CCPA Compliance Checklist: Your Roadmap to Success
The California Consumer Privacy Act (CCPA) was passed in June 2018, prompted by a voter ballot initiative seeking stronger legal protection for Californians' personal information. The CCPA took effect on January 1, 2020 and is one of the most extensive data privacy laws in the country. It requires greater transparency from businesses that collect personal information from California residents: a business must tell consumers which categories of personal information it collects, for what purposes, and whether it sells or shares that information. Consumers may also ask a business to disclose the specific personal information it holds about them, to delete it, or to stop selling it, and a business may not discriminate against a consumer for exercising those rights.
Non-compliance is enforced by the California Attorney General (and, since the CPRA amendments, the California Privacy Protection Agency) through civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation. Consumers themselves can sue only when certain unencrypted and unredacted personal information is breached because a business failed to implement reasonable security, but that private right of action carries statutory damages of $100 to $750 per consumer per incident, which adds up quickly. With this in mind, you must do everything you can to achieve and maintain CCPA compliance. Fortunately, if you use our checklist, determining whether you fall under the CCPA's scope and becoming compliant shouldn't be complicated.
Does CCPA Apply to You?
The first thing to understand is that the CCPA is a state law, not a federal one. Many states have since enacted their own data privacy laws. The CCPA concerns only the personal information of California residents. If your company collects no personal information from California residents, the CCPA does not apply to you. If you do, you are legally required to follow the CCPA, whether or not your business is located in California.
There are a few exceptions to the law, meaning that not all businesses are required to comply. If your company doesn’t meet the criteria of a business that falls under the scope of the CCPA, then you are not legally obliged to achieve compliance.
Determine If Your Business is Covered
Three thresholds determine whether a business must comply with the CCPA. If your business meets any one of them, you are legally obligated to achieve and maintain compliance.
Does your annual gross revenue exceed $25 million?
Any company with annual gross revenue of more than $25 million must comply with the CCPA. If you are close to that mark but still below it, consider achieving compliance now, since you will likely be legally obligated to do so soon anyway.
Do you buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices?
Even if your company is nowhere near the $25 million revenue threshold, you must comply with the CCPA if you annually buy, receive for commercial purposes, sell, or share the personal information of 50,000 or more consumers, households, or devices. Receiving the data is enough; you need not be sharing or selling it. Note that the CPRA amendments, in force since January 1, 2023, raised this threshold to 100,000 consumers or households and no longer count devices, so check the current statutory text against your own numbers.
Does half or more of your annual revenue come from selling personal information?
Businesses that derive 50 percent or more of their annual revenue from selling consumers' personal information must also comply with the CCPA, even if they meet neither of the other two criteria.
Businesses That Are Exempt
In addition to companies that meet none of the three criteria, there are a few situations in which personal information is exempt from some of the CCPA's requirements, most often from the right to deletion. These include the following:
- Conduct wholly outside California - The CCPA does not apply to commercial conduct that takes place entirely outside California: the consumer was outside California when the personal information was collected, no part of any sale occurred in California, and no personal information collected while the consumer was in California is sold. All three conditions must hold for the exemption to apply.
- Transactional needs - If the personal information is needed to complete the transaction for which it was collected, to fulfill a written warranty or product recall, to provide a good or service the consumer requested, or otherwise to perform a contract with the consumer, the business does not have to delete it on request. For example, if a California customer buys a product with a five-year warranty, they cannot demand deletion of the data needed to honor that warranty until it expires. You cannot stretch this exemption to every transaction, though: once a one-time purchase is complete, the consumer has the right to request deletion.
- Employee information - Under the original CCPA, personal information collected from job applicants, employees, and contractors in that capacity was largely exempt: such individuals could not request deletion, but were still entitled to a notice at collection describing the categories of personal information collected and the purposes for which it is used, and kept the private right of action for data breaches. That exemption expired on January 1, 2023 under the CPRA amendments, and employee and contractor data is now covered in full.
- Research in the public interest - If personal information is used for public or peer-reviewed scientific, historical, or statistical research in the public interest, the business may not have to delete it on request, provided the consumer gave informed consent and deletion would render the research impossible or seriously impair it. Whether the exemption applies turns on those conditions.
- Internal uses - Deletion may not be required if you use the personal information solely for internal purposes that are reasonably aligned with the consumer's expectations given their relationship with your business.
- Legal compliance - A business may retain personal information needed to comply with the California Electronic Communications Privacy Act (CalECPA), for example to respond to a warrant, even after receiving a verified deletion request. Other legal obligations can likewise override a deletion request, such as records required for a regulatory investigation or for discovery in civil litigation.
- Security uses - Personal information used to detect security incidents, to protect against malicious, deceptive, fraudulent, or illegal activity, or to prosecute those responsible, such as security and access logs, can be retained despite a deletion request. This covers physical as well as cyber security.
Is Your Business Compliant?
Once you've determined whether your business meets one of the three criteria, work out whether you are currently compliant. There are three essential components to compliance:
- You need to be transparent about your data collection activities.
- You must give consumers a way to submit requests to access their data, delete it, or opt out of its sale or sharing.
- You must be able to fulfill those requests. For that, your data must be inventoried and accessible, and the employees who handle requests must be trained to execute them correctly.
The following steps should help you determine whether you are currently CCPA compliant and what to do if you aren't.
Take Stock of Your Data
Many businesses collect personal information from a variety of sources, and many do not organize it effectively. Without a clear inventory it is hard to trace everything you hold about one consumer, and you may struggle to fulfill a request to know or to delete. Data mapping, that is, recording what personal information you hold, where it lives, where it came from, and who it is shared with, lets you take proper stock of your data and makes access and deletion requests far easier to fulfill.
Have you mapped or inventoried the personal information you hold about California consumers?
Update Your Policies and Notices
The CCPA does not require consent to collect personal information (consent is required only to sell the personal information of consumers under 16), but it does require you to be transparent about what you collect and what you do with it. At a minimum this means a notice at or before the point of collection listing the categories of personal information collected and the purposes of use, and a privacy policy that describes consumers' rights and how to exercise them, updated at least once every twelve months. Beyond those, review the following policies and notices:
Tell users how you protect the data you collect and how you keep it confidential. A detailed, readable security statement on your website reassures users; without one, they have every reason to ask you to delete their information. Bear in mind that the CCPA also imposes a duty of reasonable security: if a breach of unencrypted, unredacted personal information results from a failure to implement reasonable security, consumers can sue for statutory damages, so the statement must describe controls you actually operate.
Can you assure your consumers of the confidentiality and integrity of their data?
If you sell or share personal information with third parties, make sure your agreements with them are standardized and put in writing. The contract must state what you are disclosing (the categories of personal information) and the purpose for which the recipient may use it, and it must prohibit the recipient from retaining, using, or disclosing the data for any other purpose, including reselling it.
Are your third-party agreements standardized, written, and restricted to the stated purposes?
Set Accessibility Procedures in Place
Not only must you fulfill consumer privacy requests, you must give consumers an easy way to make them. The CCPA requires at least two designated methods, including a toll-free telephone number (a business that operates exclusively online and has a direct relationship with the consumer needs only an email address), so a web form plus a phone number is the usual combination. Besides data-mapping all the personal information you hold, train the employees who will handle requests. You have 45 days from receipt to respond; this can be extended once by a further 45 days when reasonably necessary, provided you notify the consumer within the first 45 days.
Before fulfilling a request, verify that the requester is the consumer the personal information belongs to (or their authorized agent). Finally, if the request is for deletion, check whether any of the exemptions above allows or requires you to keep some of the data, and tell the consumer which data you retained and on what basis.
Can you execute access or deletion requests accurately and seamlessly?
Can you respond to consumers in a timely manner?
Can you correctly determine the eligibility of the requesting consumer?
Can you determine which exemptions apply to your company in each individual case?
Enable a Verification Process
You do not want it to be easy for someone to obtain personal information that isn't theirs; a sloppy process turns the right to know into an identity theft service and invites credit card fraud. Implement a verification process that authenticates each request before you act on it. Many vendor tools support this through email verification, multiple-choice challenge questions, or matching data points the requester supplies against what you already hold. Two practical rules: send any confirmation to the contact details already on file rather than to those typed into the request form, and never include Social Security numbers, driver's license numbers, financial account numbers, passwords, or security question answers in an access response, however well verified the request, because the CCPA regulations prohibit disclosing them.
Can you verify a requester's identity before releasing or deleting data?
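The accessibility and verification steps above, as an added example that is not code from the original page or from any particular compliance vendor: a Python skeleton that emails an HMAC-signed, time-limited confirmation token to the address already on file, redeems it with a constant-time comparison bound to the request it was issued for, computes the 45-day response date, withholds fields the regulations bar from access responses, and applies the warranty and security exemptions when deleting. The key, the sample record, the field lists, and the function names are constructed for illustration and are not the CCPA's or any product's own.

```python
# CCPA request intake: token verification, response deadline, exemption-aware fulfilment.
# Added example; the key, records, field lists and helper names below are constructed.
import base64
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical deployment constants. Load the key from a secrets manager in production.
SECRET_KEY = b"replace-me-with-a-32-byte-secret-from-a-secrets-manager"
TOKEN_TTL = timedelta(hours=24)        # validity of the e-mailed confirmation link
RESPONSE_WINDOW = timedelta(days=45)   # statutory response window from receipt

# Constructed sample record (not real data). Confirmation goes to the address on file.
RECORDS = {
    "acct-1001": {
        "email": "ana@example.com",
        "ssn": "123-45-6789",
        "orders": ["ord-77", "ord-91"],
        "warranty_expires": datetime(2027, 1, 1, tzinfo=timezone.utc),
        "security_log": ["2024-03-01 login from 203.0.113.7"],
        "marketing_profile": {"segment": "outdoor"},
    }
}
NEVER_DISCLOSE = {"ssn"}                                   # barred from access responses
WARRANTY_FIELDS = {"email", "orders", "warranty_expires"}  # needed to honor the warranty
SECURITY_FIELDS = {"security_log"}                         # security-incident exemption


@dataclass
class PrivacyRequest:
    request_id: str
    account_id: str
    kind: str              # "access" | "delete"
    received_at: datetime
    verified: bool = False

    @property
    def respond_by(self) -> datetime:
        return self.received_at + RESPONSE_WINDOW


def _sign(payload: bytes, key: bytes = SECRET_KEY) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_verification(req, now, key=SECRET_KEY):
    """Return (address on file, token). The token binds request id, account and expiry."""
    exp = int((now + TOKEN_TTL).timestamp())
    payload = f"{req.request_id}|{req.account_id}|{exp}".encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, key)
    return RECORDS[req.account_id]["email"], token


def redeem_verification(req, token, now, key=SECRET_KEY) -> bool:
    """Mark the request verified only if the token is authentic, unexpired and bound to it."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        rid, aid, exp = payload.decode().split("|")
    except ValueError:                  # covers binascii.Error and UnicodeDecodeError too
        return False
    if not hmac.compare_digest(_sign(payload, key), sig):   # constant-time MAC check first
        return False
    if rid != req.request_id or aid != req.account_id or now.timestamp() > int(exp):
        return False
    req.verified = True
    return True


def fulfill(req, now) -> dict:
    """Act on a verified request, applying disclosure limits and deletion exemptions."""
    if not req.verified:
        return {"status": "unverified"}
    record = RECORDS[req.account_id]
    if req.kind == "access":
        return {"status": "ok", "data": {k: v for k, v in record.items() if k not in NEVER_DISCLOSE}}
    if req.kind == "delete":
        keep = set(SECURITY_FIELDS)
        if record["warranty_expires"] > now:       # contract still running: retain
            keep |= WARRANTY_FIELDS
        deleted = sorted(k for k in record if k not in keep)
        for k in deleted:
            record.pop(k)
        return {"status": "ok", "deleted": deleted, "retained": sorted(keep)}
    return {"status": "unsupported"}


def demo() -> dict:
    """Walk an access request and a deletion through the flow; returns the outcomes."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    req = PrivacyRequest("req-1", "acct-1001", "access", received_at=now)
    mail_to, token = issue_verification(req, now)
    out = {"mail_to": mail_to, "respond_by": req.respond_by.isoformat()}
    out["before_verify"] = fulfill(req, now)["status"]
    out["tampered"] = redeem_verification(req, token[:-1] + ("0" if token[-1] != "0" else "1"), now)
    out["expired"] = redeem_verification(req, token, now + TOKEN_TTL + timedelta(seconds=1))
    out["other_request"] = redeem_verification(PrivacyRequest("req-2", "acct-1001", "access", now), token, now)
    out["verified"] = redeem_verification(req, token, now)
    out["access"] = fulfill(req, now)
    dreq = PrivacyRequest("req-3", "acct-1001", "delete", received_at=now)
    redeem_verification(dreq, issue_verification(dreq, now)[1], now)
    out["delete"] = fulfill(dreq, now)
    return out
```

The token carries the request id, the account id, and an expiry, so a link intercepted for one request cannot confirm another, and the MAC is checked with `hmac.compare_digest` before any field is trusted. `fulfill` refuses to act until `verified` is set, strips the fields the regulations bar from a disclosure, and on deletion keeps only what the running warranty and the security exemption justify, returning both lists so the consumer can be told what was retained and why. In a real deployment the confirmation would be sent by your mail system and the retained-field decision logged with the request.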
Create an Opt-Out Button or Link
If you sell or share personal information, add an opt-out link. The CCPA requires a clear and conspicuous link titled "Do Not Sell My Personal Information" on your homepage and in your privacy policy, leading to a page where the consumer can opt out without having to create an account. This makes it easy for consumers to tell you to stop selling or sharing their data.
Does your site give consumers a way to opt out of the sale or sharing of their information through a button or link?
Get Consent From Minors
As noted above, you do not need consent to collect personal information, and consumers aged 16 or older are protected by the right to opt out rather than by an opt-in. Selling is different for minors: you may not sell the personal information of a consumer you know to be under 16 unless they have affirmatively opted in. For consumers aged 13 to 15 the minor must give that authorization themselves; for children under 13 it must come from a parent or guardian.
Do you have a method in place for obtaining a parent's or guardian's authorization before selling the personal information of children under 13?
Do you have a method in place for obtaining opt-in consent from minors aged 13 to 15?
Systematically Plan Your Conformance
The CCPA is extensive in its regulation of data transparency and use. Although achieving compliance may seem daunting, it needn't be if you approach the process through systematic planning and implementation. Understanding what the CCPA requires is the first step; working through our checklist is the second. With it, you should be able to reach CCPA compliance step by step and maintain it once you are there.
Need to make updates to your website to be CCPA compliant? Consult with us today, let’s start a partnership.