The California Consumer Privacy Act (CCPA) has wide implications for how businesses may collect, process, and share personal data.
Specifically, there are occasions where you'll need someone's express consent before you can gather their personal details or process them in any way. This usually concerns the "sale" of personal data, including data belonging to minors.
But before we get into the details, let's briefly touch on what the CCPA is, how it works, and who must comply with its terms.
- 1. The CCPA
- 1.1. "Personal Data"
- 1.2. The Rights of the Individual
- 1.3. Who the CCPA Applies to
- 1.4. "Consent"
- 2. Complying With the CCPA
- 3. CCPA Consent Requirements
- 4. Selling Personal Information Under the CCPA
- 5. Do Not Sell My Personal Information: Opt Out Rules
- 6. Selling Information About Minors: Opt In Rules
- 6.1. Use Age Verification
- 6.2. Data Limitation
- 7. Penalties For Non-Compliance
- 8. Conclusion
The CCPA
The CCPA came into force on January 1, 2020. It regulates how businesses treat personal and sensitive information belonging to Californians.
Here's a summary of the key points.
"Personal Data"
The CCPA controls what businesses may do with "personal data." The Act defines personal data fairly broadly in Section 1798.140:
Let's unpack this.
- Personal data isn't just information you could use to identify a single person. It's also data you could use to identify a particular household.
- If you can use information to draw an inference about someone or their behavior, personality, or preferences, it's also personal data.
If in doubt, it's always safer to assume something's personal data than not.
The Rights of the Individual
Under the CCPA, people have the right to:
- Know what categories of personal information businesses collect from them, and why
- Understand if a business plans on sharing their data with third parties, or selling it
- Refuse to let businesses sell their personal information to third parties
- Ask businesses to delete their data
- Request portable copies of the data held on them
In short, the CCPA helps people control who they share personal data with, but it also allows businesses to continue collecting data for commercial or other legitimate business purposes.
Who the CCPA Applies to
The CCPA protects Californian consumers, as per Section 1798.140(C)(7)(g):
To be clear, this means any resident of California buying goods or services, i.e., acting as a consumer.
"Consent"
For the most part, consent isn't much of an issue in the CCPA. It's normally OK to collect, use, and process a Californian consumer's data without their consent. We'll cover the exceptions in more detail in a moment, but for now, just know that:
- There are some occasions when you must get an individual's informed consent before sharing their personal data, and
- People are free to withdraw their consent at any time (and you can't discriminate against them if they do).
Complying With the CCPA
That's what the CCPA is, but who must comply? Well, the rules are simple. You must comply with the CCPA if you:
- Are a for-profit company
- Collect personal information from California residents, and
- Decide how that data should be used
It's irrelevant whether you're based in California or not. If you transact with Californian residents, the Act may apply to you.
I say "may" because there's no need to comply unless one of the following additional criteria applies:
- You earn 50% or more in profit through selling consumer data
- You sell or buy data belonging to 50,000+ individuals
- Your gross income exceeds $25 million
This is all defined in Section 1798.140(C):
So, for example, if your gross income is $24 million, and you only sell or buy data belonging to 10,000 individuals, and only 10% of your profits come from selling consumer data, the CCPA doesn't apply.
CCPA Consent Requirements
As mentioned, there are only a few occasions when you need someone's consent to process their personal data under the CCPA.
So, when do consent requirements arise?
Mainly, on one occasion: when you plan on selling someone's personal data.
Selling Personal Information Under the CCPA
First, let's be clear on what a "sale" is under the CCPA.
As we can see from Section 1798.140, a "sale" essentially covers any situation where you share any piece of information with a third party in exchange for something of value, financial or otherwise:
You could be "selling" personal data if, for example, you share data with third parties to produce personalized ad campaigns. For businesses, then, this means that there's a good chance you could be selling data within the meaning of the CCPA.
To be clear, there are some exceptions to the rule. You're not selling personal data if:
- You're informing a third party that the consumer doesn't want their information sold
- The consumer asks you to share their data with a third party
- You use the data for a reasonable business purpose which is compatible with why you gathered the information originally
"Reasonable business purpose" isn't well-defined, but it seems similar to the "legitimate interest" exception under the GDPR. So, if you can show you're using the data in a way the consumer would reasonably expect, it's probably not a sale.
