What is CCPA compliance?

The introduction of the California Consumer Privacy Act (CCPA) in 2018 was a turning point for privacy law in the United States, with an estimated half a million companies in the US being affected by the law. CCPA compliance means that covered businesses – for-profit entities that fall under the scope of the CCPA – can demonstrably meet obligations set out under the CCPA, including a range of new consumer rights, a new definition of personal information, and new concepts of businesses and service providers in relation to the roles of controller and processor.

Download the eBook: The Ultimate Guide to CCPA Compliance

CCPA compliance has many benefits including providing organizations with both marketing and competitive advantages in the marketplace as well as avoiding heavy fines that can range up to $2500 per unintentional violation or $7500 per intentional violation.

Overview of the CCPA

The CCPA was the first comprehensive privacy law to be passed in the US. The initial ballot was introduced in October 2017 by the Californians for Consumer Privacy and set out the preliminary language of the CCPA. Senate Bill 1121 (SB 1121) was introduced by the California Legislature, eventually being approved by the California Senate, and subsequently referred to the California Assembly in May 2018. Californians for Consumer Privacy withdrew their ballot as part of a deal that saw SB 1121 being signed into law. In June 2018, the Governor of California, Jerry Brown, signed the CCPA into law with an effective date of January 1, 2020. The California Legislature has since issued several rounds of amendments to the CCPA as well as proposed regulations.

The CCPA set out to give Californian consumers more control over the way their personal information is handled through a number of new consumer rights as well as requiring businesses to inform consumers of certain information at the time of collection and via privacy policies.

Key CCPA terminology

Personal information

Personal information is the term used to describe personal data that falls under the scope of the CCPA. This is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples of personal information or PI include, but are not limited to:

• Real name
• Postal address
• An online identifier
• IP address
• Email address
• Social security number
• Driver’s license number
• Passport number
   

Business

The definition of a business under the CCPA is similar to that of a data controller under the GDPR. A business is defined as a for-profit legal entity that collects personal information, determines the purposes of processing personal information, does business in California, and satisfies one or more of the following thresholds:

• Has annual gross revenues in excess of $25,000,000;
• Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; and
• Derives 50% or more of its annual revenues from selling consumers’ personal information
   

Service provider

As with the definition of business, a service provider under the CCPA has similarities to the concept of a data processor under the GDPR. A service provider is defined as any for-profit legal entity that processes personal information on behalf of a business.

Consumer

A consumer is a natural person who is a resident of California as defined within Title 18 of the California Code of Regulations.

“The term “resident,” as defined in the law, includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.”

Do not sell

Among the number of rights afforded to consumers in California, the CCPA includes the right to instruct businesses to stop selling their personal information. Businesses must inform consumers that personal information is sold to third parties and that consumers have the right to opt out of such sales via a privacy policy. Businesses must also include a “Do Not Sell My Personal Information” link on their homepage that directs consumers to a web page where they can exercise their right to opt out of the sale of their personal information.

Opt-out icon

The California Attorney General released a dedicated Opt-Out icon that businesses can use in addition to their Do Not Sell link to promote consumer’s awareness of their right to opt-out.

The use of an opt-out icon on a business’s website should not be used in place of a “Do Not Sell My Information” link.

Does the CCPA apply to your organization?

To decide whether your business is covered by the CCPA, you need to consider both the ‘material scope’ (i.e., whether your processing activity is regulated by the CCPA) and the ‘territorial scope’ (i.e., whether your commercial activities take place within California or involve the personal information of Californians).

Territorial Scope

Entities doing business in California are covered by the CCPA’s territorial scope. However, businesses conducting commercial activities “wholly outside California” do not fall under the scope of the CCPA, this includes:

• Information that was collected while the consumer was outside of California,
• Where no part of the sale of the consumer’s personal information occurred in California, and
• Where no personal information collected while the consumer was in California is sold
   

Material scope

The CCPA’s material scope covers the processing, collecting, and selling of consumer personal information. Businesses, as defined earlier, should consider each act made regarding personal information and its corresponding obligations.

Processing is defined as an operation that is performed on personal data whether by automated means or not. Collecting personal information under the CCPA includes, but is not limited to buying, renting, receiving, or accessing any personal information relating to a consumer. The term selling includes actions such as renting, disclosing, or exchanging personal information for “monetary or other valuable consideration.”

