CCPA Compliance Requirements Checklist
The California Consumer Privacy Act (CCPA) is coming into force. Under the terms of this Act, businesses that collect personal data from Californians must abide by certain rules and protocols.
The CCPA aims to give the people of California the same protections as EU residents have under the General Data Protection Regulation (GDPR). It's one of the most wide-reaching data protection laws in the United States and it's extremely important that you understand how to comply with it.
- 1. The CCPA: Does it Apply to You?
- 2. Data Covered by the CCPA
- 2.1. Public Records and the CCPA
- 2.2. Domicile and the CCPA
- 3. The CCPA and Privacy
- 3.1. Right to Disclosure
- 3.2. Right to Access
- 3.3. Your Contact Information
- 3.4. Right to be Forgotten
- 3.5. The "Do Not Sell My Information" Page
- 3.6. Right to Opt Out of Marketing
- 3.7. Right to Fair Treatment
- 4. Conclusion
The Act places various obligations on business owners. We'll go into these obligations in more detail, but in summary, business owners must:
- Tell consumers more about what happens to their personal data, or personally identifiable information, when it's shared with the business
- Maintain a data inventory to track data processing history
- Notify a consumer at or before the point of data collection about what categories of personal information the business collects and for what purposes
- Give consumers the right to access the personal data held on them
- Explain how consumers can make a request for the business to delete their personal data (in other words, the right to be forgotten)
- Ensure that consumers know their rights under the CCPA
- Create a Do Not Sell My Personal Information page if you sell personal information
Although this may seem like a lot of information to process, it's more straightforward than it looks at first glance. The gist of it is that the CCPA attempts to balance privacy concerns with the growth of online commerce. In practice, it comes down to telling consumers:
- That you collect their personal information
- Why you collect this information
- What you plan on doing with this information
- How the consumer can refuse your use of their personal data for certain purposes
- That you won't discriminate against them if they refuse to let you use their personal data for marketing and consumer behaviour research
Before you make your CCPA compliance checklist, let's make sure you're clear on who the CCPA applies to and whether you're obligated to comply with it.
The CCPA: Does it Apply to You?
The CCPA applies to for-profit businesses. This means that if you run a charity or other non-profit, the CCPA won't apply to you.
If you run a for-profit company, you're obligated to comply with the Act if your business meets any one of these thresholds:
- Buys, receives, sells, or shares the personal information of 50,000 or more Californian consumers, households, or devices per year
- Has gross annual revenues exceeding $25 million, or
- Derives at least 50% of its annual revenue from selling personal information belonging to Californians
You'll see that you only need to tick one of these boxes for the Act to apply. So, for example, if you only have a revenue of $10 million per year, but 55,000 of your consumers or site visitors are Californian, you must comply with the Act.
If you're unsure whether or not the CCPA applies to your business, it's a good idea simply to comply with its terms. Much of the work overlaps with what other data protection laws that likely do affect you, such as the GDPR, already require, so the effort isn't wasted.
Data Covered by the CCPA
Since the CCPA regulates the sale, processing, and transfer of personal data, you must be clear on what falls under the scope of personal information.
The definition is really simple. If the data can be used to identify someone, either as an individual or as part of a household, then it's personal data. Examples of personal data include:
- Home address
- Passport and other official numbers
- Employment records
- Biometric records such as fingerprints
- Email and IP addresses
The Act defines personal information in subsection (o)(1) of Section 1798.140 as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The Act then goes on to provide a non-exhaustive list of categories that fall within this definition.
There are, of course, exceptions to this rule.
Public Records and the CCPA
Information that's lawfully made publicly available is outside the scope of the CCPA. What does this mean? Here's an example:
Say someone leaks a stolen customer address list online. That information was not lawfully made available, so the exemption doesn't apply. Records that a government body lawfully makes available to the public, on the other hand, are publicly available, and so the CCPA doesn't apply to that information.
By now, you may be wondering something else. Who counts as a "Californian" as defined by the CCPA? Let's take a look.
Domicile and the CCPA
Only those domiciled in California have the CCPA's protection. In terms of the Act, domicile means that someone ordinarily lives in California. Someone who goes on holiday or leaves the state for some other temporary reason still calls California home and keeps the Act's protection.
