The California Consumer Privacy Act (CCPA) applies to for-profit businesses collecting or processing the data of California residents – even if they’re out of state. Since California has the largest economy in the USA, the legislation has impacted businesses across the country and beyond since it came into force on January 1 2020.
CCPA Compliance Requirements
The CCPA requirements aims to give Californian consumers more control over how their data is used, for example by having the right to know when their personal information is being collected, access their data, correct it, request its deletion and opt out of allowing data to be sold on to third parties.
What should you be doing to ensure you comply with the CCPA? Here’s a handy step-by-step guide to compliance.
How to Comply with CCPA - Step-by-step
1. Check if CCPA applies to your business
The CCPA applies to anyone collecting data on Californian citizens, subject to a few criteria. The activity has to be carried out for profit (although non-profit organizations can be caught by the rules if they’re owned or controlled by a for-profit business).
Even if you are a for-profit organization, you’ll be exempt from the law if you meet three criteria:
- Annual gross revenues over $35 million
- Receive or disclose data on over 50,000 California residents each year
- Generate 50% or more annual revenue from selling data about California residents
2. Understand the definition of personal data
‘Personal information’ is defined within the law and it’s important you know what information falls within the legal definition.
The definition states that personal information is that which: ‘Identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or house.’
Personal information collected includes obvious data such as name, address and social security number but it can also include less obvious categories of data such as usernames, IP address and browsing or purchase history.
3. Audit your data systems
Your systems need to be able to identify California residents, manage their data in accordance with the law and store their data in a way that means it can be accessed if they request its disclosure, deletion or amendment in accordance with the law.
Your data inventory system must identify and classify data correctly, maintain proof of user consent to cookies and data collection. In most cases, you will need a cookie policy on your website.
You will also need a privacy policy tracking system to show which version was in place at the time consent was given. It should also record the types of data that are sold, shared with third parties or used for marketing purposes.
4. Understand what your obligations are under CCPA
There are five key consumer rights under the CCPA:
- The right to know how a business collects and sells your information
- The right to access data that is held about you and how it is used
- The right to delete your personal information, subject to some exemptions
- The right to opt out of personal information being sold on
- The right not to be discriminated against for exercising CCPA rights
Once you understand these rights, you can build a system for compliance with the law. Our handy CCPA compliance checklist might help you understand what you need to do.
5. Update your privacy policy
The CCPA requires businesses to have a privacy policy that sets out the rights of consumers, how data access requests can be submitted and the categories of personal information the company has collected within the previous 12 months.
Alongside a strong privacy policy, you also need to ensure that all individuals who handle consumer data in your company are fully trained so they do so safely and securely. This should be refreshed around once a year. Ensuring your cybersecurity is robust is also an important protection.
6. Implement permission and access controls
Your site should be configured to allow Californian citizens to exercise their CCPA rights, such as being notified of what data is collected and processed, opting out of data being collected and sold, and being told how data will be used. Make sure you meet the CCPA opt out requirements for your website based on consumer requests.
7. Create a procedure for fulfilling consumer rights requests
How would a consumer go about requesting their data from you under CCPA? You need a system for fulfilling consumer rights requests:
- How do consumers file a request? Is this by a dedicated email, phone line, online form? You need to offer two or more request mechanisms. Does your website and other materials give clear information about how to find this?
- How will you verify requests? You can’t just hand out data to anyone who asks – you need to be able to confirm the identity of the person making the request. You might need to use a third-party verification service or another secure verification method.
- Providing data records – these should cover the 12 months prior to the request and the information should be provided in a suitable format, free of charge and within 45 days of the request being made.
- Storing request records – details of data requests should be stored for 24 months to demonstrate compliance and assist in the event of a dispute. Consumers may only file two requests in a 12 month period, so records can help keep count and avoid fulfilling requests that exceed this.
8. Maintenance and compliance
Setting up a CCPA-compliant system is not the end of the story – you should be planning regular reviews of your approach to ensure you’re following best practice. This includes regular staff training, reviewing your privacy policy annually, checking to see if you are retaining data unnecessarily and watching out for legal changes or precedents.
CCPA and GDPR similar?
The California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) represent two of the most comprehensive and influential privacy regulations in today’s digital landscape.
Both share the common goal of empowering individuals with greater control over their personal data while imposing strict obligations on organizations that collect, process, and store such information.
The CCPA, which primarily addresses the rights of California residents, shares several similarities with the GDPR, such as granting individuals the right to access, delete, and opt-out of the sale of their personal data. However, the GDPR goes further, introducing additional rights like data portability and the “right to be forgotten.”
While the CCPA and GDPR differ in scope and jurisdiction, they both reflect a growing global awareness of the importance of data privacy and the need for robust regulatory frameworks to protect individuals’ rights in the digital age.
Let CookieHub help
If you need help ensuring your website cookies are CCPA-compliant, contact CookieHub. We can help you manage your cookies within CCPA compliance requirements, while also providing a smooth and seamless experience for your customers.