In short, if there's any chance you're selling someone's data within the Act's meaning, it's best to proceed as if you are, which means following the CCPA's "opt out" rules.
Let's break them down.
Do Not Sell My Personal Information: Opt Out Rules
The main rule is this: Although the Act allows you to share personal data with third parties, every Californian (over the age of 16) has the right to opt out, i.e., they can stop you selling their personal data.
To comply with this right, and to ensure you have someone's consent to selling their personal information, you must do three things.
- Treat all consumers fairly, even if they do opt out. You can't discriminate against them.
Let's unpack all of this further.
There's no set format for what a "Do Not Sell" page should look like, but according to Section 1798.135, it must contain three things.
- Information regarding your data selling policies
- A process for how users may opt out
- Contact details so that people can ask you for more information before they make a decision
Check out this example from Walmart. There's a "Do Not Sell" link at the bottom of the main page along with other important links:
Here's another example from Levi's. You'll find a link called "CA Do Not Sell My Personal Information" in the footer:
When you click the link, a box pops up directing consumers to contact Levi's for more information, or submit a request:
Always use a "Do Not Sell" link if you sell personal information, or if there's even a chance you might do so.
- If you sell personal data
- How customers can opt out, and
- Where they can contact you for more information
Clause 3 of this section explains that Walmart may sell data within the meaning of the CCPA, and gives people clear instructions for opting out:
Contact details are also included:
You can say something like, "We do not sell your personal information to any third party." Here's an example from Gymshark:
However, you must be sure you're not actually selling data before you do this. Otherwise, it's best to use a "Do Not Sell" page.
Selling Information About Minors: Opt In Rules
When it comes to under-16s, the position's a little different.
In short, children must opt in before you can sell or share their personal data with any third party. You can't knowingly sell or share data belonging to under-16s unless:
- The child, aged 13 or over, consents, or
- If the child is under 13, a parent consents
This is set out in Section 1798.120(c):
So, rather than opting out, minors must opt in. How do you ensure you're not knowingly sharing personal data belonging to a minor, though?
Well, there are a few things you can do (technically, these tips apply to gathering personal data from kids more generally, but they work equally well for CCPA consent compliance).
Use Age Verification
Do you think under-16s use your website? It might be best to verify users' ages before they can use your website, e.g., open an account or buy goods. You can then, ideally, separate data belonging to minors from data belonging to adults and avoid selling it to third parties.
Here's an example of a possible age verification technique from the Disney Store:
If your website is aimed at under-13s, this is probably the better approach.
Data Limitation
Alternatively, you can limit what information you collect from kids to reduce the risk of gathering data you can't sell without permission.
PBS Kids, for example, doesn't let children share personal data in their usernames:
- You don't knowingly sell data belonging to under-16s (or under-13s), and
- If someone has reason to believe you have data belonging to a minor, they can contact you to ensure it's deleted.
As you can see, it's a balancing act. While you should take reasonable steps to verify someone's age, the steps you take must be proportionate.
Where possible, try to avoid selling minors' data to avoid falling short of the Act's requirements.
Finally, always keep a record of any consent you receive from minors or their guardians, so that it's verifiable consent.
Penalties For Non-Compliance
If you fail to get CCPA-compliant consent, you could be subject to financial penalties.
As set out in Section 1798.155, if you're notified of a non-compliance issue, you have 30 days to remedy the violation. This is known as the "time to cure". If you haven't complied with the CCPA within the 30-day period, you could be fined:
- $2,500 for a non-intentional infringement
- $7,500 for a deliberate infringement
- The fine is for a single violation. So, for example, if you commit two accidental violations, and you don't fix them within 30 days, you could be fined $5,000.
- While the current law states that you have 30 days to fix a breach before you're fined, this could change.
Conclusion
The California Consumer Privacy Act (CCPA) applies to businesses targeting consumers in California. It gives people living in California control over what happens to their personal data, who it's shared with, and whether it's sold on.
If the CCPA applies, you don't normally need someone's consent to process personal information. However, you do need consent in the context of selling personal data. To summarise, you need consent if:
- Someone opts out of personal data selling, and you want to request they opt back in
- You want to sell data belonging to minors
If consent is required, you must:
- Use a "Do Not Sell" page
- Take reasonable steps to verify the age of under-16s, and never sell their data unless they opt in first
A failure to secure the right consent may lead to financial penalties.