The California Consumer Privacy Act (CCPA) took effect in early 2020. It imposes several important requirements on large businesses and those which handle or sell a lot of personal data, including many businesses from outside the state of California. It was amended and expanded via the California Privacy Rights Act (CPRA), with the amendments taking effect on Jan 1, 2023.
Here's what you need to know and do when it comes to getting compliant with the CCPA (CPRA).
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- 1. Does the CCPA (CPRA) Apply to Me?
- 2. When Does the CCPA (CPRA) Take Effect?
- 3. Consumer Rights Under the CCPA (CPRA)
- 4. Penalties For Violating the CCPA (CPRA)
- 5. What You Must Do to Comply With the CCPA (CPRA)
- 5.1. Create an Opt-Out Page
- 5.2. Promote the Opt-Out Page
- 5.3. Organize Your Data
- 5.4. Give Notification & Update Privacy Policies
- 5.5. Deal with Requests
- 5.6. Assure You are Not Discriminating
- 5.7. Deal with Complaints
- 6. Summary
- 6.1. Need to know:
- 6.2. Need to do:
Does the CCPA (CPRA) Apply to Me?
Despite the name, you don't have to be either legally or physically based in California to be affected by the CCPA (CPRA). Instead it applies to businesses that serve residents of California (including through online businesses) and meet one of three criteria:
- The business has annual revenues of at least $25 million. (It doesn't matter how much of this comes from California.)
- The business processes personal data covering more than 100,000 consumers, households or devices. (Again, this isn't limited to people in California.)
- The business gets more than half its annual revenues from sharing or selling personal data.
There are key exemptions for financial companies, credit reporting agencies, and healthcare providers and insurers. In each case the exemptions apply if the company is already covered by a relevant federal data security law.
When Does the CCPA (CPRA) Take Effect?
The CCPA (CPRA) took legal effect on the 1st of January 2020. The CPRA amendments took effect on January 1, 2023.
Consumer Rights Under the CCPA (CPRA)
The CCPA (CPRA) grants a number of rights to Californian consumers. You should always bear these in mind when taking steps to comply with CCPA (CPRA). The way the law is written means it is highly likely regulators and courts will use these rights as guiding principles when ruling on any dispute or ambiguity about the precise measures CCPA (CPRA) requires.
The consumer rights are:
- To know what personal information an organization collects about them
- To know whether their personal information is disclosed or sold and, if so, to whom
- To refuse to allow their personal information to be sold
- To access the personal information a company has collected about them
- To be able to exercise these rights without losing access to services or being charged a higher price
- To correct the personal information a company has collected about them
- To limit the use of sensitive personal information
- To opt out of automated decision-making
- To opt out of the processing, sharing and selling of information
- To request that businesses delete personal information and also request that third-party vendors, service providers, or contractors delete the information that was sold or shared to them by the business
Penalties For Violating the CCPA (CPRA)
If you fail to meet the requirements of the CCPA (CPRA), the Attorney General can give you 30 days to rectify the violation. If you fail to do so, you face a fine of up to $7,500 per violation.
If you don't adequately secure personal data and then suffer a breach, each person whose data is breached can take civil action against you. If their case is proven, the court can make you pay damages with a minimum of $100 per consumer and a maximum of $750 per consumer, or the actual financial damages, whichever is greater. Note that the $100 to $750 figures still apply even if the customers can't prove they suffered any financial damages.
What You Must Do to Comply With the CCPA (CPRA)
To make sure you comply with CCPA (CPRA), both now and in the future, you'll need to complete the following steps.
Create an Opt-Out Page
The CCPA (CPRA) explicitly states that you must create a web page that lets users opt out of you selling their personal information. You can't force a user to create an account in order to use this opt-out page.
The page could have an online form for opting out but could also list contact details for where to send an opt-out request. You might also be required to provide a toll-free number for consumers to opt out by phone.
This example from Datalove explains the procedures for, and consequences of, opting out of data sharing:
Users are informed that by completing the form and confirming via email confirmation, the company and any of its marketing partners won't be able to use the data and that it will be purged from the system.
Your opt-out page doesn't have to be so all-or-nothing. Instead of limiting any information being used at all, you can make it so that you just agree to not sell the information but can still use it yourself for legitimate, necessary purposes.
Promote the Opt-Out Page
You must include a link to the opt-out page from your site's home page. This link must have the title "Do Not Sell My Personal Information."
This example from Really Simple Plugins shows a compliant home page link:
Organize Your Data
The CCPA (CPRA) gives users the right to know what data you have collected about them, disclosed or sold in the past 12 months, which may include a period before the CCPA (CPRA) takes effect. You should audit and review your data collection and organization to make certain that you can easily gather together the data you have about any individual.
