What is CCPA compliance?
The introduction of the California Consumer Privacy Act (CCPA) in 2018 was a turning point for privacy law in the United States, with an estimated half a million companies in the US being affected by the law. CCPA compliance means that covered businesses – for-profit entities that fall under the scope of the CCPA – can demonstrably meet obligations set out under the CCPA, including a range of new consumer rights, a new definition of personal information, and new concepts of businesses and service providers in relation to the roles of controller and processor.
CCPA compliance has many benefits, including marketing and competitive advantages in the marketplace as well as avoiding heavy fines that can range up to $2,500 per unintentional violation or $7,500 per intentional violation.
Overview of the CCPA
The CCPA was the first comprehensive privacy law to be passed in the US. The initial ballot was introduced in October 2017 by the Californians for Consumer Privacy and set out the preliminary language of the CCPA. Senate Bill 1121 (SB 1121) was introduced by the California Legislature, eventually being approved by the California Senate, and subsequently referred to the California Assembly in May 2018. Californians for Consumer Privacy withdrew their ballot as part of a deal that saw SB 1121 being signed into law. In June 2018, the Governor of California, Jerry Brown, signed the CCPA into law with an effective date of January 1, 2020. The California Legislature has since issued several rounds of amendments to the CCPA as well as proposed regulations.
The CCPA set out to give Californian consumers more control over the way their personal information is handled through a number of new consumer rights as well as requiring businesses to inform consumers of certain information at the time of collection and via privacy policies.
Key CCPA terminology
Personal information
Personal information is the term used to describe personal data that falls under the scope of the CCPA. It is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples of personal information (PI) include, but are not limited to:
Business
The definition of a business under the CCPA is similar to that of a data controller under the GDPR. A business is defined as a for-profit legal entity that collects personal information, determines the purposes of processing personal information, does business in California, and satisfies one or more of the following thresholds:
Service provider
As with the definition of business, a service provider under the CCPA has similarities to the concept of a data processor under the GDPR. A service provider is defined as any for-profit legal entity that processes personal information on behalf of a business.
Consumer
A consumer is a natural person who is a resident of California as defined within Title 18 of the California Code of Regulations.
“The term ‘resident,’ as defined in the law, includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.”
Do not sell
Among the number of rights afforded to consumers in California, the CCPA includes the right to instruct businesses to stop selling their personal information. Businesses must inform consumers that personal information is sold to third parties and that consumers have the right to opt out of such sales via a privacy policy. Businesses must also include a “Do Not Sell My Personal Information” link on their homepage that directs consumers to a web page where they can exercise their right to opt out of the sale of their personal information.
Opt-out icon
The California Attorney General released a dedicated Opt-Out icon that businesses can use in addition to their Do Not Sell link to promote consumers’ awareness of their right to opt out.
The opt-out icon on a business’s website supplements, and must not replace, the “Do Not Sell My Personal Information” link.
Does the CCPA apply to your organization?
To decide whether your business is covered by the CCPA, you need to consider both the ‘material scope’ (i.e., whether your processing activity is regulated by the CCPA) and the ‘territorial scope’ (i.e., whether your commercial activities take place within California or involve the personal information of Californians).
Territorial Scope
Entities doing business in California are covered by the CCPA’s territorial scope. However, businesses conducting commercial activities “wholly outside California” do not fall under the scope of the CCPA; this includes:
Material scope
The CCPA’s material scope covers the processing, collecting, and selling of consumer personal information. Businesses, as defined earlier, should consider each act made regarding personal information and its corresponding obligations.
Processing is defined as an operation that is performed on personal data, whether by automated means or not. Collecting personal information under the CCPA includes, but is not limited to, buying, renting, receiving, or accessing any personal information relating to a consumer. The term selling includes actions such as renting, disclosing, or exchanging personal information for “monetary or other valuable consideration.”
CCPA consumer rights
The CCPA prescribes several rights to allow consumers to control the way businesses process, share, and sell their personal information.
Right to know
Consumers have the right to know about the personal information a business collects about them and how it is used and shared.
Right to access
Consumers have the right to request a business to disclose the personal information that has been collected and the purposes of its use.
Right to delete
Consumers have the right to request that businesses delete any personal information that has been collected from them. Exemptions to this right apply.
Right to opt-out
Consumers have the right to opt out of the sale of their personal information.
Right not to be discriminated against
Consumers have the right to exercise their rights under the CCPA without repercussions such as being denied goods or services, being charged a different price, or being provided with a different level of service.
5 steps to CCPA compliance
Implement a consumer rights request process
The first step towards CCPA compliance involves setting up a dedicated consumer rights request process to fulfill the requirements that organizations face in light of new consumer rights under the CCPA. When implementing a consumer rights request process, you should consider the following steps:
Opt-out for AdTech and cookies
The CCPA’s opt-out of sale requirement means businesses should examine the tracking practices on their websites (such as cookies and AdTech tags) and consider whether the data sharing they involve falls under the CCPA’s definition of a sale.
Geo-targeted cookie banners can include CCPA-specific language for opt-out consent and can help businesses satisfy the CCPA’s requirements for disclosure at the time of collection.
Data mapping and vendor management systems may also be needed in order to identify the third parties that receive personal information but do not fall under the service provider exemption.
Internal data governance
Creating a data inventory and internal data governance processes can help with responding to consumer requests efficiently as well as understanding what data you have, where it is stored, and the compliance requirements attached to it.
A centralized data inventory can also assist with tracking where the transfer or sale of data occurs, monitoring vendor relationships and potential third-party risks, and tracking CCPA compliance.
Policy and disclosure management
Privacy policies and collection notices should be updated in order to meet the requirements set out under the CCPA. Businesses must disclose the categories of personal information collected, the purposes for its use, and consumers’ rights at the point of collection.
There are also other mandatory disclosures that businesses must make within their privacy policy, including whether the business has sold or disclosed consumers’ personal information. The privacy policy must also include a description of consumers’ rights and at least one intake method for submitting rights requests. Businesses could consider hosting this information in a dedicated privacy portal or through a California-specific privacy policy.
Ongoing CCPA compliance
Compliance with any privacy law or regulation is not a one-time, check-box exercise and requires continuous monitoring. The following three pillars are key areas to consider when looking to achieve ongoing compliance with the CCPA: