If your organization has a presence in California or does business with California residents, then it most likely needs to comply with the California Consumer Privacy Act (CCPA).
Enacted in 2020, the CCPA is a landmark privacy law in the United States with a long reach and tough regulatory obligations. Here’s what your IT, security, and marketing teams need to know to achieve – and maintain – CCPA compliance.
What Is the CCPA?
The California Consumer Privacy Act, commonly abbreviated as the CCPA, defines privacy rights for California residents. In essence, it offers people the right to know when and how their personal information is gathered and sold, plus the right to refuse such collection and processing. The CCPA also gives people the right to receive the same service from a business at the same cost even if a person decides to exercise his or her privacy rights.
CCPA Compliance Checklist: Where to Begin
The CCPA imposes several duties on company owners. Among them:
- Publish a privacy policy that meets CCPA guidelines and is reviewed and revised at least annually.
- Inform customers about what happens to their personal information when it is shared with the company.
- Keep a data inventory so you can trace the history of your data processing.
- Inform a customer that a firm is requesting their consent to gather their data before or at the time of collection.
- Give customers access to the personal information that is stored about them.
- Describe how customers can ask a company to erase their personal information (in other words, the right to be forgotten).
- Ensure that customers are aware of their CCPA rights. If you sell personal information, provide a page where consumers can request that you not sell theirs.
That may seem like a considerable compliance burden, but don’t be daunted. The CCPA seeks a compromise between privacy concerns and business expansion.
How Do I Know if I’m CCPA Compliant?
The CCPA applies to for-profit organizations. This implies that the CCPA doesn’t apply if you manage a charity or another non-profit – but the answer is not quite that simple. Hence an understanding of CCPA requirements is crucial.
If you are the owner of a for-profit firm, you must abide by the CCPA if your enterprise:
- Receives, handles, or transmits the information of more than 50,000 California residents annually;
- Has annual gross receipts greater than $25 million; or
- Earns at least half of its yearly income by selling Californians’ data.
You need to meet the first criterion and either the second or the third for the CCPA to cover your business. That is, you must abide by the law even if your annual income is only $10 million, but 55,000 of your customers or website visitors are California residents.
What CCPA Compliance Entails
To achieve CCPA compliance, you should keep consumer privacy at the heart of your data-handling processes and procedures. To help, we’ve summarized relevant sections for you to use as guideposts on your CCPA compliance journey.
Section 1798.100: Consumer rights to data disclosure and access
- Do you tell California residents (“consumers”) immediately, while the transaction is happening, that your business is collecting their information, and for what business purposes you are collecting it? Are these privacy notices concise and easy to understand?
- Do you comply, free of charge, with consumer requests regarding the collection of their data? Do you first verify the identity of the person making the request?
Section 1798.105: Consumers’ right to have their information deleted
- Do you promptly delete California consumers’ information from your data inventory after receiving verified requests? You can refrain if the data falls under one of these categories:
  - It’s needed for legal purposes (including a law enforcement investigation).
  - Your business (or a business partner) needs it to perform its work.
  - It’s already publicly available elsewhere.
  - You need it to complete a transaction for the consumer or to fulfill a contract.
  - You’re using the information to identify and repair system errors.
  - It’s needed as part of scientific, historical, or statistical research in the public interest.
Section 1798.110: Consumers’ right to access their data
- Can your business provide 12 months’ worth of a consumer’s data upon receiving the consumer’s verified request for it?
- Can you give the categories of third parties, such as service providers, with whom you have shared that data?
Section 1798.115: Consumers’ rights regarding the sale of personal information
- Do you inform your customers about which of their data you are selling?
- Do you tell them the categories of third parties to whom your business has sold their data over the previous 12 months?
Section 1798.120: Consumer rights to opt out (“Do Not Sell My Data”)
- Do you verify the age of every consumer from whom you collect data?
- Do you provide a “Do Not Sell My Data” button or link in a prominent place on your business website?
- Do you provide an “opt-in” feature for minors under 16?
- Do you inform children under 13 that their parents must consent for you to sell their data and provide a way for their parents to do so?
Section 1798.125: Non-discrimination
- Do you refrain from discriminating against consumers who make requests regarding their data by, for example, charging them a different price for products or services?
- You may offer customers financial incentives in exchange for their permission to collect and sell their information.
Section 1798.130: Business obligations to consumers: Data access
- Does your business provide at least two ways for consumers to request access to or deletion of their data? These may include:
  - A toll-free phone number;
  - An email address;
  - A website address (with a way to contact you).
- Do you verify and respond to access requests within 45 days?
- Do you provide logs showing how you have handled their data dating back 12 months?
