💡 Confused about the CCPA? Here’s what you need to do:
What is the California Consumer Privacy Act (CCPA) & how do you achieve CCPA compliance? We break it down for you (without all the legalese!) in the sections below.
The CCPA is California’s newest privacy law aimed at enhancing consumer privacy rights for residents of California, United States. The law became effective on January 1st, 2020, and is fully enforceable from July 1st, 2020.
The CCPA (also known as the “California GDPR”) puts in place new requirements for processing personally identifiable information and grants consumers additional rights; it will therefore likely have a significant impact on both business processes and overall liability.
In general, the CCPA applies where BOTH of the following conditions apply:
Under the CCPA, a “consumer” is defined as a natural person who is a California resident.
Under the scope of the California Consumer Privacy Act, a “business” is defined as a for-profit organization that collects the personal information of consumers, determines the purposes and method of the processing, targets Californian residents (whether or not the business is actually based in California), and meets at least one of the following requirements:
Under the scope of the California Consumer Privacy Act, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA further details that personal information can include, but is not limited to:
Sale within the context of the CCPA is defined as: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration“.
While the CCPA does not currently explicitly define “valuable consideration”, under Californian contract law it is defined as “[a]ny benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.” (Cal. Civ. Code § 1605).
Within this context, a “valuable consideration” can be broadly interpreted as meaning all agreements where personal information is exchanged and the transferring entity receives any benefit to which it would not be legally entitled without the agreement.
CalOPPA has not been repealed by the CCPA and still applies. This is something to take note of even if the definition of “business” above does not apply to you, as you may still need to comply with CalOPPA, or both laws may apply to you. Read more about CalOPPA here.
What exactly does the CCPA require?
Under the CCPA, consumers have a right to be informed about how their information is processed at or before the point of collection.
Under the California Consumer Privacy Act you must disclose:
Under the CCPA, consumers have a right to access their personal information when verifiably requested*.
In particular, consumers have the right to access:
*Verifiably requested or a “verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify . . . to be the consumer about whom the business has collected personal information. Cal. Civ. Code § 1798.140(y)
You must provide consumers with two or more methods for submitting access requests, including at a minimum, a toll-free telephone number, and if the business maintains an internet web site, a web site address. You must also make reasonable efforts to verify that the person making the request is either the consumer about whom the information was collected, or authorized to request this information on behalf of the consumer as outlined above.
Under the California Consumer Privacy Act, the right to data portability is bundled together with the right to access, under Section 1798.100 (d).
Where businesses fulfill Access requests “electronically”, it’s also required that the information be provided to the consumer in “a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance”.
Information requests must be fulfilled, free of charge, within 45 days of the consumer’s verifiable request. This time period may be further extended once by an additional 45 days, if reasonably necessary, and provided that the consumer is given notice of the extension within the first 45-day period.
The disclosures made in the fulfillment of the request should cover the 12-month period preceding the receipt of the request.
Businesses must respond through either regular mail or in an electronic format (such as email, file download, etc.). If delivered electronically, the law mandates that the information must be “portable”, i.e. delivered in a format that’s easy to use and that allows transmission of the information to another entity without hindrance.
The CCPA grants consumers the right to request the deletion of any personal information that has been collected about them. If a verifiable request for deletion is received from a consumer, you must delete the consumer’s personal information from your records and instruct any related service providers to delete the consumer’s personal information from their records.
You must provide consumers with two or more methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the business maintains an internet web site, a web site address. You must also make reasonable efforts to verify that the person making the request is either the consumer about whom the information was collected, or authorized to request this information on behalf of the consumer as outlined above.
This request must be fulfilled free of charge, within 45 days of the consumer’s verifiable request. This time period may be further extended once by an additional 45 days, if reasonably necessary, and provided that the consumer is given notice of the extension within the first 45-day period.
Businesses are not required to comply with the request of deletion if the information is needed:
Under the CCPA, a consumer has the right, at any time, to tell a business that sells their personal information to third parties that it must stop selling that personal information.
As mentioned above, under the CCPA, “sell”, “selling”, “sale”, or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business to another business or a third party, for monetary or other valuable consideration.
