The California Consumer Privacy Act (CCPA) is a data privacy law that regulates the collection, management, processing, and sale of the personal information of California residents. It went into effect on January 1, 2020, and applies to businesses all over the world that deal with the personal information of California residents.
The CCPA law applies to businesses that conduct business in California and meet one of the following criteria:
- Sales of consumer data account for 50% (or more) of annual revenue, regardless of total revenue.
- Your business has total revenues of over $25 million, even if the sale, receipt, or purchasing of personal information is only a small percentage of your business's total revenues or business activities.
- Your organization sells, rents, receives or purchases consumer information on 50,000 (or more) individuals within a given calendar year (365 days).
Organizations that meet the above-mentioned criteria are required to comply with the CCPA. Not complying with the law could lead to financial penalties. Read the CCPA compliance checklist to be CCPA compliant.
CCPA Compliance Checklist
The CCPA privacy law regulates any business that collects personal information (PI) from California consumers, including businesses based outside of the United States. This means that even if your business is based in Europe or anywhere else in the world, and you collect PI from California consumers, you must comply with the CCPA. Go through the CCPA compliance checklist and make sure you fulfill these CCPA compliance criteria.
1. Inform consumers
- Inform consumers that you collect their personal information.
- Inform consumers why you collect this information.
- Inform consumers what you are planning to do with their personal information.
- Inform consumers how they can refuse you access to their personal information.
- Inform consumers that you won't discriminate against them if they do not grant you the right to use their personal data for marketing purposes.
2. Maintain a data inventory
Start by creating an inventory of what personal information you have collected from consumers. Examine the last year of your business's data activities, and especially how you use the data you collect. Conduct an inventory of consumer data held by your organization, and of the data you share with third parties and vendors. This also means taking stock of so-called "offline" data, which might include personal details collected in person.
Assign a person or team to be responsible for data privacy and train your employees. The responsible person should focus on the CCPA and other compliance standards and on protecting consumers' personal information.
Companies must identify:
- which data is sold;
- what categories of personal information are transferred to third parties;
- whether any categories of personal information are covered by HIPAA, the FCRA, or another law that would exempt the data from the CCPA's scope;
- when the data was collected; records of consumers' personal data have to be kept for 12 months.
The inventory database has to be kept up to date and must be able to track all consumer rights requests.
3. Implement protocols to ensure consumer rights
California's consumers have these main rights under the CCPA:
- Right to notice. Consumers have the right to be informed what personal data is being collected about them and the purposes for which the information is being used.
- Right to know. Consumers have the right to know the third parties with whom the business shares the information and whether their personal data is sold or disclosed.
- Right to disclosure. Consumers have the right to access their personal data upon request.
- Right to opt-out. Consumers have the right to agree to or refuse the collection, management, or sale of their personal data.
- Right to deletion. Consumers have the right to ask for the deletion of their personal data.
- Right to equal services and prices. Consumers must not be discriminated against for exercising their privacy rights.
Respond to consumer requests. If a California resident requests a detailed account of what information was collected about them over the last 12 months, or requests the deletion of their personal data, provide the information or delete the data accordingly.
4. Create a Do Not Sell My PI button
Create a Do Not Sell My Personal Information button on a cookie banner or on a separate web page if you sell personal information.
5. Take necessary remediation actions
Implement a system that allows specific data to be immediately and securely purged in response to requests from individual consumers.
Remediation does not always mean the deletion of personal data. The adequate action depends on the type of sensitive data your organization is processing. In response to consumer requests, you could delete the data, reorganize it, or migrate it to other locations, whichever best fits the consumer's needs while adhering to the compliance regulations.
6. Give consumers the right to access their PI
Provide consumers with several ways to request their personal information, for example by phone or via a web page.
Provide all the requested personal information within 45 days. If PI was sold to third parties, inform the consumer about the sold information, the purpose of its collection, and the categories of third parties the data was sold to.
Give consumers the right to request the deletion of their personal information.
7. Obtain consent from minors
Minors under the age of 16 need to give explicit consent to the processing of their personal data, since minors do not automatically consent under the CCPA. Develop a process to obtain direct consent from minors aged 13 to 16, and a process to obtain parental consent for minors under 13.
8. Update security issues
The CCPA requires businesses to protect personal data with "reasonable" security. This means that personal data should be kept reasonably confidential and should not be made available to unrelated parties.
9. Update third-party processor contracts
If a business uses other companies to process the personal data it collects, it needs to update those third-party contracts to cover the handling of consumers' personal data.
10. Perform training
The CCPA requires that employees handling consumer personal data and related inquiries be informed of all CCPA requirements.
Companies must comply with CCPA regulations. Failure to comply with the CCPA could lead to fines, lawsuits, and reputational damage. Read more about the CCPA.
Frequently Asked Questions
What is CCPA compliance?
How to comply with the CCPA?
Who must comply with the CCPA?
The CCPA law applies to any for-profit business that conducts business in California and meets one of the following criteria: sales of consumer data account for 50% (or more) of annual revenue; it has total revenues of over $25 million; or it sells, rents, receives, or purchases consumer information on 50,000 (or more) individuals within a given calendar year. CookieScript can help you to comply with the CCPA.
What are the penalties for not complying with the CCPA?
The CCPA is enforced by the California attorney general's office, which can seek civil penalties of $2,500 for each violation. If a violation notice was issued but the company did not take any action to cure the privacy issues, this can lead to civil penalties of $7,500 for each intentional violation.