- Do you include in your response the categories of entities you have shared or to which you have sold their data?
- Do you allow each consumer to request access to their data two times per 12-month period?
- Do you display a privacy policy spelling out your obligations to California consumers and their rights on your website’s homepage?
- Do you update this privacy policy every year?
Section 1798.135: Business obligations to consumers: Data sales
- Does your business train employees in handling consumer requests under the CCPA?
- Do you wait 12 months after a consumer’s opt-out request before asking them again for permission to sell their data?
- Do you allow consumers to opt out of having their data collected or sold, for example by letting them create “guest” accounts when making purchases?
Section 1798.145: Data aggregation and de-identification
- If you aggregate consumer information by category, do you remove the identifying components of that data so it can’t be associated with a particular consumer or household?
- Does your business de-identify stored information using “pseudonymization,” which replaces identifying fields with artificial values or pseudonyms?
Section 1798.150: Data security and breach management
- Does your business encrypt the data it collects from consumers?
- How do you secure the information you collect?
- Do you monitor your systems continuously to detect breach attempts and incidents?
- Do you notify data owners promptly in the event of a breach?
What Does CCPA Enforcement Entail?
The California state attorney general could impose penalties for noncompliance with the CCPA even if you aren’t breached. Meanwhile, if a data breach at your enterprise does affect California consumers, those consumers can sue you for statutory damages. This so-called “private right of action” is only one way you might pay for noncompliance.
To avoid costly lawsuits and fines, compliance is your best defense. But given the law’s complexity, even the best-intentioned enterprises could fall short of the mark.
What is a CCPA Violation?
The CCPA’s civil fines are one way that organizations can be held accountable for CCPA noncompliance.
According to the CCPA, only the California Office of the Attorney General can file civil lawsuits to uphold the law. The following, however, are a few instances of infractions that can subject corporations to civil penalties:
- Failing to have a privacy policy that complies with the CCPA;
- Refusing to address consumer requests made under CCPA rights;
- Selling customer data without an explicit opt-out mechanism;
- Discriminating against or otherwise mistreating consumers who exercise their CCPA rights.
That said, the CCPA also gives consumers the power to sue a company in court and bring civil lawsuits against it for breaking the law. It is crucial to remember that under the CCPA, consumers only have that private right of action when their personal information is breached, not for any other legal infraction.
What are steps I can take to ensure my website is CCPA-compliant?
Verifying that a website is entirely CCPA compliant can be difficult, so we have created a quick and simple checklist to help you, as a website operator, stay up to date on the most recent CCPA rules.
Start with your data privacy policy. Does it have all the necessary details? For example, the CCPA mandates that website operators disclose the kinds of user data they gather, including:
- What types of information you collect and use;
- Why you collect and use this data;
- How you collect and use the data;
- The ways a consumer can request that their data be accessed, changed, moved, or deleted;
- The procedure for determining the identity of the requester;
- A description of personal data sales and how consumers may prevent their data from being sold.
Right to Information
If you intend to use the information on a consumer whose privacy is protected by the CCPA, you must disclose your plans to the consumer before data collection. You can use a pop-up or banner when a person visits your website.
Assemble and keep “Consent to the CCPA” forms so that you can collect consent for the personal data of minors before that data is sold. Obtain direct permission from visitors who are 13 to 16 years old; for younger visitors, a parent or legal guardian must give approval.
Include a link to a page that reads “Do not sell my personal information” for all website visitors. This link must be prominently displayed on the homepage of your website, for example via a consent management platform (CMP). Once a user clicks this link, you may no longer sell that user’s data.
Make clear how users can reach you.
Your California users have a right under the CCPA to view the personal information you have on them and to ask for changes to be made, have it moved, or have it deleted. So it would be wise to create a way for people to make these requests.
Let ZenGRC Help You Maintain CCPA Compliance
Guides and checklists can only go so far if you’re still using old-fashioned spreadsheets to track your compliance efforts. Ask yourself: Do you want to work that hard? The ZenGRC compliance and audit management solution leaves compliance-by-spreadsheet behind. ZenGRC automates much of the work of compliance by:
- Probing your systems and finding the gaps;
- Telling you what you need to do to fill those gaps;
- Tracking your vendors’ and service providers’ compliance;
- Displaying all its findings on user-friendly dashboards;
- Allowing easy, unlimited self-audits;
- Storing and categorizing the documentation you’ll need in a “single source of truth” repository at audit time.
With ZenGRC, you’ll confidently approach CCPA compliance, knowing it’s taken care of. Then, you’ll be free to focus on other more pressing matters, such as satisfying your customers and boosting your bottom line.
Schedule a demo for more information.