What is CCPA & how do you become compliant? We break it down for you (without all the legalese!) in the sections below.
The California Consumer Privacy Act (CCPA) is California’s newest privacy law aimed at enhancing consumer privacy rights for residents of California, United States. The law is set to become effective on January 1st, 2020, and to become fully enforceable on July 1st, 2020.
The CCPA puts in place new requirements for processing personally identifiable information and grants consumers additional rights, and it will therefore likely have a significant impact on both business processes and overall liability.
When does the CCPA apply?
In general, the CCPA applies where BOTH of the following conditions are met:
- You have a business; and
- you target Californian consumers.
Under the CCPA, a “consumer” is defined as a natural person who is a California resident.
Under the scope of the CCPA, a “business” is defined as a for-profit organization that collects the personal information of consumers, determines the purposes and method of the processing, targets Californian residents (whether or not the business is actually based in California), and meets at least one of the following requirements:
- it has annual gross revenues exceeding twenty-five million dollars ($25,000,000); or
- it derives 50 percent or more of its annual revenues from selling* the personal information of consumers; or
- it buys, receives, sells, or shares the personal information of 50,000 or more consumers annually for the business’ commercial purposes. Since IP addresses fall under what is considered personal data — and “commercial purposes” simply means to advance commercial or economic interests — it is likely that any website with at least 50k unique visits per year from California falls within this scope.
Under the scope of the CCPA, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA further details that personal information can include, but is not limited to:
- identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- biometric information;
- internet or other electronic network activity information, including browsing history, search history, and information relating to website, application or ad interaction;
- geolocation data;
- audio, electronic, visual, thermal, olfactory, or similar information;
- professional or employment-related information;
- educational information — other than what is publicly available as defined here; or
- any inferences drawn from information such as those mentioned above, which is used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Sale within the context of the CCPA is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
What is a “valuable consideration” under the CCPA?
While the CCPA does not currently explicitly define “valuable consideration”, under Californian contract law it is defined as “[a]ny benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.” (Cal. Civ. Code § 1605).
Within this context, a “valuable consideration” can be broadly interpreted as covering any agreement where personal information is exchanged and the transferring entity receives a benefit to which it would not be legally entitled without the agreement.
CalOPPA has not been repealed by the CCPA and still applies. Take note of this even if the definition of “business” above does not apply to you: you may still need to comply with CalOPPA, or both laws may apply to you. Read more about CalOPPA here.
Rights of the consumer under the CCPA
What exactly does the CCPA require?
The right to be informed
Under the CCPA, consumers have a right to be informed about how their information is processed at or before the point of collection.
Under CCPA you must disclose:
- the categories of personal information the business collects, sells, or shares;
- the categories of third parties with whom the business shares personal information;
- the categories of sources from which that information was collected;
- the business or commercial purpose for collecting or selling consumers’ personal information;
- consumers’ rights and how to exercise them; and
- how the consumer can object to the selling of their data, via a “Do not sell my data” link (if data is sold).
The right of access
Under the CCPA, consumers have a right to access their personal information when verifiably requested*.
In particular, consumers have the right to access:
- the categories of the consumer’s personal information collected in the past 12 months;
- specific pieces of information collected about them;
- the categories of sources from which the business collected the information;
- the purposes for collecting or selling the information;
- the categories of third parties that the personal information is shared with;
- the categories of personal information sold and the categories of third parties that the personal information was sold to;
- the categories of personal information disclosed for business purposes.
*Verifiably requested or a “verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify . . . to be the consumer about whom the business has collected personal information. Cal. Civ. Code § 1798.140(y)
You must provide consumers with two or more methods for submitting access requests, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a website address. You must also make reasonable efforts to verify that the person making the request is either the consumer about whom the information was collected, or someone authorized to request this information on behalf of the consumer as outlined above.
The right to portability
Under the CCPA, the right to data portability is bundled together with the right of access, under Section 1798.100(d).
