply to any website with at least 50K visits from Californian consumers); or
    • makes at least 50% of its revenue from sharing Californian consumer data for any profit – monetary or otherwise; or
    • has an annual revenue of 25M or more.
  GDPR: Any entities (non-profit or otherwise – including NGOs, individuals, and public entities) that target EU consumers, or which are based in the EU.

What types of data are protected?
  CCPA: Any data that relates to, or is capable of being associated with, a particular consumer or household, with the exception of public government records.
  GDPR: Any data that can lead to the identification of an individual.

Are IP addresses considered Personal Data?

Consent required before processing?
  CCPA: Only in the case of minors and in cases of a previous opt-out.
  GDPR: Yes, unless another legal basis legitimately applies.

Must businesses give consumers the option to opt-out or withdraw consent?
  CCPA: Yes, businesses must provide a DNSMPI link and honor opt-out requests.
  GDPR: Users have both the right to withdraw consent and the right to object to processing (potentially applicable even in cases where the processing is justified using a legal basis other than consent).

Protections also apply to business-to-business (B2B) interactions?
  CCPA: No, CCPA protections apply to consumers only.
  GDPR: The GDPR makes no differentiation between protections applied to B2B and B2C (business-to-consumer) interactions; it simply applies its protections to “data subjects”, who are defined as any “identifiable natural persons” residing in the EU.

Security requirements?
  CCPA: The CCPA lists no specific security requirements but gives consumers the explicit right to bring suit for damages resulting from a business’ failure to implement appropriate security practices.
  GDPR: The GDPR requires both controllers and processors to implement security methods appropriate to the particular risk involved. Security methods should be “state of the art”, implying that they should be on par with the latest standards.

Penalties of non-compliance?
  CCPA: Fines of up to $7,500 per individual violation. The CCPA also gives consumers the right to bring suit for damages.
  GDPR: Fines of up to EUR 20 M (22 M USD) or 4% of annual global revenue – whichever is greater – plus potential audits and sanctions. The GDPR also gives data subjects the right to sue if their rights were violated.

Applicable users’ rights at a glance
  • The right to be informed
  • The right of access
  • The right to portability
  • The right to rectification ×
  • The right to be deleted
  • The right to object (CCPA: somewhat covered by the right to opt-out)

CCPA Consumer Rights

Under CCPA, consumers have specific rights that you must respect to achieve CCPA compliance.

The California Privacy Protection Agency has recently unveiled a new website, aimed at providing Californians with comprehensive information about their privacy rights. This online platform serves as a key resource for understanding the protections offered by the California Consumer Privacy Act (CCPA) and offers guidance on various privacy-related issues, enabling Californians to take informed actions regarding their privacy.

The right to be informed

Under the CCPA, consumers have a right to be informed about how their information is processed at or before the point of collection.

Under the California Consumer Privacy Act you must disclose:

  • the categories of personal information the business collects, sells, or shares;
  • the categories of third parties with whom the business shares personal information;
  • the categories of sources from which that information was collected;
  • the business or commercial purpose for collecting or selling consumers’ personal information;
  • consumers’ rights and how to exercise them; and
  • how the consumer can object to the selling of their data, via a “Do not sell my data” link (if data is sold).

The right of access

Under the CCPA, consumers have a right to access their personal information when verifiably requested*.

In particular, consumers have the right to access:

  • the categories of the consumer’s personal information collected in the past 12 months;
  • specific pieces of information collected about them;
  • the categories of sources from which the business collected the information;
  • the purposes for collecting or selling the information;
  • the categories of third parties that the personal information is shared with;
  • the categories of personal information sold and the categories of third parties that the personal information was sold to;
  • the categories of personal information disclosed for business purposes.

*Verifiably requested or a “verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify . . . to be the consumer about whom the business has collected personal information. Cal. Civ. Code § 1798.140(y)

You must provide consumers with two or more methods for submitting access requests, including at a minimum, a toll-free telephone number, and if the business maintains an internet web site, a web site address. You must also make reasonable efforts to verify that the person making the request is either the consumer about whom the information was collected, or authorized to request this information on behalf of the consumer as outlined above.

The right to portability

Under the California Consumer Privacy Act, the right to data portability is bundled together with the right to access, under Section 1798.100 (d).

Where businesses fulfill Access requests “electronically”, it’s also required that the information be provided to the consumer in “a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance”.

Information requests must be fulfilled, free of charge, within 45 days of the consumer’s verifiable request. This time period may be further extended once by an additional 45 days, if reasonably necessary, and provided that the consumer is given notice of the extension within the first 45-day period.

The disclosures made in the fulfillment of the request should cover the 12-month period preceding the receipt of the request.

Delivery format

Businesses must respond through either regular mail or in an electronic format (such as email, file download, etc.). If delivered electronically, the law mandates that the information must be “portable”, i.e. delivered in a format that’s easy to use and that allows transmission of the information to another entity without hindrance.

Exceptions and limits
  • Consumers are allowed a maximum of 2 requests over a period of 12 months.
  • Single one-time instances of processing are excluded if the information is not sold or retained by the business or used to otherwise re-identify the person.
  • No response is necessary if the business has not actually collected information on the consumer in question.

The right to be deleted

The CCPA grants consumers the right to request the deletion of any personal information that has been collected about them. If a verifiable request for deletion is received from a consumer, you must delete the consumer’s personal information from your records and instruct any related service providers to delete the consumer’s personal information from their records.

You must provide consumers with two or more methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the business maintains an internet website, a website address. You must also make reasonable efforts to verify that the person making the request is either the consumer about whom the information was collected, or authorized to request this information on behalf of the consumer as outlined above.

This request must be fulfilled free of charge, within 45 days of the consumer’s verifiable request. This time period may be further extended once by an additional 45 days, if reasonably necessary, and provided that the consumer is given notice of the extension within the first 45-day period.

Exceptions and limits

Businesses are not required to comply with the request of deletion if the information is needed:

  • to complete the transaction that the personal information was collected for;
  • for the provision of a good or a service requested by the consumer, or to otherwise carry out an agreement between the business and the consumer;
  • to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
  • to debug to identify and repair errors;
  • to exercise free speech, or to ensure another consumer’s right to exercise free speech;
  • to comply with the California Electronic Communications Privacy Act (CalECPA);
  • for public or peer-reviewed scientific, historical, or statistical research in the public interest;
  • in order to comply with a legal obligation;
  • to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business;
  • for solely internal use in a lawful manner compatible with the context in which the consumer provided the information.

The right to opt-out

The right to say no to the sale of their data

Under the CCPA, a consumer has the right, at any time, to tell a business which sells their personal information to third parties, that they must stop selling such personal information.

What is a sale under the California Consumer Privacy Act and how do you “sell” personal information?

As mentioned above, under the CCPA, “sell”, “selling”, “sale”, or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business to another business or a third party, for monetary or other valuable consideration.

Two less obvious examples of what could* be considered “selling” under the CCPA are:

  • sharing user data with ad networks and other third parties in order to display targeted advertising for a benefit, including revenue; or even
  • using a third-party analytics program for retargeting, or otherwise generating a user profile in order to sell to the consumer.

*Keep in mind that at this stage of implementation some factors may change as the law is further refined.

If you “sell” consumers’ personal information to third parties, you must disclose this fact to consumers, and must also inform them that they have the right to opt-out of the sale of their personal information (as per “The right to be informed” listed above).

A consumer cannot be asked to create an account in order to opt-out. Instead, this process should be facilitated via a “Do Not Sell My Personal Information” (“DNSMPI”) link on your website or privacy notice.

If a business receives direction from a consumer not to sell the consumer’s personal information, it is prohibited from selling the personal information of that consumer unless the consumer subsequently provides express authorization for the sale of their personal information (Opt-in).

Businesses may only ask for a consumer’s authorization one more time, and only 12 months after the consumer has opted out.

The right to opt-in

Prior consent for minors

Businesses are prohibited from selling the personal information of consumers if the business has actual knowledge that the consumer is under the age of 16. In such cases, businesses may only sell the information if:

  • the consumer is between 13 and 16 and has opted-in; or
  • the consumer is less than 13 years of age and the consumer’s parent or guardian has opted-in on the consumer’s behalf.

The right to not be discriminated against

Even if the consumer exercises their privacy rights

To achieve CCPA compliance, businesses are prohibited from discriminating against consumers for exercising their rights granted under the law. Prohibited forms of discrimination include:

  • Denying goods or services to the consumer.
  • Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
  • Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title.
  • Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

Exceptions and limits

  • A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. In such cases, such financial incentives must be disclosed to users via the homepage of your website and within your privacy policy.
  • Businesses are prohibited from using financial incentive practices that are “unjust, unreasonable, coercive, or usurious in nature”.

CCPA Fines and Penalties

Consumers have the right to sue* businesses that violate the law. The associated fines will be between $100 and $750, or any higher amount related to actual damages (where larger damages can be proven).