Two less obvious examples of what could* be considered “selling” under the CCPA are:
*Keep in mind that at this stage of implementation some factors may change as the law is further refined.
If you “sell” consumers’ personal information to third parties, you must disclose this fact to consumers, and must also inform them that they have the right to opt-out of the sale of their personal information (as per “The right to be informed” listed above).
A consumer cannot be asked to create an account in order to opt-out. Instead, this process should be facilitated via a “Do Not Sell My Personal Information” (“DNSMPI”) link on your website or privacy notice.
If a business receives direction from a consumer not to sell the consumer’s personal information, it is prohibited from selling the personal information of that consumer unless the consumer subsequently provides express authorization for the sale of their personal information (Opt-in).
Businesses may only ask for a consumer’s authorization one more time, and only 12 months after the consumer has opted out.
Businesses are prohibited from selling the personal information of consumers if the business has actual knowledge that the consumer is under the age of 16. In such cases, businesses may only sell the information if:
Under the CCPA, businesses are prohibited from discriminating against consumers for exercising their rights granted under the law. Prohibited forms of discrimination include:
A business may only charge or offer different prices, rates, or levels or quality of goods or services in cases where that difference is reasonably related to the value provided to the business by the consumer’s data.
For example, a business offers a standard 30% discount on a product as an incentive to re-purchase, one month after the consumer’s initial purchase of the same product. During that time, the consumer exercises their right to deletion and requests that their personal information be deleted. In this case, because the business no longer has the consumer data which shows that the consumer previously purchased the product, they cannot reasonably offer the standard 30% discount to that particular consumer.
Businesses are prohibited from using financial incentive practices that are “unjust, unreasonable, coercive, or usurious in nature”.
Some have called the CCPA “the California GDPR”; here’s how these two privacy laws actually compare:
| | CCPA | GDPR |
|---|---|---|
| Enforcing body? | The attorney general of the state of California, USA. | National (EU member state) data protection agencies. |
| Who needs to comply? | Any for-profit business that targets Californian consumers and meets the definition of a “business” given above. | Any entities (non-profit or otherwise, including NGOs, individuals, and public entities) that target EU consumers, or which are based in the EU. |
| What types of data are protected? | Any data that relates to, or is capable of being associated with, a particular consumer or household, with the exception of public government records. | Any data that can lead to the identification of an individual. |
| Are IP addresses considered personal data? | | |
| Consent required before processing? | Only in the case of minors and in cases of previous opt-out. | Yes, unless another legal basis legitimately applies. |
| Must businesses give consumers the option to opt-out or withdraw consent? | Yes; a DNSMPI link must be provided and opt-out requests honored. | Users have both the right to withdraw consent and the right to object to processing (potentially applicable even where the processing is justified by a legal basis other than consent). |
| Protections also apply to business-to-business (B2B) interactions? | No, CCPA protections apply to consumers only. | The GDPR makes no differentiation between protections applied to B2B and B2C (business-to-consumer) interactions; it simply applies its protections to “data subjects”, defined as any “identifiable natural persons” residing in the EU. |
| Security requirements? | The CCPA lists no specific security requirements but gives consumers the explicit right to bring suit for damages resulting from a business’ failure to implement appropriate security practices. | The GDPR requires both controllers and processors to implement security methods appropriate to the particular risk involved. Security methods should be “state of the art”, implying that they should be on par with the latest standards. |
| Penalties of non-compliance? | Fines of up to $7,500 per individual violation. The CCPA also gives consumers the right to bring suit for damages. | Fines of up to EUR 20 M (22 M USD) or 4% of annual global revenue, whichever is greater, plus potential audits and sanctions. The GDPR also gives data subjects the right to sue if their rights were violated. |
| Applicable users’ rights at a glance | | |
| Right to be informed | | |
| The right of access | | |
| The right to portability | | |
| The right to rectification | × | |
| The right to be deleted | | |
| The right to object | Somewhat covered by the right to opt-out | |
Consumers have the right to sue* businesses that violate the law. The associated fines will be between $100 and $750, or any higher amount related to actual damages (where larger damages can be proven).
*This only applies to the actual businesses themselves and not “service providers” acting on behalf of the business.