Where businesses fulfill access requests “electronically”, the information must also be provided to the consumer in “a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance”.
Information requests must be fulfilled, free of charge, within 45 days of the consumer’s verifiable request. This time period may be further extended once by an additional 45 days, if reasonably necessary, and provided that the consumer is given notice of the extension within the first 45-day period.
The disclosures made in the fulfillment of the request should cover the 12-month period preceding the receipt of the request.
Delivery format: Businesses must respond through either regular mail or in an electronic format (such as email, file download, etc.). If delivered electronically, the law mandates that the information must be “portable”, i.e. delivered in a format that’s easy to use and that allows transmission of the information to another entity without hindrance.
Exceptions and limits:
- Consumers are allowed a maximum of 2 requests over a period of 12 months.
- Single one-time instances of processing are excluded if the information is not sold or retained by the business or used to otherwise re-identify the person.
- No response is necessary if the business has not actually collected information on the consumer in question.
The right to be deleted
The CCPA grants consumers the right to request the deletion of any personal information that has been collected about them. If a verifiable request for deletion is received from a consumer, you must delete the consumer’s personal information from your records and instruct any related service providers to delete the consumer’s personal information from their records.
You must provide consumers with two or more methods for submitting deletion requests, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a website address. You must also make reasonable efforts to verify that the person making the request is either the consumer about whom the information was collected, or someone authorized to request this information on behalf of the consumer as outlined above.
This request must be fulfilled free of charge, within 45 days of the consumer’s verifiable request. This time period may be further extended once by an additional 45 days, if reasonably necessary, and provided that the consumer is given notice of the extension within the first 45-day period.
Exceptions and limits:
Businesses are not required to comply with the request of deletion if the information is needed:
- to complete the transaction that the personal information was collected for;
- for the provision of a good or a service requested by the consumer, or to otherwise carry out an agreement between the business and the consumer;
- to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity;
- to debug, in order to identify and repair errors;
- to exercise free speech, or to exercise another consumer’s right to free speech;
- to comply with the California Electronic Communications Privacy Act (CalECPA);
- for public or peer-reviewed scientific, historical, or statistical research in the public interest;
- in order to comply with a legal obligation;
- to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business;
- for solely internal use in a lawful manner compatible with the context in which the consumer provided the information.
The right to opt-out (the right to say no to the sale of their data)
Under the CCPA, a consumer has the right, at any time, to tell a business that sells their personal information to third parties that it must stop selling that personal information.
What is a sale under the CCPA and how do you “sell” personal information?
As mentioned above, under the CCPA, “sell”, “selling”, “sale”, or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business to another business or a third party, for monetary or other valuable consideration.
Two less obvious examples of what could* be considered “selling” under the CCPA are:
- sharing user data with ad networks and other third parties in order to display targeted advertising for a benefit, including revenue; or even
- using a third-party analytics program for retargeting, or otherwise generating a user profile in order to sell to the consumer.
*Keep in mind that at this stage of implementation some factors may change as the law is further refined.
If you “sell” consumers’ personal information to third parties, you must disclose this fact to consumers, and must also inform them that they have the right to opt out of the sale of their personal information (as per “The right to be informed” listed above).
A consumer cannot be asked to create an account in order to opt out. Instead, this process should be facilitated via a “Do Not Sell My Personal Information” (“DNSMPI”) link on your website or privacy notice.
If a business receives direction from a consumer not to sell the consumer’s personal information, it is prohibited from selling the personal information of that consumer unless the consumer subsequently provides express authorization for the sale of their personal information (Opt-in).
Businesses may ask for a consumer’s authorization only once more, and only after 12 months have passed since the consumer opted out.
The right to opt-in (prior consent for minors)
Businesses are prohibited from selling the personal information of consumers if the business has actual knowledge that the consumer is under the age of 16. In such cases, businesses may only sell the information if:
- the consumer is between 13 and 16 and has opted in; or
- the consumer is less than 13 years of age and the consumer’s parent or guardian has opted in on the consumer’s behalf.
