Iubenda logo

Documentation

Table of Contents

How to Apply CCPA Standards for Californian Consumers within the Generator

💡 Confused about the CCPA? Here’s what you need to do:

  1. Check if CCPA applies to you via our quiz
  2. Read our full guide on what CCPA is about
  3. Create or update your privacy policy to include all necessary CCPA provisions (this guide)
  4. Add a notice of collection and “Do not sell” link to all your pages

The California Consumer Privacy Act (CCPA) is the new privacy regulation out of California, United States, and it went into effect on 1st January 2020. All privacy policies generated with iubenda are compliant with the CCPA, as they contain the option to easily apply the legal standards defined by the CCPA to Californian users.

When using this option, the CCPA related text and provisions will then be added to the documents you generate and only apply to users who you are required to offer the rights to. Additionally, when the CCPA option is enabled, the generator indicates which services are considered a sale under the CCPA’s definition.

About the CCPA

The CCPA applies to for-profit businesses that target or could potentially have Californian customers, and that meet any one of the following conditions:

  • it processes (buy, sell, receive, share) personally identifiable information of at least 50k Californians per year.– Since IP addresses are considered personal information, this likely applies to any website with at least 50k unique visits per year from California; or
  • it makes at least half of it’s yearly revenue from sharing consumers’ personal information (IP addresses are considered personal information) with third parties. This can include things like using Analytics or retargeting for ads; or
  • the business has gross annual revenues exceeding twenty-five million dollars ($25,000,000).

More on the CCPA here.

How to activate the CCPA Text

If you are a for-profit business that potentially has users based in California, United States, we strongly suggest that you enable the CCPA text in the Privacy policy generator.

You can find the switch here:

  • log in to your privacy policy admin area
  • enter the editing of your privacy policy, which can be found via Dashboard, then click on your policy and go to Edit from the privacy policy section
  • under the heading “Apply CCPA standards to Californian Users” select Enable
Enable CCPA disclosures for Californian users

The CCPA text option is disabled by default. This allows you to consider your specific case and choose accordingly.

How to activate/modify a Service’s declaration of sale within the generator

As mentioned above, once the CCPA standards are enabled in the generator, the solution will also indicate and highlight services that may be considered to be a sale under the CCPA’s definition – as consumers must be able to identify and opt-out of these services.

To enable this option, simply make sure that you’ve enabled CCPA standards using the directions in the section above and the declaration will then be activated by default. In the services panel, whenever you add a service that could be considered a sale, the following checkbox will be made available. If the service has fields that require customization, you will see the checkbox within the usual customization screen (which typically appears after adding that service).

In cases where the service doesn’t require further customization, you’ll need to enter the edit screen in order to access the CCPA ‘sale’ checkbox. To do this (or to modify the CCPA sales checkbox after saving) simply click on the edit icon (pencil-shaped) and uncheck/check the option as need.

Once enabled, your policy will display a section that informs readers that a sale is happening, that they have the right to opt-out and will likely also give several options to do so. The current opt-out options given within the privacy policy are opt-out via links or via getting in touch.

If you deselect the pre-checked “consider as sale …” checkboxes or the generator determines that no sale is happening (based on the services you selected when creating your policy), your privacy policy will display a small statement to that effect.

Caution

As the definition of a sale is a bit complicated under the CCPA, we’ve put defaults in place leaning towards “sale” being activated. However we strongly suggest double-checking against your situation by determining whether a specific activity is to be considered a sale or by consulting with a legal professional.

For an in-depth look at the CCPA definition of a sale, how we apply sale defaults in the generator, and “sale exceptions”, read the guide here.

Important note regarding the personal information of minors

If your processing activities constitute as sale (as mentioned above) under the CCPA, and this processing potentially includes the personal information of minors, you will need to make some additional disclosures by selecting from the following services within the generator.

  1. No collection of personal information from minors to 16 – you do not knowledgeably collect personal information of consumers who are below the age of 16. The service to add to the privacy policy is called “CCPA: Collection of personal information about minors
  2. For minors between 13-16 – you do collect personal information of consumer between 13 and 16 and won’t sell their data unless those consumers have opted-in. The service to add to the privacy policy is called “CCPA: Collection of personal information about consumers aged 13 to 16
  3. Minors below 13 – you collect personal information of a consumer below 13 and won’t sell their data unless their parents or guardians have opted-in on behalf of those minors. The service to add to the privacy policy is called “CCPA: Collection of personal information about consumers below the age of 13

Please note that 2) and 3) are not mutually exclusive, they can be used at the same time. Additionally, be sure to review your processes to ensure that you meet CCPA requirements regarding minors.

Additional CCPA Requirements

Toll-free number indication

If you run a business that doesn’t operate exclusively online and has a direct relationship with the user, then you must indicate “two or more designated methods” for submitting CCPA requests. One of these methods must be a toll-free telephone number. You can easily add this information via the “Owner field” within the generator.

Update your privacy policy every 12 months

The CCPA also requires the following:

  • You must display the date the privacy policy was last updated. – iubenda puts that date in the footer of the privacy policy;
  • Information in the Privacy Policy or Policies must be updated at least every 12 months. – If changes are made during this period to a privacy policy, iubenda automatically updates the date in the footer of the policy. However, if no changes were made within the last twelve months, you can (recommended) force-update the date of the privacy policy as an indication to the user that the information is up to date.

What changes have been made to the policy text?

In addition to the above information, you can find a summary of the changes introduced to meet CCPA requirements here.

CCPA policy additions

  • plain-language clauses as recommended under US law;
  • a section that holds the bulk of CCPA-relevant disclosures:
    • outlining the purposes of processing,
    • outlining the sources of the data collection,
    • outlining the particular categories of personal information collected over the last 12 months,
    • which informs users of their rights under the CCPA and how those rights can be exercised,
    • which details how and when exercised rights will be honored,
    • informing consumers on how they can opt-out;
  • information added to the privacy policy highlighting the services that constitute a sale under the CCPA;
  • information added to the privacy policy regarding what category of personal information a particular activity belongs to; and
  • any other CCPA terminology and definitions.

Once activated and saved within the generator, your embedded privacy policy is automatically updated with the CCPA text  – no need to re-integrate the code on your site!

Want to learn more about the CCPA and its full requirements? Read the How to Comply section of our detailed CCPA guide.

See also