The state can bring charges of up to $2,500 per violation for businesses that unintentionally violate the CCPA, and fines of up to $7,500 per violation, for businesses that commit intentional violations.
While these fines might not seem particularly large in comparison to other privacy laws, do consider that these fines apply per individual violation and per consumer. For a business with even just a few customers, these fines can add up to a hefty sum.
CCPA compliance is, similarly to compliance with other privacy laws, a multi-faceted process that involves honest review, planning and technical and legal implementation. More often than not, however, it is implementation that proves to require the most effort.
This is where iubenda comes in. Implementation can be complicated. We take the weight off your shoulders by offering powerful software solutions — backed by our international legal team — which allow you to handle even the most complex situations within a few clicks and fully customize when needed (more on our solutions and how they can help here).
Regardless of how you choose to approach the implementation process, there are still a few basic steps you’ll need to take before even getting to the implementation stage. Let’s take a look at them, as well as the rest of the implementation process, below.
Perhaps one of the most important steps is to honestly review and assess your own processes and systems.
Some questions to ask yourself here are:
Be sure to include:
Access, portability and deletion rights must be honored, at no cost to the consumer, within 45 days of receiving a verifiable request. The fulfillment period can be extended (only once) by a further 45 days if necessary, provided that the consumer is given notice of this fact.
When fulfilling access and portability requests, the information returned to the consumer must be given in an easy-to-use and easily transmittable format.
When a consumer exercises their opt-out rights (the right to say no to the sale of their data), you must comply upon receiving the request.
In cases where you are aware of the fact that the consumer is a minor under the age of 16, you must not sell their information unless explicitly authorized to do so by a parent or guardian (for minors under 13), or by the minor consumer themselves where the minor is between the ages of 13 and 16.
The DNSMPI link must take the user to a page where they can opt-out of the sale of their personal information.
Where technically feasible, you are allowed to host and redirect California residents to a separate homepage with the visible DNSMPI link.
The service, quality, levels and/or prices you charge or offer to consumers must not be influenced by or dependent on whether or not they’ve chosen to exercise their rights. The only exceptions to this rule are cases where the value of the service or good offered relies upon the data collected about the consumer (see the example above).
You may offer financial incentives (including payments) to consumers in exchange for accessing their personal information; however, you may only use financial incentives that are fair, reasonable, non-coercive and not extortionate. In all such cases, consumers must first be notified of such incentives via the homepage of your website.
Laws, like the people, needs, and ideas they serve, are often dynamic “living” things. Similarly, your own business purposes, partners and processes may shift with time.
For this reason, it’s vital that you periodically review and assess your internal processes, technical capabilities, and legal documents, and keep them up-to-date with legal requirements.
Compliance, in general, can be complicated – figuring out the right way to apply the law and to make the technical specifications work for your site and your business can be incredibly challenging.
Our solutions take the guesswork out of compliance by doing the heavy technical and legal lifting so that you can focus on growing your business.
All privacy policies generated with iubenda allow you to be compliant with the CCPA, as they contain the option to easily apply the legal standards defined by the CCPA to Californian users.
Our solution makes it easy for you to meet enhanced requirements by:
Our solution helps you to meet the CCPA requirement of informing Californian users of any selling activity upon site visit and also allows these users to opt-out (as legally required).
More specifically the Cookie Solution allows you to do the following:
💡 Learn more about how to enable these features.
As mentioned above, the CCPA grants consumers the right to opt-out. In cases where the processing is somewhat manual (i.e. not related to onsite scripts, such as in the case of direct email marketing), businesses may need to implement the opt-out request manually.
Furthermore, the CCPA mandates that opted-out users may not be contacted for a minimum of 12 months after the request. For this reason, it’s prudent to keep records of opt-out details such as the particular user, the date, and the sub-contractors to be notified in the case of requests.
Our Consent Solution hooks onto your web forms to let you automatically pass consumer preference details, such as opt-outs, via API to a centrally managed visual dashboard.
💡 Read more about the Consent Solution.
Our Internal Privacy Management Solution lets you accurately record relevant details necessary for fulfilling Consumer requests with precision.
The solution records:
💡 Read more about the Internal Privacy Management Solution.