*This only applies to the actual businesses themselves and not “service providers” acting on behalf of the business.

The state can bring charges of up to $2,500 per violation for businesses that unintentionally violate the CCPA, and fines of up to $7,500 per violation for businesses that commit intentional violations.

While these fines might not seem particularly large in comparison to other privacy laws, do consider that these fines apply per individual violation and per consumer. For a business with even just a few customers, these fines can add up to a hefty sum.

CCPA compliance – How to make your site/app compliant

CCPA compliance is, similarly to compliance with other privacy laws, a multi-faceted process that involves honest review, planning, and technical and legal implementation.

Regardless of how you choose to approach the implementation process, there are still a few basic steps you’ll need to take before even getting to the implementation stage. Let’s take a look at them, as well as the rest of the implementation process, below.

(This compliance section has been updated to align with the amended version of the CCPA which is currently in force — the CPRA.)

Perhaps one of the most important steps for CCPA compliance is to honestly review and assess your own processes and systems.

Some questions to ask yourself here are:

  • What categories of personal data do I collect and which categories of third parties do I share this data with?
  • Which sources do I collect this information from and what are their categories (e.g., analytics)?
  • What are the reasons or purposes of my data collection?
  • What are the CCPA consumer rights that apply to my processing activities?
  • Am I technically equipped to fulfill consumer rights-related requests such as deletion and access requests?
    • How do I keep track of when such requests were fulfilled?
    • Am I keeping track of all the service providers that access consumers’ personal information on my behalf?
    • Can I reliably contact these parties to fulfill things like deletion requests?
    • Do I maintain reliable records of the information and the categories of personal information I collect for each consumer?
  • Do I have available onsite the documents needed to make legally required disclosures?
  • Which exceptions reasonably and honestly apply to my scenario?

The service, quality, levels and/or prices you charge or offer to consumers must not be influenced by or dependent on whether or not they’ve chosen to exercise their rights. The only exceptions to this rule are cases where the value of the service or good offered relies upon the data collected about the consumer (see example above).

You may offer financial incentives (including payments) to consumers in exchange for accessing their personal information; however, you may only use financial incentives that are fair, reasonable, non-coercive and not extortionate. In all such cases, consumers must first be notified of such incentives via the homepage of your website.

As a requirement under the consumer’s right to opt-out, you must provide an easily accessible, clear and conspicuous “Do Not Sell My Personal Information” (“DNSMPI”) link on your website’s homepage and within your privacy policy (with the appropriate disclosures of the associated consumer right).

The link must take the user to a page where they can opt-out of the sale of their personal information.

Where technically feasible, you are allowed to host and redirect California residents to a separate homepage with the visible DNSMPI link.

Access, portability and deletion rights must be honored, at no cost to the consumer, within 45 days of receiving a verifiable request. The fulfillment period can be extended (only once) by a further 45 days if necessary, provided that the consumer is given notice of this fact.

When fulfilling access and portability requests, the information returned to the consumer must be given in an easy-to-use and easily transmittable format.

When a consumer exercises their opt-out rights (the right to say no to the sale of their data), you must comply upon receiving the request.

In cases where you are aware of the fact that the consumer is a minor under the age of 16, you must not sell their information unless explicitly authorized to do so by a parent or guardian (for minors under 13), or explicitly authorized to do so by the minor consumer where the minor is between the ages of 13 and 16.

Implementation can be complicated. This is where iubenda comes in: we take the weight off your shoulders by offering powerful software solutions — backed by our international legal team — which allow you to handle even the most complex situations within a few clicks and fully customize when needed.

How can iubenda help you comply?

CCPA / CPRA Compliance in no time

Our 360° solutions are crafted by our expert legal team and help keep you covered with minimal effort.

Get Compliant in Minutes

Get a CPRA-compliant Privacy Policy, customizable based on 1800+ clauses and available in 11 languages.

Add a Privacy Controls widget to your site allowing California users to opt-out from processing.

Among the few providers compatible with GPP & GPC, making it easier to honor these opt-out requests.

Automatically store user preferences and document CPRA opt-outs.

Laws, like the people, needs and ideas they serve, are often dynamic “living” things. Similarly, your own business purposes, partners and processes may shift with time.

For this reason, it’s vital that you periodically review and assess your internal processes, technical capabilities and legal documents, and keep them up to date with legal requirements.

How iubenda can help you with CCPA compliance

Our solutions take the guesswork out of CCPA compliance by doing the heavy technical and legal lifting so that you can focus on growing your business.
