CCPA (CPRA) Compliance Requirements Checklist

Under the California Consumer Privacy Act (CCPA), businesses that collect personal data from Californians must abide by certain rules and protocols.
The CCPA was updated and expanded by the CPRA. This robust law aims to give the people of California the same protections as EU residents have under the General Data Protection Regulation (GDPR). It's one of the most wide-reaching data protection laws in the United States and it's extremely important that you understand how to comply with it.
The Act places various obligations on business owners. We'll go into these obligations in more detail in this article.
- 1. The CCPA (CPRA): Does it Apply to You?
- 2. Data Covered by the CCPA (CPRA)
- 2.1. Public Records and the CCPA (CPRA)
- 2.2. Domicile and the CCPA (CPRA)
- 3. The CCPA (CPRA) and Privacy
- 3.1. Right to Disclosure
- 3.2. Right to Access
- 3.3. Your Contact Information
- 3.4. Right to be Forgotten
- 3.5. The "Do Not Sell My Information" Page
- 3.6. Right to Opt Out of Marketing
- 3.7. Right to Fair Treatment
- 3.8. Access to Your Privacy Policy
- 3.9. Mandatory Periodical Privacy Policy Updates
- 4. Conclusion
In summary, business owners must do the following to comply with the CCPA (CPRA):
- Publish a Privacy Policy that complies with CCPA (CPRA) rules and is updated at least once every 12 months
- Tell consumers more about what happens to their personal data, or personally identifiable information, when it's shared with the business
- Maintain a data inventory to track data processing history
- Notify a consumer before or at the point of data collection that the business wants permission to collect this data
- Give consumers the right to access the personal data held on them
- Explain how consumers can make a request for the business to delete their personal data (in other words, the right to be forgotten)
- Ensure that consumers know their rights under the CCPA (CPRA)
- Create a Do Not Sell My Personal Information page if you sell personal information
Although this may seem like a lot of information to process, it's more straightforward than it looks at first glance. The gist of it is that the CCPA (CPRA) attempts to balance privacy concerns with the growth of online commerce.
You'll note that all businesses that collect, store, or process personal data must publish a Privacy Policy. The good news is that, if you've already updated your Privacy Policy to bring it in line with the GDPR, then these obligations will be largely familiar to you.
The Privacy Policy is the most significant compliance requirement for businesses subject to the CCPA (CPRA). Why? Because your Privacy Policy should contain information explaining how your business complies with the other terms of the Act.
Put simply, your Privacy Policy should tell consumers:
- That you collect their personal information
- Why you collect this information
- What you plan on doing with this information
- How the consumer can refuse your access to their personal data for certain purposes
- That you won't discriminate against them if they refuse to let you use their personal data for marketing and consumer behaviour research
Before you make your CCPA (CPRA) compliance checklist, let's make sure you're clear on who the CCPA (CPRA) applies to and whether you're obligated to comply with it.
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country.
- Answer the questions from our wizard relating to what type of information you collect from your users.
- Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
The CCPA (CPRA): Does it Apply to You?
The CCPA (CPRA) applies to for-profit businesses. This means that if you run a charity or other non-profit, the CCPA (CPRA) won't apply to you.
If you run a for-profit company, you're obligated to comply with the Act if your business:
- Receives, processes, or transfers data from 100,000 Californians or more per annum
- Has gross yearly takings exceeding $25 million, or
- Derives at least 50% of its annual revenue from selling or sharing data belonging to Californians
You'll see that you only need to tick one of these boxes for the Act to apply.
If you're unsure whether or not the CCPA (CPRA) applies to your business, it's a good idea simply to comply with its terms. That way, you'll also be complying with other data protection laws that likely do affect you, such as the GDPR.
Data Covered by the CCPA (CPRA)
Since the CCPA (CPRA) regulates the sale, processing, and transfer of personal data, you must be clear on what falls under the scope of personally identifiable information.
The definition is really simple. If the data can be used to identify someone, either as an individual or as part of a household, then it's personal data. Examples of personal data include:
- Home address
- Names
- Passport and other official numbers
- Employment records
- Biometric records such as fingerprints
- Email and IP addresses
The Act defines this in subsection (o)(1) of 1798.140:
There are, of course, exceptions to this rule.
Public Records and the CCPA (CPRA)
Information that's lawfully made publicly available is outside the scope of the CCPA (CPRA). What does this mean? Here's an example:
Say someone distributes an address book online. This is illegal, and so the exemption doesn't apply. Government census records, on the other hand, are publicly available, and so the CCPA (CPRA) doesn't apply to this information.
By now, you may be wondering something else. Who counts as a "Californian" as defined by the CCPA (CPRA)? Let's take a look.
Domicile and the CCPA (CPRA)
Only those domiciled in California have the CCPA (CPRA)'s protection. In terms of the Act, domicile means someone who ordinarily lives in California. Even if someone goes on holiday or leaves the state for some other temporary reason, they still call California their home.
Similarly, someone domiciled in California for a short period (for example, a year-long work placement) is covered by the CCPA (CPRA).
In practice, this is pretty straightforward. If a Californian goes on holiday to Mexico and they visit your site from Mexico, they're entitled to the Act's protection and you must handle their data responsibly.
So, you know you're obliged to comply with the CCPA (CPRA) and you're wondering how to go about it. Let's consider what the Act demands of you and how you can check your compliance standards.
The CCPA (CPRA) and Privacy
As mentioned earlier, including certain things within your Privacy Policy is key to complying with the Act, along with a few other business requirements. Let's work through the key requirements, rights and what you must do to comply.
Right to Disclosure
If you collect information about a consumer protected by the CCPA (CPRA), then you must inform the consumer of your intentions at or before the point of data collection.