As part of this review, it may be worth deleting any data which is no longer necessary for your operations or may no longer be accurate.
The CCPA (CPRA) lists 12 categories of personal information. You will need to organize your data so that you can quickly identify which data (if any) falls into each category. The categories are defined as follows in section 1798.140:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers
(B) Any categories of personal information described in subdivision (e) of Section 1798.80 (This is part of California law from before the CCPA and covers "any information that identifies, relates to, describes, or is capable of being associated with, a particular individual." It doesn't cover information that's available in public records.)
(C) Characteristics of protected classifications under California or federal law
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
(E) Biometric information
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement
(G) Geolocation data
(H) Audio, electronic, visual, thermal, olfactory, or similar information
(I) Professional or employment-related information
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
The CPRA amendment added the category of "sensitive personal information" to this list.
Give Notification & Update Privacy Policies
You will need to inform users of the personal information you collect about them, either before or at the point of collection.
You must inform them of two things:
- Which of the 12 categories the information you are collecting falls into, and
- What purpose/s you will use the information for
The CCPA (CPRA) also says you must publish a specific list of information on your website. This must be located:
- In the section of your website covering California privacy rights if you have one
- Somewhere else on your site if neither of the first two apply
This list of information must include:
- Details of consumer rights under the CCPA (CPRA)
- Contact details or methods for exercising those rights
- Which, if any, of the 12 categories apply to personal information you've collected about any consumers in the past 12 months
- Which, if any, of the 12 categories apply to personal information you've sold in the past 12 months
- Which, if any, of the 12 categories apply to personal information you've disclosed in the past 12 months
You must update this information at least once every 12 months.
This example from Techbuyer shows an efficient way to display the details of the 12 categories and how they apply:
This example from NVA informs consumers of some of their rights under the CCPA:
Deal with Requests
Make sure you have procedures in place to promptly deal with consumer requests for the data you have collected about them and/or sold or disclosed for business purposes. This may involve designating a specific staff member to take responsibility for responding.
When you respond to such a request you must answer five questions:
- What categories of information have you collected, sold or disclosed?
- What was the source or sources of the information?
- Why did you collect, sell or disclose the information?
- Who, if anyone, have you shared the information with?
- What specific information have you collected about the consumer?
Remember that you may need to verify an individual's identity before responding to a data request. Any information you collect to carry out this verification must only be used for this verification, so it's best not to retain it.
Your response must cover all data in the 12 months before you received the request. Your response must be in writing (including electronically) and usually be sent within 45 days of the request. You can extend this to 90 days if necessary but you must inform the consumer you are doing so before the initial 45-day deadline expires.
This example from JAMS covers both how to make a request and how the business will respond:
Assure You are Not Discriminating
Review your procedures to make sure you do not discriminate against consumers who exercise their CCPA (CPRA) rights. For example, check that you do not restrict access to services to people who've opted out of their data being sold.
Note that the CCPA (CPRA) does have an exemption that lets you charge different prices or offer different services based on what personal data a customer provides, but the differences must directly reflect the value of this data. The interpretation of this exemption has yet to be tested in practice, so you should seek expert legal advice before relying on it.
Deal with Complaints
Make sure you have procedures in place to deal with any complaints of alleged violations of the CCPA (CPRA), particularly from the Attorney General. You will normally only have 30 days to rectify any violation before you could face legal action with significant financial penalties.
Your procedures must allow you to quickly but accurately confirm whether the alleged violation is accurate and, if so, how you can make things right.
Let's recap what you need to understand and do to comply with CCPA (CPRA):
Need to know:
- The CCPA (CPRA) applies to large companies, those which handle a lot of personal data, and those which make most of their money selling personal data
- It doesn't matter whether the company is legally or physically based in California, just whether it serves customers in the state (including online)
- The law took effect on 1 January 2020. The CPRA amendments took effect on 1 January 2023.
- The CCPA (CPRA) is based on upholding consumer rights regarding personal information
- Violations could lead to court action brought by the Attorney General or individuals, with potentially expensive penalties
Need to do:
- Create a web page where users can opt out of their personal information being sold
- Organize your data so that you know which of 12 CCPA-defined categories it falls into and to which individuals it relates
- Make sure you notify individuals about what personal information you are collecting and how you'll use it
- Establish procedures for responding to data access requests, usually within 45 days
- Check you aren't breaching the CCPA (CPRA) by discriminating against consumers who exercise their privacy rights
- Establish procedures for dealing with any complaints about alleged violations