The right to not be discriminated against (even if the consumer exercises their privacy rights)
Under the CCPA, businesses are prohibited from discriminating against consumers for exercising their rights granted under the law. Prohibited forms of discrimination include:
- Denying goods or services to the consumer.
- Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
- Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title.
- Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
Exceptions and limits:
- A business may only charge or offer different prices, rates, levels, quality of goods or services in cases where that difference is reasonably related to the value provided to the consumer by the consumer’s data.
For example, a business offers a standard 30% discount on a product as an incentive to re-purchase, one month after the consumer’s initial purchase of the same product. During that time, the consumer exercises their right to deletion and requests that their personal information be deleted. In this case, because the business no longer has the consumer data which shows that the consumer previously purchased the product, they cannot reasonably offer the standard 30% discount to that particular consumer.
Businesses are prohibited from using financial incentive practices that are “unjust, unreasonable, coercive, or usurious in nature”.
CCPA vs the GDPR (at a glance)
| | CCPA | GDPR |
|---|---|---|
| Who enforces it? | The attorney general of the state of California, USA. | National (EU member state) data protection agencies. |
| Who needs to comply? | Any for-profit business that targets Californian consumers and either: (a) processes the personal data of at least 50K Californian consumers (IP addresses are considered personal data, so this would apply to any website with at least 50K visits from Californian consumers); (b) makes at least 50% of its revenue from sharing Californian consumer data for any profit, monetary or otherwise; or (c) has an annual revenue of 25M or more. | Any entities (non-profit or otherwise, including NGOs, individuals, and public entities) that target EU consumers, or which are based in the EU. |
| What types of data are protected? | Any data that relates to, or is capable of being associated with, a particular consumer or household, with the exception of public government records. | Any data that can lead to the identification of an individual. |
| Are IP addresses considered personal data? | Yes. | Yes. |
| Consent required before processing? | Only in the case of minors and in cases of a previous opt-out. | Yes, unless another legal basis legitimately applies. |
| Must businesses give consumers the option to opt out or withdraw consent? | Yes; businesses must provide a DNSMPI link and honor opt-out requests. | Users have both the right to withdraw consent and the right to object to processing (potentially applicable even where the processing is justified using a legal basis other than consent). |
| Do protections also apply to business-to-business (B2B) interactions? | No, CCPA protections apply to consumers only. | The GDPR makes no differentiation between protections applied to B2B and B2C (business-to-consumer) interactions; it simply applies its protections to “data subjects”, who are defined as any “identifiable natural persons” residing in the EU. |
| Security requirements? | The CCPA lists no specific security requirements but gives consumers the explicit right to bring suit for damages resulting from a business’ failure to implement appropriate security practices. | The GDPR requires both controllers and processors to implement security methods appropriate to the particular risk involved. Security methods should be “state of the art”, implying that they should be on par with the latest standards. |
| Penalties for non-compliance? | Fines of up to $7,500 per individual violation. The CCPA also gives consumers the right to bring suit for damages. | Fines of up to EUR 20 M (22 M USD) or 4% of annual global revenue, whichever is greater, plus potential audits and sanctions. The GDPR also gives data subjects the right to sue if their rights were violated. |
Applicable users’ rights at a glance
| Right | CCPA | GDPR |
|---|---|---|
| Right to be informed | Yes | Yes |
| Right of access | Yes | Yes |
| Right to portability | Yes | Yes |
| Right to rectification | No | Yes |
| Right to be deleted | Yes | Yes |
| Right to object | Somewhat covered by the right to opt-out | Yes |
Consequences of non-compliance
Consumers have the right to sue* businesses that violate the law. The associated fines will be between $100 and $750, or any higher amount related to actual damages (where larger damages can be proven).