So, you can either tell them about your data collection activities when they first land on your webpage, or at a specific point when you gather data. Here are examples of each.
You can either use a pop-up window or a banner to let customers know that you collect data about them.
Here's an example of a banner from Women's Best. It tells customers that the company uses cookies to collect visitor information. You can then click on the Privacy Policy link to learn more about what data is collected before you proceed any further:
If you send out a newsletter or want to sign people up for your mailing list, it's a good idea to highlight two things at the point of collection: firstly, that you're collecting data, and secondly, that the customer should read your Privacy Policy before proceeding.
Forbes includes a link to its Privacy Policy when it collects email addresses and a statement letting subscribers know that by signing up they're giving consent to the Policy:
Right to Access
Consumers have the right to request that you provide them with the following information in a "readily usable" format, free of charge and within 45 days of their request (with an additional 45-day extension period available when necessary):
- What categories of personal information you collect
- What specific pieces of personal information you have about that specific consumer
- What categories of sources you get your personal information from
- What your commercial purpose is for the collecting or selling of personal information
- What categories of third parties you disclose personal information to
Businesses only have to honor a customer's access request twice a year. This reduces the administrative burden on the business. Make sure you provide a method for users to exercise this right, such as your contact information in multiple formats.
Your Contact Information
You should tell customers where they can find out more about your Privacy Policy and CCPA (CPRA) compliance, as well as how to contact you to exercise their rights (as mentioned in the previous section). You must give, at a minimum, a toll-free telephone number and online contact details.
VANS, for example, leaves a link to its contact details within the Privacy Policy. When you click on that link, it takes you to a page with a toll-free number and a contact form:
Right to be Forgotten
Everyone has the right to ask a business to delete their personal information. This right is only subject to very limited exceptions. You can, for example, hold onto data to complete a client's order or to fulfil some other legal obligation.
Abercrombie & Fitch tells its customers how they can access their own personal information and how to have an account cancelled, effectively removing it:
The "Do Not Sell My Information" Page
If you sell your visitors' personal information, you must give these consumers the opportunity to opt out of this sale. This is in line with the principle that everyone has control over what happens to their personal data.
If you sell information, you must provide a web page that gives people the option to "opt out" of having their information sold. You should link to this web page in your Privacy Policy. It's also good practice to put a link on your landing page or at the footer of your website.
If you don't sell personal information, you don't have to comply with this part of the CCPA (CPRA), but here is what compliance looks like.
Coca-Cola makes it explicitly clear how visitors can opt out of information selling. A clause about disclosing personal information includes a link to its Do Not Sell My Personal Information page:
It also includes a link to the Do Not Sell My Personal Information page in the website's footer:
When clicking on the link provided, customers are redirected to a section of the Privacy Policy that instructs them to click a "Contact Us" button to exercise a number of privacy rights, including the right to object to having data sold or shared:
At the time of writing, still before the CCPA (CPRA) enforcement deadline, you'll see that Coca-Cola notes that it is working on another method for making privacy rights requests, but in the interim it provides a convenient way to contact the company directly.
Right to Opt Out of Marketing
Every customer must be made aware if a business sells their data to third parties, or if it uses personal data for marketing purposes. Every customer has the right to opt out of this usage.
Gymshark clearly sets out who the company shares personal data with so that its users will be able to manage these details better:
Right to Fair Treatment
You can't discriminate against a customer for opting out of marketing or any other personal data sharing. The Act takes a fairly hard line on this, explicitly prohibiting the following but making a note that this list isn't at all exhaustive:
- Denying the customer access to goods or services
- Charging different rates or prices for goods or services, including through the use of discounts or benefits, or by imposing penalties
- Providing a different level or quality of goods or services to the consumers depending on opt-out or opt-in status
- Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services by opting out
Access to Your Privacy Policy
It should be noted that with all these responsibilities comes one other: you must make your Privacy Policy visible to site visitors. You can use a pop-up or a banner to draw attention to your Privacy Policy, as shown above, and you can link to the Policy in your header or footer.
You can also include it in appropriate spots like a checkout page, sign-up page and anywhere else a user will be asked to share personal information or finalize a transaction with you.
For more information and tips, read our article on where to place your Privacy Policy on your website and within your mobile apps.
Mandatory Periodical Privacy Policy Updates
To comply with the Act, you must update your Privacy Policy every 12 months. That way, customers know if you're now collecting, selling, processing, or otherwise handling data differently than before, or if you're gathering more information than before.
If you revise your Privacy Policy and update it in a material way, meaning you make a substantive change to how you collect, process, or share personal information, you must clearly share that your Privacy Policy has been updated.
Here is an example from Strong Strong Friends. A Privacy Policy clause explains that the company periodically updates its Privacy Policy and that changes are effective from when they're posted on the site. Readers can refer to the Policy's "last modified" date to see when changes were last made:
Conclusion
Although Privacy Policies are nothing new, you must ensure that yours adheres to the CCPA (CPRA) if the Act applies to your business.
Here's a simple checklist to run through for business CCPA (CPRA) compliance:
- Create a Privacy Policy
- Include in that Privacy Policy a list of the rights that a customer has
- Tell customers:
  - You collect personal data
  - What personal data is
  - How you process and collect this data
  - Why you collect the data
  - They have the right to opt out of marketing
  - They can contact you for further information
- Make sure your Privacy Policy is clear and easy to understand
- Explain how you keep track of personal data and maintain a clear record of the information you have
- If a customer reaches out to you to amend or delete their information, answer their request as promptly as you can
- Put a link to this Privacy Policy somewhere where customers can easily find it