The California Consumer Privacy Act (CCPA) is the new privacy regulation out of California, United States, and it goes into effect on 1st January 2020. All privacy policies generated with iubenda are compliant with the CCPA, as they contain the option to easily apply the legal standards defined by the CCPA to Californian users.
When using this option, the CCPA related text and provisions will then be added to do documents you generate and only apply to users who you are required to offer the rights to. Additionally, when the CCPA option is enabled, the generator indicates which services are considered a sale under the CCPA’s definition.
About the CCPA
The CCPA applies to for-profit businesses that target or could potentially have Californian customers, and that meet any one of the following conditions:
it processes (buy, sell, receive, share) personally identifiable information of at least 50k Californians per year.– Since IP addresses are considered personal information, this likely applies to any website with at least 50k unique visits per year from California; or
it makes at least half of it’s yearly revenue from sharing consumers’ personal information (IP addresses are considered personal information) with third parties. This can include things like using Analytics or retargeting for ads; or
the business has gross annual revenues exceeding twenty-five million dollars ($25,000,000).
You can find the switch here:
under the heading “Apply CCPA standards to Californian Users” select Enable
The CCPA text is option is disabled by default. This allows you to consider your specific case and choose accordingly.
How to activate/modify a Service’s declaration of sale within the generator
As mentioned above, once the CCPA standards are enabled in the generator, the solution will also indicate and highlight services that may be considered to be a sale under the CCPA’s definition – as consumers must be able to identify and opt-out of these services.
To enable this option, simply make sure that you’ve enabled CCPA standards using the directions in the section above and the declaration will then be activated by default. In the services panel, whenever you add a service that could be considered a sale, the following checkbox will be displayed:
To modify after saving, simply click on the edit icon (pencil-shaped) and uncheck/check the option as need.
As the definition of a sale is a bit complicated under the CCPA, we’ve put defaults in place leaning towards “sale” being activated. However we strongly suggest double-checking against your situation by determining whether a specific activity is to be considered a sale or by consulting with a legal professional.
For an in-depth look at the CCPA definition of a sale, how we apply sale defaults in the generator, and “sale exceptions”, read the guide here.
Important note regarding the personal information of minors
If your processing activities constitute as sale (as mentioned above) under the CCPA, and this processing potentially includes the personal information of minors, you will need to make some additional disclosures by selecting from the following services within the generator.
Please note that 2) and 3) are not mutually exclusive, they can be used at the same time. Additionally, be sure to review your processes to ensure that you meet CCPA requirements regarding minors.
Additional CCPA Requirements
Toll-free number indication
If you run a business that doesn’t operate exclusively online and has a direct relationship with the user, then you must indicate “two or more designated methods” for submitting CCPA requests. One of these methods must be a toll-free telephone number. You can easily add this information via the “Owner field” within the generator.
The CCPA also requires the following:
What changes have been made to the policy text?
In addition to the above information, you can find a summary of the changes introduced to meet CCPA requirements here.
CCPA policy additions
plain-language clauses as recommended under US law;
a section that holds the bulk of CCPA-relevant disclosures:
outlining the purposes of processing,
outlining the sources of the data collection,
outlining the particular categories of personal information collected over the last 12 months,
which informs users of their rights under the CCPA and how those rights can be exercised,
which details how and when exercised rights will be honored,
informing consumers on how they can opt-out;
any other CCPA terminology and definitions.
Want to learn more about the CCPA and its full requirements? Read the How to Comply section of our detailed CCPA guide.