By now you’ve probably already heard about the CCPA, California’s upcoming privacy law, which is being compared to the likes of the GDPR. Data law in general can be complex and bogged down in legal jargon, making it difficult to get a clear picture of what is practically required. In this post, we’ll dissect the main requirements and outline how you can meet them in a straightforward and actionable way.
What is the CCPA and what does it require you to do?
The California Consumer Privacy Act (CCPA) is California’s newest privacy law, aimed at enhancing consumer privacy rights for residents of California, United States. The law is set to become effective on January 1st, 2020 and outlines new requirements for businesses processing personally identifiable information, giving additional rights to California-based consumers. The CCPA is therefore slated to have a big impact on business processes and liability.
What is personally identifiable information? The law describes personally identifiable information as any information that identifies, describes or is capable of being associated with a particular consumer or household – with the exception of public government records. This includes things like IP addresses, emails, names, geolocations, biometrics, health, education, commercial, electronic-activity, employment or audio information and much more. (See the full list here)
When does the CCPA apply and who does it apply to?
In general, any for-profit business that has or could have Californian consumers* as a part of their user-base could be subject to the CCPA – whether the business is based in California or not.
However, in order for the CCPA to apply to a business, any ONE of the following conditions must also apply:
- You process (buy, sell, receive or share) the personally identifiable information of at least 50k US residents per year who potentially live in the state of California. – Since IP addresses are considered personal information, it’s likely that any website with at least 50k unique visits per year from California falls within this scope; or
- Your business makes at least half of its yearly revenue from sharing consumers’ personal information (IP addresses are considered personal information) with third parties for “any benefit (monetary or not) that you would otherwise not be legally entitled to”. – This can include things like using Analytics or retargeting for ads; or
- Your business has gross annual revenues exceeding twenty-five million dollars ($25,000,000).
*Under the CCPA, a “consumer” is defined as a natural person who is a California resident, so B2B scenarios (in which the customer is a business rather than a person) don’t count.
IMPORTANT!
CalOPPA has not been repealed by the CCPA and still applies. Even if the CCPA does not apply to you, you may still be subject to other Californian laws like CalOPPA, or, if the CCPA does apply to you, you may be subject to both. You can read more about CalOPPA here.
Is the CCPA like the GDPR?
While there are some rights that overlap, the GDPR has a broader scope. Here’s a handy infographic we prepared on the CCPA vs GDPR for a quick comparison.
For the full description of user’s rights and CCPA requirements, and how you can meet them, continue reading below.
CCPA Requirements
1. The Right to Be Informed
Under the CCPA, consumers have a right to be informed about how their information is processed at or before the point of collection. This disclosure should include the categories of data processed, how/where it was sourced from and the purpose of the processing (more details on this in the compliance section below).
2. The Right of Access
Under the CCPA, consumers have a right to access their personal information when verifiably requested*. You can find specific details in the compliance section below.
*“Verifiably requested” means a request made by the consumer themselves, on behalf of their minor child, or by a person authorized by the consumer to act on their behalf, which the business can reasonably verify (as having been made by this person). Cal. Civ. Code § 1798.140(y)
3. The Right to Data Portability
Under the CCPA, the right to data portability is connected to the right to access, under Section 1798.100 (d). It generally means that consumers have the right to receive requested information in a reasonably portable format.
Where businesses fulfill Access requests “electronically”, it’s also required that the information be provided to the consumer in “a portable and . . . readily usable format that allows the consumer to transmit this information to another entity without hindrance”.
Exceptions and limits:
- Consumers can only make 2 portability requests within a 12-month period.
- Single one-time instances of processing are excluded if the information is not sold or retained by the business or used in any other way to re-identify the person.
- There is no need to respond if you have not actually collected information about the consumer making the request.
4. The Right to Be Deleted
The CCPA grants consumers the right to request the deletion of any personal information that has been collected about them. If a verifiable request for deletion is received from a consumer, you must delete the consumer’s personal information from your records and instruct any related service providers to delete the consumer’s personal information from their records.
Exceptions and limits:
Businesses are not required to comply with the request of deletion if the information is needed:
- to complete the transaction that the personal information was collected for;
- to provide a good or a service requested by the consumer, or to carry out an agreement between the business and the consumer;
- to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
- to debug, in order to identify and repair errors;
- to exercise free speech, or exercise another consumer’s right to free speech;
- to comply with the California Electronic Communications Privacy Act (CalECPA);
- for public or peer-reviewed scientific, historical, or statistical research in the public interest;
- to comply with a legal obligation;
- to enable strictly internal uses that are reasonably in tune with the consumer’s expectations (based on the consumer’s relationship with the business);
- for strictly internal use in a lawful manner compatible with the context in which the consumer provided the information.
5. The Right to Opt-Out (the right to say no to the sale of their data)
Under the CCPA, a consumer has the right, at any time, to tell a business which sells their personal information to third parties, that they must stop selling such personal information. Under the CCPA, “selling” simply means sharing the data with third-parties for “any benefit (monetary or not)” that you otherwise would not be legally entitled to. Selling within the context of the CCPA, therefore, can include things like using Analytics or retargeting for ads.
6. The Right to Opt-In (prior consent for minors)
Businesses are prohibited from selling the personal information of consumers if the business has actual knowledge that the consumer is under the age of 16. In such cases, businesses may only sell the information if:
- the consumer is between 13 and 16 and has opted-in; or
- the consumer is less than 13 years of age and the consumer’s parent or guardian has opted-in on the consumer’s behalf.
7. The Right to Not Be Discriminated Against (even if the consumer uses their privacy rights)
Under the CCPA, businesses are prohibited from discriminating against consumers for exercising their rights granted under the law. This includes:
- Denying goods or services to the consumer.
- Charging different prices for goods or services, including via the use of discounts or other benefits, or imposing penalties.
- Providing a different level or quality of goods or services to consumers who exercise their rights.
- Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
Exceptions (somewhat)
- You may charge or offer different prices, rates, levels, quality of goods or services ONLY in cases where that difference is reasonably related to the value provided to the consumer, by the consumer’s data.
To better illustrate this tricky point, consider the following example: a business offers a standard 20% discount on a product as an incentive to re-purchase, one month after the consumer’s first purchase of the same product. During this one-month period, the consumer exercises their right to deletion and requests that their personal information be deleted.
In this case, because the business no longer holds the consumer data showing that the consumer previously purchased the product, it cannot reasonably offer that standard discount to that particular consumer.
- You can offer financial incentives (including payments) as compensation for the collection of personal information, the sale of personal information, or the deletion of personal information. These financial incentives must be disclosed to users on the homepage of your website and within your privacy policy.
Businesses are prohibited from using financial incentive practices that are “unjust, unreasonable, coercive, or usurious in nature”.
Consequences for Violating the CCPA
Consumers are given the right to sue businesses that violate the law. The associated fines will be between $100 and $750, or any higher amount related to actual damages (where larger damages can be proven). The state can bring charges of up to $2,500 per violation for businesses that unintentionally violate the CCPA, and fines of up to $7,500 per violation, for businesses that commit intentional violations.
While these fines might not seem like a lot when compared to other privacy laws, do consider that these fines apply per individual violation and per consumer. For a business with even just a few customers, these fines can add up to a hefty sum.
How to Meet CCPA Requirements
At this point, you’re probably wondering how you can best meet the somewhat complicated technical requirements of the CCPA. The good news is that with the right mindset and tools, complying with the CCPA is more straightforward than you might think. Let’s dive in.
Step 1: Assess and Review
A critical exercise in compliance with laws like the CCPA (and others like the GDPR) is honestly reviewing and assessing your processes and systems. Here are some questions to help you with this:
- What categories of personal data do I collect and which categories of third-parties do I share this data with?
- Which sources do I collect this information from and what are their categories (e.g. analytics)?
- What are the reasons or purposes of my data collection?
- Which CCPA consumer rights (if any) do not apply to my processing activities?
- Am I keeping track of all the service providers that access consumers’ personal information on my behalf?
- Can I reliably contact these parties to fulfill things like deletion requests?
- Do I maintain reliable records of the information and the categories of personal information I collect for each consumer?
- Do I have the documents (e.g. privacy policy or terms and conditions) I need to make legally required disclosures available on my website?
- Which exceptions reasonably and honestly apply to my scenario?
Step 2: Make Required Disclosures and Honor Consumer Rights When Exercised
Disclosures
Based on your answers in the step above, identify and include the appropriate statements on your website where necessary.
The Right to be Informed
Consumers have the right to be informed of the following information.
- the categories of personal information that you’ve collected, sold or shared in the past 12 months;
- the categories of third parties that you have and/or may share the personal information with;
- the categories of sources from which you collect consumers’ personal information;
- the business/commercial purpose for collecting or selling the consumer’s personal information;
- the applicable consumers’ rights and how they can be exercised.
Technical implementation of this means keeping internal records of the type of processing you do (including who your service providers are) so that you’re able to include the relevant details in your privacy policy and, if applicable, at the point of data collection (e.g. a contact form).
Fulfilling Requests (Access, Portability, Deletion, Opt-out)
Here we’ll look at the specifics of what information or action is required and how you must fulfill these requests.
The Right of Access
Consumers have the right to access the following:
- the categories of personal information you’ve processed/collected about them in the past 12 months;
- the actual and specific pieces of information collected about them;
- the categories of sources through which you collected the information;
- the categories of personal information shared/sold;
- the categories of third parties that the personal information is shared with/sold to (e.g. ad companies);
- your purpose(s) for collecting or sharing the information;
- the particular categories of personal information shared for business purposes.
Technical implementation of this means having a means of retrieving information processed on specific consumers. One approach to this is simply being aware of what processes typically apply to particular user groups or transactions. From there you can compare against your internal privacy, sales and/or database records to retrieve the relevant information.
The Right of Portability
As previously mentioned, the right of portability is bundled together with the right of access as it relates to the fulfillment of an Access request.
When an access request is received you must respond through either regular mail or in an electronic format (such as email, file download, etc.). If delivered electronically, the information must be delivered in a format that’s easy to use and that allows the information to be easily transmitted to another person or company without hindrance.
The Right to be Deleted
When deletion requests are received, you must delete the consumer’s personal information from your records and instruct any related service providers to delete the consumer’s personal information from their records. You must provide consumers with two or more methods for submitting requests, including, at a minimum, a toll-free telephone number, and if the business maintains an internet web site, a web site address. You must also make reasonable efforts to verify that the person making the request is either the consumer about whom the information was collected, or authorized to request this information on behalf of the consumer as outlined above.
Access, portability and deletion rights must be honored, at no cost to the consumer, within 45 days of receiving a verifiable request. The fulfillment period can be extended (only once) by a further 45 days if necessary, provided that the consumer is given notice of this fact.
The Right to Opt-out
When someone exercises their opt-out rights (the right to say no to the sale of their data), you must comply upon receiving the request. This right must be facilitated by having a “Do Not Sell My Personal Information” (“DNSMPI”) link on your website (mandatory). The link must be easily accessible, clearly visible, and located both on your website’s homepage and within your privacy policy (with the appropriate disclosures). The link must take the user to a page where they can opt out of the sale of their personal information without first needing to create an account. You are allowed to host a separate homepage with the visible DNSMPI link and redirect California residents to it.
Technical implementation of this means having a way to transmit consumer privacy preferences to any third parties or ad networks that you might be using (more information in the final section below). In cases where the selling/sharing is manual (e.g. sharing your mailing list with another company for direct-marketing purposes), you could consider having your DNSMPI link point to a short contact form through which users can send you their requests directly.
Once an opt-out request is received, you cannot sell/share the personal information of that consumer unless the consumer gives express authorization for the sale of their personal information by opting back in.
Businesses may only ask for a consumer’s authorization one more time, and only 12 months after the consumer has opted out.
*In cases where you are aware that the consumer is a minor under the age of 16, opt-in applies – i.e. you must not sell their information unless explicitly authorized to do so by a parent or guardian (for minors under 13), or by the minor consumer themselves where the minor is between the ages of 13 and 16.
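As an added illustration (not code from this post or from iubenda), the following Python encodes the request-handling rules laid out in Step 2: the opt-out check combined with the minors’ opt-in rule, the single re-ask permitted 12 months after an opt-out, the 45-day response deadline with one notified extension, and the limit of two portability requests per 12-month period. The record layout, function names, the use of 365 days for “12 months” and the reading of “between 13 and 16” as ages 13 to 15 are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

RESPONSE_DAYS = 45        # deadline for access/portability/deletion requests
EXTENSION_DAYS = 45       # one extension allowed; the consumer must be notified
REASK_DAYS = 365          # may ask an opted-out consumer again only after 12 months (assumed as 365 days)
PORTABILITY_LIMIT = 2     # portability requests allowed per rolling 12-month period


@dataclass
class ConsumerRecord:
    """Constructed per-consumer preference state (hypothetical schema, not iubenda's)."""
    age: Optional[int] = None        # None = no actual knowledge of the consumer's age
    opted_out_on: Optional[date] = None
    opted_back_in: bool = False      # express re-authorisation given after an opt-out
    minor_opt_in: bool = False       # consumer aged 13-15 opted in themselves
    guardian_opt_in: bool = False    # parent/guardian opted in for a child under 13


def sale_permitted(rec: ConsumerRecord) -> bool:
    """Combine the opt-out rule with the minors' opt-in rule; an opt-out always wins."""
    if rec.opted_out_on is not None and not rec.opted_back_in:
        return False
    if rec.age is None or rec.age >= 16:
        return True                  # adults, or no actual knowledge of minority: opt-out regime only
    if rec.age < 13:
        return rec.guardian_opt_in   # under 13: a parent or guardian must have opted in
    return rec.minor_opt_in          # 13 to 15: the minor must have opted in


def may_ask_to_opt_back_in(rec: ConsumerRecord, today: date, previous_asks: int) -> bool:
    """A business may ask only once more, and only 12 months after the opt-out."""
    if rec.opted_out_on is None or rec.opted_back_in or previous_asks >= 1:
        return False
    return today >= rec.opted_out_on + timedelta(days=REASK_DAYS)


def response_deadline(received: date, extend: bool = False, notice_given: bool = False) -> date:
    """45 days from receipt; a further 45 days only once, and only if the consumer was notified."""
    deadline = received + timedelta(days=RESPONSE_DAYS)
    if extend:
        if not notice_given:
            raise ValueError("an extension requires notice to the consumer")
        deadline += timedelta(days=EXTENSION_DAYS)
    return deadline


def portability_request_allowed(previous_requests: List[date], today: date) -> bool:
    """At most two portability requests in any rolling 12-month window."""
    window_start = today - timedelta(days=365)
    recent = [d for d in previous_requests if d > window_start]
    return len(recent) < PORTABILITY_LIMIT
```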
Step 3: Do Not Discriminate Against Consumers Exercising Their Rights
The service, quality, levels and/or prices you charge or offer to consumers must not be influenced by or dependent on whether or not they’ve chosen to exercise their rights. The only exceptions to this rule are cases where the value of the service or good offered relies upon the data collected about the consumer (as explained earlier in the post).
You may also offer financial incentives (including payments) to consumers in exchange for accessing their personal information, but these incentives must be fair, reasonable, non-coercive and not extortionate. Consumers must first be notified of such incentives via the homepage of your website.
Step 4: Periodically Review Your Processes
Not only do laws evolve with time, but so do your own business purposes. For this reason, it’s vital that from time to time you review your internal processes, partners, technical capabilities and legal documents, and keep them up to date with legal requirements.
A Pain-Free Solution
Compliance is a complicated issue that depends heavily on both legal understanding and correct technical implementation. We’ve tried to provide clear and unbiased information that you can use either to set up your own systems for meeting the requirements or to make informed decisions about which solutions might work for you. At iubenda we specialise in making compliance accessible and affordable by doing the heavy technical and legal lifting so that you can focus on growing your business. Our soon-to-be-released features for CCPA compliance make most, if not all, of the technical implementation of the CCPA a breeze, so if you’d like to be alerted when these features go live, please leave us your email using the form here.