The California Consumer Privacy Act of 2018 (CCPA) is a law passed by California to protect the data and privacy of its residents. CCPA isn’t a replacement for current California privacy laws, but will instead function alongside them.
According to CCPA, businesses have to be more upfront about what they collect and how it’s used. They also must get consent from minors before selling their information. Furthermore, users can now prevent businesses from selling their data.
CCPA does not mean that you can no longer sell the user information you collect, though. However, when it comes to California residents, you’ll have to jump through a few more hoops.
CCPA takes effect on January 1, 2020; the Attorney General cannot begin enforcement actions until July 1, 2020. That gap is not an excuse to put this off: the obligations apply from January 1, and the extra months are the time you have to adapt your policies, processes, and website before enforcement starts.
What Does CCPA Consider “Personal Data”?
Personal data is anything that describes or identifies a person or that is somehow linked to an individual or household. That includes:
- Email addresses
- Employment information
- IP addresses
Technically, publicly available information is not considered personal data by CCPA. What counts as "publicly available" is a gray area, though, and it is safer to aim for full compliance than to rely on that exclusion. Also, even if one user's personal data happens to be public, that says nothing about your other users: you still need to be compliant across the board.
Does CCPA Affect Your Business?
CCPA impacts your business if you collect and process data from California residents. Your business, or a parent company or subsidiary, also has to meet one or more of the following:
- Your annual gross revenue is $25 million or more
- Every year, you buy, receive or sell personal data from 50,000 or more California devices, households or residents
- A minimum of 50% of your annual revenue comes from selling California residents’ personal data
You don’t need to have a California-based business in order to meet these thresholds. California residents can visit your website regardless of where your business operates from. Businesses in other U.S. states, as well as businesses around the globe, have to consider CCPA.
The size of your business doesn’t matter, either, other than referring to the thresholds. Even solo ventures and small businesses have to align with CCPA. However, businesses that process data for 4 million or more consumers have to meet extra requirements. For example, they have stricter guidelines when it comes to record-keeping.
If you meet a threshold but you are not collecting any personal information at all (no tracking tools, no forms, and no server logs that store IP addresses, which are personal data under the definition above), you are technically CCPA-compliant. On the other hand, if you are collecting info from California customers but are not yet meeting the thresholds, it still pays to prepare for CCPA. If your business grows quickly, you could cross $25 million in revenue or 50,000 California residents before you are CCPA-compliant.
How is a California Resident Defined?
According to California law, a resident is a person who:
- Is in California for something other than a temporary or transitory reason
- Lives in California, even if they’re not currently in the state due to a temporary or transitory reason
A person can live in California and not be a resident or live outside of California and still be a resident. To protect yourself, comply with CCPA if you have any reason to think a lot of your business comes from California residents.
How to Make Your Business Compliant with CCPA
To meet the requirements of CCPA, your business has to take several steps, many of which will require changing policies and processes. The first is to update your privacy policy so that it discloses:
- What, why, and how you collect and process personal information
- How users can access, change, or remove their personal data that you’ve collected
- Your method for verifying the identity of a user who is making one of those requests
- How personal data is sold and how a user can opt-out of having their personal data sold
Keep in mind that these are the minimum CCPA requirements. If you feel there’s more to your data collection process that users want to know, add it.
Get consent from minors
You'll need to get consent from minors between the ages of 13 and 16, or from a parent or guardian for children under 13. You can ask for consent when they arrive at your website or just before you would sell their data, but either way you cannot sell their data before getting it. Store every response you receive, including refusals. For everyone else, CCPA does not require opt-in consent before you collect and use data; you do still have to disclose what you collect and how it is used.
Allow users to change their information
Part of CCPA is giving California users the ability to access, change, move, or delete their personal data. You have to offer at least two methods for submitting these requests, and one of them has to be a toll-free number. The other can be a contact form on your website, an email address, or a mailing address.
Verify the user’s identity when they make a request
Once users get in touch to change their information, you need a way to verify that they’re who they say they are. You can’t ask for proof of identification via a government-issued document, like a driver’s license. Instead, you can use the same type of authentication you used when the person submitted their data. You can also try to verify their identity by asking them to confirm information they’ve provided in the past.
If the business cannot verify the user's identity, it should still comply to the extent it can. For example, if a user asks for their information to be deleted but the business cannot verify who they are, the business keeps the data but treats the request as an opt-out of sale. If there is no way to comply at all, the business can deny the request.
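The verification flow described above, as an added worked example (this code is not from the original article and is not a reference implementation of CCPA). It assumes that, at collection time, you kept salted hashes of the data points a user supplied (email, postal code, and so on), that a request must match REQUIRED_MATCHES of them to count as verified, and that a small in-memory record stands in for the real customer database. Opt-out requests go through unverified, an unverified deletion request degrades to an opt-out, and anything else that cannot be verified is denied.

```python
"""Added example: verify a consumer request against previously supplied data
points and fall back gracefully when verification fails.

Assumptions (not stated by the article): verification compares salted hashes
of data points collected earlier, REQUIRED_MATCHES of them must match, and a
toy in-memory record replaces the real customer store.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

REQUIRED_MATCHES = 2  # assumption: data points that must match before a request is verified
# Fields never used for verification (the article says not to demand government IDs).
GOVERNMENT_ID_FIELDS = {"drivers_license", "passport", "state_id"}


def _normalise(value: str) -> str:
    """Case-fold and collapse whitespace so 'Alice@Example.com ' matches 'alice@example.com'."""
    return " ".join(value.strip().lower().split())


def _digest(value: str, salt: bytes) -> bytes:
    """Salted slow hash, so the verification table holds no raw data points."""
    return hashlib.pbkdf2_hmac("sha256", _normalise(value).encode(), salt, 100_000)


@dataclass
class ConsumerRecord:
    consumer_id: str
    salt: bytes
    checks: dict          # field name -> digest of the value supplied at collection
    do_not_sell: bool = False
    deleted: bool = False


def enrol(consumer_id: str, data_points: dict) -> ConsumerRecord:
    """Store hashes of the data points supplied at collection time."""
    salt = secrets.token_bytes(16)
    checks = {k: _digest(v, salt) for k, v in data_points.items()
              if k not in GOVERNMENT_ID_FIELDS}
    return ConsumerRecord(consumer_id, salt, checks)


def count_matches(record: ConsumerRecord, answers: dict) -> int:
    """Number of answers that match what the consumer supplied earlier."""
    matches = 0
    for field_name, answer in answers.items():
        expected = record.checks.get(field_name)
        # compare_digest avoids leaking which field failed via timing
        if expected is not None and hmac.compare_digest(expected, _digest(answer, record.salt)):
            matches += 1
    return matches


def handle_request(record: ConsumerRecord, request_type: str, answers: dict) -> str:
    """Act on a request of type 'access', 'delete' or 'opt_out' and return the action taken."""
    if request_type == "opt_out":
        # Opt-out needs no identity verification and must not require an account.
        record.do_not_sell = True
        return "opt_out_recorded"
    verified = count_matches(record, answers) >= REQUIRED_MATCHES
    if verified:
        if request_type == "delete":
            record.deleted = True
            return "deleted"
        return "access_granted"
    # Unverified: comply as far as possible. Deletion degrades to opt-out of sale.
    if request_type == "delete":
        record.do_not_sell = True
        return "unverified_treated_as_opt_out"
    return "denied_unverified"
```

The record keeps only hashes, so a breach of the verification table does not hand an attacker the very data points that unlock access or deletion; the slow hash and constant-time comparison are there for the same reason. Tune REQUIRED_MATCHES to the sensitivity of what a verified request can reveal or destroy.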
Add a “Do Not Sell My Personal Information” link to your homepage
You'll need to place a "Do Not Sell My Personal Information" link in a noticeable spot on your website's homepage. This is for users to click if they want to prevent you from selling their personal data. The process for opting out has to be as simple and easy as possible, and the business has to respond to every opt-out request. According to the official CCPA fact sheet, "…businesses must treat user-enabled privacy settings that signal a consumer's choice to opt-out as a validly submitted opt-out request." In practice that means a browser or device setting that signals opt-out has to be honored just like a click on the link.
Also, you cannot require people to create an account so they can opt-out. While some businesses may want to require an account as a means of identifying the user, CCPA prevents this as a prerequisite for opting out. If the user already has an account and that’s how you’re able to verify their identity, that’s fine.
Keep records of exchanges with customers
Businesses have to keep records of all user requests, and they also must record and save their responses to users. Maintain these records for a minimum of 24 months; to be safer, hold onto them indefinitely. Note that the record is the request and your response (who asked, when, what they asked for, and what you did), not a copy of the personal data you were asked to delete.
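An added example covering the two previous points: treating a browser privacy signal as an opt-out request and keeping the record of it. This is not code from the original article. It assumes the signal arrives as the `Sec-GPC: 1` request header (the Global Privacy Control proposal; the article does not name a specific signal), that the consumer is keyed by an anonymous cookie value rather than an account, because opting out must not require one, and that records live in memory for the example.

```python
"""Added example: honor a browser opt-out signal and record the request.

Assumptions (not from the article): the signal is the `Sec-GPC: 1` header,
consumers are keyed by an anonymous cookie value (no account needed), and
the 24-month retention period is taken as 730 days.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION = timedelta(days=730)   # 24 months, per the article; 730 days is an assumption


def opt_out_signaled(headers: dict) -> bool:
    """True when the request carries an opt-out signal.
    Header names match case-insensitively; only the exact value '1' counts."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class OptOutRecord:
    consumer_key: str       # anonymous cookie value or account id
    source: str             # 'link' (homepage link) or 'signal' (browser header)
    received_at: datetime
    response: str           # what the business did in reply


class OptOutLog:
    """Append-only record of opt-out requests and the do-not-sell flags they set."""

    def __init__(self):
        self._records = []
        self._opted_out = set()

    def record(self, consumer_key: str, source: str, now: datetime) -> OptOutRecord:
        rec = OptOutRecord(consumer_key, source, now, "do-not-sell flag set")
        self._records.append(rec)
        self._opted_out.add(consumer_key)
        return rec

    def may_sell(self, consumer_key: str) -> bool:
        return consumer_key not in self._opted_out

    def records_to_retain(self, now: datetime) -> list:
        """Records still inside the retention window. This only reports;
        nothing is ever deleted, in line with the article's advice."""
        return [r for r in self._records if now - r.received_at < RETENTION]


def process_request(log: OptOutLog, consumer_key: str, headers: dict,
                    clicked_link: bool, now: datetime) -> str:
    """Handle one page request. A click on the 'Do Not Sell' link and a browser
    signal are both recorded as opt-outs. Returns the action taken."""
    if clicked_link:
        log.record(consumer_key, "link", now)
        return "opt_out_recorded"
    if opt_out_signaled(headers):
        if log.may_sell(consumer_key):
            log.record(consumer_key, "signal", now)
            return "opt_out_recorded"
        return "already_opted_out"
    return "no_opt_out"
```

Every code path that sets the do-not-sell flag also writes a dated record with the response, so the 24-month record-keeping duty is met by construction rather than by a separate process. The signal check deliberately accepts only the value `1`, so a malformed or absent header never silently opts someone out, and the consumer key is whatever anonymous identifier you already have, so no account is required.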
Don’t discriminate based on privacy requests
CCPA says that businesses can’t discriminate against users if they exercise their privacy rights. That means that if a user says you cannot sell their data, you can’t deny them services or adjust their pricing in retaliation.
It’s possible that a business will offer an incentive to people who allow for the sale of their data. In this case, you have to disclose details of the incentive, including how you calculate the value of the personal data.
Penalties for Not Complying with CCPA
If you're not in compliance with CCPA once enforcement begins on July 1, 2020, the Attorney General can notify you of the violation. You then have 30 days to cure it. If you don't, a civil action can be brought against you, with fines of up to $2,500 per unintentional violation and up to $7,500 per intentional violation, and each affected consumer can count as a separate violation. For example, if you intentionally violated the rights of 2,000 California residents, the fine could reach $7,500 x 2,000, a total of $15,000,000. That's a bill you'll definitely want to avoid!
The Differences Between CCPA and GDPR
While CCPA guidelines sound similar to GDPR’s, the two have key differences. Even if your business is currently GDPR-compliant, that doesn’t mean it’ll automatically be CCPA-compliant. You may meet some CCPA guidelines, but not all of them. Some of the CCPA guidelines that may exceed GDPR are:
- Adding a “Do Not Sell My Personal Information” link on the homepage
- Creating a method for users to request changes to or removal of their information
- Verifying the person's identity when they make that type of request
- Getting consent from minors before selling their information
While you may have some of the process already set up for GDPR, you’ll want to double-check that your methods also comply with CCPA. There are small, but important, differences between the two. For example, under CCPA, you have to show the categories of personal information that you’ve sold over a 12-month period; this isn’t a requirement of GDPR. On the other side, CCPA doesn’t have the cookies consent requirement that GDPR has.
Your first step is to assess if your business has to be compliant with CCPA as of January 1, 2020. Or, consider if your business will grow to the point where it will need to be compliant in the future. If so, it’s best to get everything in place now so you don’t have to scramble later on and risk getting fined. Exactly how you set up your website to comply with CCPA depends on your current processes and your workforce. You may automate as much as possible or, if you don’t expect too many changes or removal requests, you can have a few employees who reply directly to users.