By now you’ve probably already heard about the CCPA, California’s upcoming privacy law, which is being compared to the likes of the GDPR. Data law in general can be complex and bogged down in legal jargon, making it difficult to get a real picture of what’s practically required. In this post, we’ll dissect the main requirements and outline how you can meet them in a straightforward and actionable way.
The California Consumer Privacy Act (CCPA) is California’s newest privacy law, aimed at enhancing consumer privacy rights for residents of California, United States. The law is set to become effective on January 1st, 2020 and outlines new requirements for businesses processing personally identifiable information, giving additional rights to California-based consumers. The CCPA is therefore set to have a big impact on business processes and liability.
What is personally identifiable information? The law describes personally identifiable information as any information that identifies, describes or is capable of being associated with a particular consumer or household, with the exception of public government records. This includes things like IP addresses, emails, names, geolocations, biometrics, and health, education, commercial, electronic activity, employment or audio information, and much more. (See the full list here.)
In general, any for-profit business that has or could have Californian consumers* as a part of their user-base could be subject to the CCPA – whether the business is based in California or not.
However, in order for the CCPA to apply to a business, any ONE of the following conditions must also apply:
*Under the CCPA, a “consumer” is defined as a natural person who is a California resident, so B2B scenarios (in which the customer is a business rather than a person) don’t count.
IMPORTANT!
CalOPPA has not been repealed by the CCPA and still applies. Even if the CCPA does not apply to you, you may still be subject to other Californian laws like CalOPPA, or, if the CCPA does apply to you, you may be subject to both. You can read more about CalOPPA here.
While there are some rights that overlap, the GDPR has a broader scope. Here’s a handy infographic we prepared on the CCPA vs GDPR for a quick comparison.
For the full description of user’s rights and CCPA requirements, and how you can meet them, continue reading below.
Under the CCPA, consumers have a right to be informed about how their information is processed at or before the point of collection. This disclosure should include the categories of data processed, how/where it was sourced from and the purpose of the processing (more details on this in the compliance section below).
Under the CCPA, consumers have a right to access their personal information when verifiably requested*. You can find specific details in the compliance section below.
*“Verifiably requested” means a request made by the consumer themselves, on behalf of their minor child, or by a person authorized by the consumer to act on their behalf, which the business can reasonably verify as having been made by that person. Cal. Civ. Code § 1798.140(y)
Under the CCPA, the right to data portability is connected to the right to access, under Section 1798.100 (d). It generally means that consumers have the right to receive requested information in a reasonably portable format.
Where businesses fulfill Access requests “electronically”, it’s also required that the information be provided to the consumer in “a portable and . . . readily usable format that allows the consumer to transmit this information to another entity without hindrance”.
Exceptions and limits:
The CCPA grants consumers the right to request the deletion of any personal information that has been collected about them. If a verifiable request for deletion is received from a consumer, you must delete the consumer’s personal information from your records and instruct any related service providers to delete the consumer’s personal information from their records.
Exceptions and limits:
Businesses are not required to comply with the request of deletion if the information is needed:
Under the CCPA, a consumer has the right, at any time, to tell a business which sells their personal information to third parties that it must stop selling that personal information. Under the CCPA, “selling” simply means sharing the data with third parties for “any benefit (monetary or not)” that you otherwise would not be legally entitled to. Selling within the context of the CCPA can therefore include things like using analytics or retargeting for ads.
Businesses are prohibited from selling the personal information of consumers if the business has actual knowledge that the consumer is under the age of 16. In such cases, businesses may only sell the information if:
Under the CCPA, businesses are prohibited from discriminating against consumers for exercising their rights granted under the law. This includes:
Exceptions (somewhat)
Consumers are given the right to sue businesses that violate the law. The associated fines will be between $100 and $750, or any higher amount related to actual damages (where larger damages can be proven). The state can bring charges of up to $2,500 per violation for businesses that unintentionally violate the CCPA, and fines of up to $7,500 per violation, for businesses that commit intentional violations.
While these fines might not seem like a lot when compared to other privacy laws, do consider that these fines apply per individual violation and per consumer. For a business with even just a few customers, these fines can add up to a hefty sum.
At this point, you’re probably wondering how you can best meet the somewhat complicated technical requirements of the CCPA. The good news is that with the right mindset and tools, complying with the CCPA is more straightforward than you might think. Let’s dive in.
A critical exercise in compliance with laws like the CCPA (and others like the GDPR) is honestly reviewing and assessing your processes and systems. Here are some questions to help you with this:
Based on your answers in the step above, identify and include the appropriate statements on your website where necessary.
Consumers have the right to be informed of the following information.
Technical implementation of this means keeping internal records of the type of processing you do (including who your service providers are), so that you’re able to include the relevant details in your privacy policy and, if applicable, at the point of data collection (e.g. a contact form).
Here we’ll look at the specifics of what information or action is required and how you must fulfill these requests.
Consumers have the right to access the following:
Technical implementation of this means having a way to retrieve the information processed about a specific consumer. One approach is simply being aware of which processes typically apply to particular user groups or transactions. From there you can compare against your internal privacy, sales and/or database records to retrieve the relevant information.
As previously mentioned, the right of portability is bundled together with the right of access as it relates to the fulfillment of an Access request.
When an access request is received you must respond through either regular mail or in an electronic format (such as email, file download, etc.). If delivered electronically, the information must be delivered in a format that’s easy to use and that allows the information to be easily transmitted to another person or company without hindrance.
When deletion requests are received, you must delete the consumer’s personal information from your records and instruct any related service providers to delete the consumer’s personal information from their records. You must provide consumers with two or more methods for submitting requests, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a website address. You must also make reasonable efforts to verify that the person making the request is either the consumer about whom the information was collected, or authorized to request this information on behalf of the consumer as outlined above.
Access, portability and deletion rights must be honored, at no cost to the consumer, within 45 days of receiving a verifiable request. The fulfillment period can be extended (only once) by a further 45 days if necessary, provided that the consumer is given notice of this fact.
When someone exercises their opt-out rights (the right to say no to the sale of their data), you must comply upon receiving the request. This right must be facilitated by having a “Do Not Sell My Personal Information” (“DNSMPI”) link on your website (mandatory). The link must be easily accessible, clearly visible, and located both on your website’s homepage and within your privacy policy (with the appropriate disclosures). The link must take the user to a page where they can opt out of the sale of their personal information without first needing to create an account. You are allowed to host a separate homepage with the visible DNSMPI link and redirect California residents to it.
Technical implementation of this means having a way to transmit consumer privacy preferences to any third parties or ad networks that you might be using (more information in the final section below). In cases where the selling/sharing is manual (e.g. sharing your mailing list with another company for direct marketing purposes), you could consider having your DNSMPI link point to a short contact form through which users can send you their requests directly.
Once an opt-out request is received, you cannot sell/share the personal information of that consumer unless the consumer gives express authorization for the sale of their personal information by opting back in.
Businesses may only ask for a consumer’s authorization one more time, and only 12 months after the consumer has opted out.
*In cases where you are aware that the consumer is a minor under the age of 16, opt-in applies: you must not sell their information unless explicitly authorized to do so by a parent or guardian (for minors under 13), or by the minor consumer themselves where the minor is between the ages of 13 and 16.
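The deadline rule for access/portability/deletion requests and the sale/opt-out rules above, encoded as request-handling logic. This is an added example, not iubenda’s code or a product feature; `SalePrefs`, `may_sell` and `may_ask_to_opt_in` are hypothetical names, and “12 months” is modelled as 365 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RESPONSE_DAYS = 45      # statutory window for access/portability/deletion requests
EXTENSION_DAYS = 45     # one optional extension, only with notice to the consumer
REASK_AFTER_DAYS = 365  # assumption: "12 months" modelled as 365 days


def response_deadline(received: date, extended: bool = False,
                      extension_notice_sent: bool = False) -> date:
    """Date by which a verifiable request must be fulfilled at no cost.

    The 45-day window may be extended once by a further 45 days, but only
    if the consumer has been notified of the extension.
    """
    if extended and not extension_notice_sent:
        raise ValueError("extension requires notice to the consumer")
    days = RESPONSE_DAYS + (EXTENSION_DAYS if extended else 0)
    return received + timedelta(days=days)


@dataclass
class SalePrefs:
    """Hypothetical per-consumer record of the state relevant to 'sale'."""
    age: Optional[int] = None          # None = age unknown to the business
    opted_out_on: Optional[date] = None
    opted_in_on: Optional[date] = None
    parental_consent: bool = False     # for known minors under 13
    reask_count: int = 0               # opt-in requests made after an opt-out


def may_sell(p: SalePrefs) -> bool:
    """True only if sharing this consumer's data with third parties is allowed."""
    if p.age is not None and p.age < 16:
        # Known minors are opt-in: parent/guardian under 13, the minor at 13-15.
        return p.parental_consent if p.age < 13 else p.opted_in_on is not None
    if p.opted_out_on is None:
        return True                    # no opt-out on file
    # After an opt-out, only an explicit later opt-in re-authorises selling.
    return p.opted_in_on is not None and p.opted_in_on > p.opted_out_on


def may_ask_to_opt_in(p: SalePrefs, today: date) -> bool:
    """A business may re-ask once, and only 12 months after the opt-out."""
    if p.opted_out_on is None or p.reask_count >= 1:
        return False
    return today >= p.opted_out_on + timedelta(days=REASK_AFTER_DAYS)
```

Wire `may_sell` in front of every data export to an ad network or analytics provider, and have the DNSMPI page set `opted_out_on` so the check fails from that moment on.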
The service, quality, levels and/or prices you charge or offer to consumers must not be influenced by or dependent on whether or not they’ve chosen to exercise their rights. The only exceptions to this rule are cases where the value of the service or good offered relies upon the data collected about the consumer (as explained previously in the post).
You may also offer financial incentives (including payments) to consumers in exchange for accessing their personal information, but these incentives must be fair, reasonable, non-coercive and not extortionate. Consumers must first be notified of such incentives via the homepage of your website.
Not only do laws evolve with time, but so do your own business purposes. For this reason, it’s vital that from time to time you review your internal processes, partners, technical capabilities, and legal documents, and keep them up to date with legal requirements.
Compliance is a complicated issue that depends heavily on both legal understanding and correct technical implementation. We’ve tried to provide clear and unbiased information that you can use both to set up your own systems for meeting the requirements and to make informed decisions about which solutions might work for you. At iubenda we specialise in making compliance accessible and affordable by doing the heavy technical and legal lifting so that you can focus on growing your business. Our soon-to-be-released features for CCPA compliance make most, if not all, of the technical implementation of the CCPA a breeze, so if you’d like to be alerted when these features go live, please leave us your email using the form here.