CCPA consumer rights

The CCPA prescribes several rights to allow consumers to control the way businesses process, share, and sell their personal information.

Right to know

Consumers have the right to know about the personal information a business collects about them and how it is used and shared.

Right to access

Consumers have the right to request a business to disclose the personal information that has been collected and the purposes of its use.

Right to delete

Consumers have the right to request that businesses delete any personal information that has been collected from them. Exemptions to this right apply.

Right to opt-out

Consumers have the right to opt out of the sale of their personal information.

Right not to be discriminated against

Consumers have the right to exercise their rights under the CCPA without repercussions such as being denied goods or services, being charged a different price, or being provided with a different level of service.

5 steps to CCPA compliance

Implement a consumer rights request process

The first step towards CCPA compliance involves setting up a dedicated consumer rights request process to fulfill the requirements that organizations face in light of new consumer rights under the CCPA. When implementing a consumer rights request process, you should consider the following steps:

• Intake consumer rights requests: Organizations should provide two or more designated intake methods including a toll-free telephone number and a web address. Consumers should not be required to create an account in order to submit a request, however, businesses can require consumers who have an existing account to use this to exercise their rights.
• Determine the validity of the request: Once a request is received the privacy office should review the request and determine what action should be taken and if any exemptions apply.
• Verify the consumer’s identity: For access and deletion requests, organizations should take measures to verify the identity of the requester which can include email or phone verification, confirming known information, or third-party verification service. Consumers exercising their right to opt-out are not required to verify their identity and a secure method for communicating with consumers should be provided.
• Fulfill the requests: Organizations should cover the 12-month period preceding the request and disclose the information in a portable and easily readable format. Requests should be honored free of charge and within 45 days of receipt.
• Document request history: Organizations should keep a record of requests for 24 months for accountability, compliance, and in case of a dispute. Records of consumers’ requests should be maintained in order to monitor whether consumers have made two requests within a 12-month period.
   

Opt-out for AdTech and cookies

The CCPA’s opt-out of sale requirement means businesses should examine their practices for scanning websites and consider if those fall under the CCPA’s definition of a sale.

Geo-targeted cookies banners can include CCPA-specific language for opt-out consent and can help businesses satisfy compliance under the CCPA’s requirements for disclosure at the time of collection.

Data mapping and vendor management systems may also be needed in order to determine the third parties that receive personal information who do not fall under the service provider exemption.

Internal data governance

Creating a data inventory and internal data governance processes can help with responding to consumer requests efficiently as well as understanding what data you have, where it is stored, and the compliance requirements attached to it.

A centralized data inventory can also assist with tracking where the transfer or sale of data occurs as well as monitoring vendor relationships and potential third-party risks as well as tracking CCPA compliance.

Policy and disclosure management

Privacy policies and collection notices should be updated in order to meet the requirements set out under the CCPA. Businesses must disclose the categories of personal information collected, the purposes for its use, and consumers’ rights at the point of collection.

There are also other mandatory disclosures that businesses must make within their privacy policy, including whether the business has sold or disclosed consumers’ personal information. The privacy policy must also include a description of consumers’ rights and at least one intake method for submitting rights requests. Businesses could consider hosting this information in a dedicated privacy portal or through a California-specific privacy policy.

Download the eBook: The Ultimate Guide to CCPA Compliance

Ongoing CCPA compliance

Compliance with any privacy law or regulation is not a one-time, check-box exercise and requires continuous monitoring. The following three pillars are key areas to consider when looking to achieve ongoing compliance with the CCPA:

• Research: Stay on top of ongoing regulatory developments and monitor new regulatory authority guidance to be able to accurately review internal policies and processes for areas of improvement.
• Training: Employees across the organizations should be trained on CCPA requirements and business processes to help ensure a baseline understanding of compliance responsibilities. The CCPA and their Regulations also outline specific training requirements for covered businesses including training for handling consumer requests made by minors and a privacy training policy for businesses that sell or share the personal information of 10 million or more consumers.
• Benchmarking: Businesses covered by the CCPA should consider obtaining privacy or ISO certifications as well as internal program maturity assessments to benchmark progress towards CCPA compliance.