Similarly, someone living in California for a limited but non-transitory period (for example, a year-long work placement) is covered by the CCPA.
In practice, this is pretty straightforward. If a Californian goes on holiday to Mexico and they visit your site from Mexico, they're entitled to the Act's protection and you must handle their data responsibly.
So, you know you're obliged to comply with the CCPA and you're wondering how to go about it. Let's consider what the Act demands of you and how you can check your compliance standards.
The CCPA and Privacy
Right to Disclosure
If you collect information about a consumer protected by the CCPA, then you must inform the consumer of your intentions at or before the point of data collection.
So, you can either tell them about your data collection activities when they first land on your webpage, using a pop-up window or a banner, or at the specific point where you gather the data, such as next to a sign-up or checkout form.
Right to Access
Consumers have the right to request you provide them with the following information in a "readily usable" format, free of charge and within 45 days from their request (with an additional 45 day extension period available when necessary):
- What categories of personal information you collect
- What specific pieces of personal information you have about that specific consumer
- What categories of sources you get your personal information from
- What your commercial purpose is for the collecting or selling of personal information
- What categories of third parties you disclose personal information to
Businesses only have to honor a consumer's access request twice in any 12-month period. This reduces the administrative burden on the business. Make sure you provide a method for users to exercise this right, such as your contact information in multiple formats.
Your Contact Information
The Act requires you to offer consumers at least two designated methods for submitting requests, which at a minimum means a toll-free telephone number and, if you maintain a website, a web address where requests can be made. Publish these in your Privacy Policy so consumers can find them easily.
Right to be Forgotten
Every consumer has the right to ask a business to delete their personal information. This right is subject to only limited exceptions: you can, for example, hold onto data needed to complete a client's order or to fulfil some other legal obligation.
Abercrombie & Fitch tells its customers how they can access their own personal information and how to have an account cancelled, effectively removing it.
The "Do Not Sell My Information" Page
If you sell your visitors' personal information, you must give these consumers the opportunity to opt out of this sale. This is in line with the principle that everyone has control over what happens to their personal data.
If you don't sell personal information, you don't have to comply with this part of the CCPA, but here is what compliance looks like for businesses that do.
Coca-Cola makes it explicitly clear how visitors can opt out of information selling. A clause about disclosing personal information includes a link to its Do Not Sell My Personal Information page.
It also includes a link to the Do Not Sell My Personal Information page in the website's footer.
At the time of writing, still before the CCPA enforcement deadline, Coca-Cola notes that it's working on another method for making privacy rights requests, but in the interim it provides a convenient way to contact the company directly.
Right to Opt Out of Marketing
Every customer must be made aware if a business sells their data to third parties, or if it uses their personal data for marketing purposes, and every customer has the right to opt out of this usage.
Gymshark clearly sets out who the company shares personal data with, so that its users can manage these details better.
Right to Fair Treatment
You can't discriminate against a customer for opting out of marketing or any other personal data sharing. The Act takes a fairly hard line on this, explicitly prohibiting the following while noting that the list isn't exhaustive:
- Denying the customer access to goods or services
- Charging different rates or prices for goods or services, including through the use of discounts or benefits, or by imposing penalties
- Providing a different level or quality of goods or services to the consumer depending on opt-out or opt-in status
- Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services by opting out
Conclusion
Although Privacy Policies are nothing new, you must ensure that yours adheres to the CCPA if the Act applies to your business. Beyond your website footer, link to it in appropriate spots like a checkout page, sign-up page and anywhere else a user will be asked to share personal information or finalize a transaction with you.
Here's a simple checklist to run through for business CCPA compliance:
- Tell customers:
  - You collect personal data
  - Which personal data you collect
  - How you process and collect this data
  - Why you collect the data
  - They have the right to opt out of marketing and of the sale of their data
  - They can contact you for further information, using at least two designated methods
- Explain how you keep track of personal data and maintain a clear record of the information you have
- If you sell personal information, provide a Do Not Sell My Personal Information page and link to it
- If a customer reaches out to you to access, amend or delete their information, respond within the Act's 45-day window (extendable once by a further 45 days where necessary)