If you plan on collecting personal data from Californians who visit your website or register for your services online, then you need to abide by the terms of the California Consumer Privacy Act (CCPA). The CCPA became law on January 1st 2020, meaning that if you haven't already prepared your business for the effects of the Act, then it's time to start.
- 1. Who the CCPA Applies to
- 2. California Residency and the CCPA
- 3. Personal Data and the CCPA
- 4.1. Anti-discrimination
- 4.2. The Right to be Forgotten
- 4.3. The Right to Access Data Collected
- 4.4. Marketing
- 4.5. Data Shared with Third Parties
- 4.6. Contact Information
- 6. Conclusion
First, let's consider what the CCPA is, and what its objectives are.
The CCPA is a piece of data protection legislation. It is designed to put Californians back in charge of what happens to their personal and identifiable information. Consumers spend so much time shopping and doing business online now that it's important for them to know their personal data is safe and secure.
In other words, the CCPA achieves two things. Firstly, it makes it easier for businesses to reassure consumers that their data is safe. Secondly, it encourages consumers to put their trust in online businesses. Although complying with new data protection laws can seem onerous, it's worth remembering that these laws are making life easier for you in the long run.
When it's broken down, you can see that the CCPA controls:
- The data collected by businesses
- How businesses justify the information they collect and store
- The consent consumers must provide before their data is harvested, processed, shared, or stored
The CCPA attempts to balance commercial realities against the individual's right to privacy. Before considering the CCPA in more detail, it's worth highlighting a few key points.
The CCPA doesn't apply to charities or other non-profits.
Who the CCPA Applies to
- Your gross annual takings exceed $25 million
- You receive 50% or more of your annual revenue from selling data that belongs to Californians
- You distribute, process, or receive data from 50,000 or more Californians annually
Section 1798.140 sets out the details:
That all said, who does the CCPA protect? What constitutes a "Californian" for the CCPA's purposes?
California Residency and the CCPA
The CCPA only applies to people who actually reside in California. A resident for the Act's purposes is someone who is domiciled in California. This can be someone who:
- Typically resides in California but is on vacation somewhere else
- Is temporarily domiciled in California, for example for work or another purpose that's more than a holiday
The CCPA defines this in subsection G of section 1798.140:
For example, if someone spends a few weeks visiting relatives in California, but they usually live in New York, the CCPA doesn't cover them. On the other hand, if someone travels to New York for a medical procedure or work meeting, but they normally live in California, the CCPA covers them.
So, to recap, the CCPA protects Californians, and for-profit companies, subject to a few exceptions, should comply with its rules. What protections, though, does the CCPA offer?
Personal Data and the CCPA
"Personal data" is helpfully defined in subsection O of - you guessed it - section 1798.140 of the CCPA. It's defined as data which can identify a person or their household. Although this list isn't exhaustive, examples of personal data include:
- Residential addresses
- Browsing history and IP addresses
- Employment information
- Biometric data
- Passport numbers
- Social security numbers
Here's the clause in full:
This lengthy section then goes on to explain that "publicly available" information isn't covered by the CCPA. So, information lawfully made publicly available, like census records, isn't covered.
- What information a business collects
- Why it collects this personal data at all
- Who the business may share this data with, and why
- How the business collected the data
- Who the consumer can contact if they wish to know more about how their data is used or stored
- The consumer's various rights
If you make any material changes, you'll need to send out or provide an Update Notice of the changes as well.
Essentially, what we can take from the guidelines is that businesses must:
- Grant consumers control over their personal data and what happens to it online
- Comply with a consumer's wishes when exercising their rights
- Never discriminate against a consumer who doesn't want their data used for, for example, marketing purposes and third-party sales
Conduct a privacy law self-audit so you know exactly what privacy practices your business engages in and what information you need to disclose to your users.
A business may not discriminate against a consumer just because they don't want to share personal data with that company. As defined by section 1798.125 of the CCPA, discrimination includes refusing to serve a customer or charging them different prices because they won't give you permission to sell on their data.
The Right to be Forgotten
Consumers have the right to request that you delete their personal data. This right is so important that it's at the very start of the Act itself:
It's also included more specifically in section 1798.105 where it states that a consumer has the right to request that a business delete any personal information it may have collected from the consumer:
Medium also explains the consumer is responsible for ensuring that their personal data is deleted from all sources. For example, it's on the consumer to contact their payment provider to delete billing information. They have explained why this is necessary on the consumer's part, which complies with the CCPA's principles of honesty and transparency:
Summary: Check that you have a clause explaining fully how consumers can delete their personal data or request that you do it for them.
The Right to Access Data Collected
You should clearly set out what data you plan on collecting from the consumer, and why it's necessary to collect this data at all. Section 1798.110 of the CCPA makes this clear.
It states that consumers have the right to request that a business that collects personal information about the consumer disclose:
- The categories of personal information that have been collected
- The categories of sources from which the personal information is collected
- What the business or commercial purpose is for the collecting or selling of personal information
- The categories of third parties that the business shares personal information with
- The specific pieces of personal information that have been collected about that consumer
The company then explains that the customer has a right to access the data held on them. The customer has the right to ask for a copy of this data and to request that it's amended. They can also insist that the company deletes their data entirely:
You'll note that Nike makes it easy for customers to contact the team because it provides simple instructions on how to do so.
Although you can't control precisely what happens to personal data when it is transferred to these third parties, it's still important that consumers know how those third parties got access to their data in the first place.
Data Shared with Third Parties
Businesses that collect personal data should always specify the types of third parties that they share personal information with, and why.
Here is an example from Hollister. After explaining that it doesn't sell personal data for marketing purposes, it lays out the circumstances in which it does share data with third parties. For example, the company may share data with third parties to fulfill orders, engage in advertising campaigns and communicate better with customers:
Summary: Be transparent about who you share data with.
This example from Twitter is more robust than you may need if your business isn't global, but the more methods of contact you provide, the better:
Summary: Make it easy for your customers to contact you through a variety of methods.
- On an account sign-up/log-in screen
- On the checkout page if you do ecommerce
- Within your Cookie Consent Notice
- On an email newsletter sign-up form
- Your collection and storage of personal data
- Why it's necessary to collect this data
- Who you share this data with, and what happens to the data once you have it
- If any third parties ever have access to the data
- What rights consumers have under the CCPA
- How customers will never be discriminated against for opting out of personal data marketing
- Who customers should contact for more information or to have their personal data deleted from records