*This only applies to the actual businesses themselves and not “service providers” acting on behalf of the business.
The state can bring charges of up to $2,500 per violation for businesses that unintentionally violate the CCPA, and fines of up to $7,500 per violation, for businesses that commit intentional violations.
Note: While these fines might not seem particularly large in comparison to other privacy laws, do consider that these fines apply per individual violation and per consumer. For a business with even just a few customers, these fines can add up to a hefty sum.
How to Comply with the CCPA
Compliance with the CCPA is, similarly to compliance with other privacy laws, a multi-faceted process that involves honest review, planning and technical and legal implementation. More often than not, however, it is implementation that proves to require the most effort.
This is where iubenda comes in. Implementation can be complicated. We take the weight off your shoulders by offering powerful software solutions — backed by our international legal team — which allow you to handle even the most complex situations within a few clicks and fully customize when needed. (More on our solutions and how they can help here).
Regardless of how you choose to approach the implementation process, there are still a few basic steps you’ll need to take before even getting to the implementation stage. Let’s take a look at them, as well as the rest of the implementation process, below.
Assess and review
Perhaps the most important step is honestly reviewing and assessing your own processes and systems.
Some questions to ask yourself here are:
- What categories of personal data do I collect, and which categories of third parties do I share this data with?
- Which sources do I collect this information from and what are their categories (e.g. analytics)?
- What are the reasons or purposes of my data collection?
- What are the CCPA consumer rights that apply to my processing activities?
- Am I technically equipped to fulfill consumer rights related requests such as deletion and access requests?
- How do I keep track of when such requests were fulfilled?
- Am I keeping track of all the service providers that access consumers’ personal information on my behalf?
- Can I reliably contact these parties to fulfill things like deletion requests?
- Do I maintain reliable records of the information and the categories of personal information I collect for each consumer?
- Do I have available on site the documents needed to make the legally required disclosures?
- Which exceptions reasonably and honestly apply to my scenario?
Make required disclosures
Be sure to include:
- the categories of personal information that you’ve collected, sold or shared in the past 12 months;
- the categories of third parties that you have and/or may share the personal information with;
- the categories of sources from which you collect consumers’ personal information;
- the business or commercial purpose for collecting or selling the consumer’s personal information;
- the applicable consumers’ rights and how they can be exercised.
Honor exercised consumer rights
Access, portability and deletion rights must be honored, at no cost to the consumer, within 45 days of receiving a verifiable request. The fulfillment period can be extended (only once) by a further 45 days if necessary, provided that the consumer is given notice of this fact.
When fulfilling access and portability requests, the information returned to the consumer must be given in an easy-to-use and easily transmittable format.
When a consumer exercises their opt-out rights (the right to say no to the sale of their data), you must comply upon receiving the request. In cases where you are aware that the consumer is a minor under the age of 16, you must not sell their information unless explicitly authorized to do so by a parent or guardian (for minors under 13), or by the minor consumer themselves where the minor is between 13 and 16.
Add a DNSMPI link to your website
Where technically feasible, you are allowed to host and redirect California residents to a separate homepage with the visible DNSMPI link.
Do not discriminate against consumers exercising their rights
The service, quality, levels and/or prices you charge or offer to consumers must not be influenced by or dependent on whether or not they’ve chosen to exercise their rights. The only exception to this rule is where the value of the service or good offered relies upon the data collected about the consumer (see the example above).
You may offer financial incentives (including payments) to consumers in exchange for accessing their personal information, however, you may only use financial incentives that are fair, reasonable, non-coercive and not extortionate. In all such cases, consumers must first be notified of such incentives via the homepage of your website.
Periodically review your processes
Laws, like the people, needs, and ideas they serve, are often dynamic “living” things. Similarly, your own business purposes, partners and processes may shift with time. For this reason, it’s vital that you periodically review and assess your internal processes, technical capabilities, and legal documents, and keep them up-to-date with legal requirements.