If your company is already compliant with the EU's General Data Protection Regulation (GDPR) you should have less work to do, since some of the CCPA/CPRA's rules mirror those found in the GDPR.
However, there are still several important updates you will need to make.
- 1. What is the CCPA (CPRA)?
- 1.1. Who Does the CCPA (CPRA) Apply to?
- 2.1. A Conspicuous Link
- 2.2. 12 Month Updates
- 2.3. "Do Not Sell My Personal Information"
- 2.4. Categories of Information Collected
- 2.4.1. Sources of Information Collection
- 2.4.2. Why You Collect Personal Information
- 2.4.3. Categories of Personal Information Disclosed for Business Purposes
- 2.5. Categories of Personal Information Sold
- 2.6. Children's Opt-In
- 2.7. Consumer Rights
- 2.7.1. Access to Personal Data
- 2.7.2. Deletion of Personal Data
- 2.7.3. Protection from Discrimination
- 3. Summary
What is the CCPA (CPRA)?
The CCPA (CPRA) creates strict privacy rules for businesses to comply with.
The Act gives consumers additional rights, for example, it enables consumers to demand companies disclose what personal information they have collected. The CCPA (CPRA) also enables consumers to request companies delete their data and to stop companies from sharing their data with third parties.
Overall, the Act forces businesses to be more transparent with regard to how they collect, use and share consumers' personal data.
Finally, the CCPA (CPRA) allows consumers to sue businesses that fail to comply with the privacy rules.
Who Does the CCPA (CPRA) Apply to?
Notably, companies do not need to have any physical presence in California for this law to apply.
The CCPA (CPRA) applies to any business that:
- Has an annual gross revenue of $25 million or more,
- Collects or receives the personal data of 100,000 people or more, or
- Makes more than half of its gross annual revenue from selling or sharing personal data
Let's break down each of these requirements.
A Conspicuous Link
Many companies choose to place a link in the website's footer since this is often where consumers check for legal policies.
12 Month Updates
In addition, the policy needs to clearly display the date it was last updated. You may also wish to include a short summary of information advising what was changed in the most recent update.
"Do Not Sell My Personal Information"
The CCPA (CPRA) requires companies that sell personal data to display a 'clear and conspicuous' link titled "Do Not Sell My Personal Information."
Companies that do not sell personal information are exempt from this requirement, so if your business does not sell personal data you are not required to include this link. Note that the Act defines the sale of personal data as a company sharing data with a third party "for monetary or other valuable consideration."
For the sake of clarity, some companies choose to include the link even though they do not sell personal information.
Deluxe has written a Privacy Notice for residents of California that includes a clause for how a user can opt out of the sale of personal information:
The notice also includes a link to an opt out request form:
Semasio includes a link to the company's 'Opt-Out - Do Not Sell My Information' page in the website's footer:
The footer link takes the user to a page where they are able to click a button enabling them to opt out of the collection, use or sale of their information:
Wilmington Endocrinology has gone as far as to include a 'Do Not Sell My Personal Information' link in its cookie consent notice, which pops up as soon as a user arrives on the website for the first time:
However, it doesn't include a link to this page or to the Privacy statement in the website footer. Including it in the footer rather than only in the cookie notice, which shows up just once, would be a better move here.
When users click on the link in the cookie notice, they're taken to a page where they are able to object to their personal data being sold by entering their name and email address:
It's better to link this page in a few locations than just once. Adding it to a cookie notice is nice, but it needs to be elsewhere on the website, and somewhere where a user would know to look.
Categories of Information Collected
The CCPA (CPRA) states that companies must disclose a list of all the categories of personal data that the business has collected in the previous 12 months from any source.
The CCPA (CPRA) has defined the categories of information that must be disclosed, and these include:
- Personal identifiers (e.g. IP address, telephone number, cookies, beacons)
- Information protected against security breaches (e.g. name, password, social security number)
- Categories of personal information listed in the California Customer Records statute
- Protected classification information (e.g. sexuality, ethnicity, sex)
- Commercial Information (e.g. records of services purchased)
- Internet activity (e.g. browsing history, search history)
- Audio, electronic, thermal and video data
- Professional or employment related information
- Education information
- Biometric data (e.g. fingerprints, voice recording, DNA)
- Inferences drawn from profiling
- Sensitive personal information
Pharmaceutical company NeilMed has included a table which states what each category of personal data is and whether or not the company has collected that category of data within the last 12 months:
Fico states that the company collects information drawn from inferences and provides a good explanation of what inferences are:
Blackthorn also states what types of information the company collects, as well as clarifying what categories of personal information the company does not collect:
Sources of Information Collection
NVA advises that the company obtains personal information from both direct and indirect sources:
Fico offers a detailed explanation of where the company obtains each category of information:
Be as detailed and specific as possible here, and don't leave anything out.
Why You Collect Personal Information
Vimeo includes a clause which explains how the company uses personal data, for example, for marketing and advertising:
Crescent Cove Advisors complies with the CCPA (CPRA) by including a clause that explains how the company uses the personal data it collects:
Categories of Personal Information Disclosed for Business Purposes
If you're wondering what actions are classed as "business purposes", the CCPA (CPRA) has clarified this in section 1798.140 (note that the screenshot is just an excerpt):
The section goes on to state that the following activities count as 'business purposes':
- Detecting security incidents
- Debugging to identify and repair errors
- Short-term uses
- Performing services
- Internal research for technological development and demonstration
- Testing or improving the quality or safety of a service
It's important to note that if your business has not disclosed any categories of data for business purposes in the last year, this must also be stated.
Additionally, you must state if you have shared information with a third party which is then disclosed for business purposes on your behalf.
NeilMed advises which third parties personal data is shared with and includes a list of categories of information that the company has disclosed for business purposes in the last 12 months. The clause also advises of the categories of data that have not been disclosed for business purposes in the preceding 12 months:
NVA states that the company has not disclosed any information for business purposes in the preceding 12 months:
As always, be as descriptive and informative as possible here for transparency and clarity purposes.
Categories of Personal Information Sold
If you do not sell any categories of information, this should be stated in your policy.
For example, NVA states that the company has not sold any categories of information in the preceding 12 months:
If this changes at any time, you need to update your policy with accurate information to reflect your current practices. Don't wait until the 12-month update mark, but rather update it in real time.
Children's Opt-In
The CCPA (CPRA) creates an opt-in requirement for children aged between 13 and 16 years old. Children in this age range must opt in to the sale of their personal data in order for the company to be able to sell the data.
Additionally, the CCPA (CPRA) requires companies to obtain the consent of a parent or guardian prior to selling a child's data if the child is below the age of 13.
This opt-in requirement is especially relevant to any business that markets towards children; however, it affects any business with "actual knowledge" of the child's age.
If your company does not sell the personal data of children under 16 this is also the ideal place to state this fact.
NVA includes a clause which clearly explains the opt-in rights of children aged 13-16, as well as the opt-in rights of children below 13:
Instructions are provided for how the child or an authorized representative can opt out of having their personal information sold.
Consumer Rights
Consumers have a number of rights including the right:
- To access their personal data
- To delete their personal data
- Not to be discriminated against for exercising their rights under the CCPA
Note that this list is not exhaustive.
Let's break down the individual clauses your policy will need to include to comply with these rights.
Access to Personal Data
Consumers have a right to access their personal data. It is not enough to simply advise users of their access rights; you must also inform them how to access their personal data.
In addition, make sure that you inform consumers that you will respond to their request within 45 days, as this is a requirement of the CCPA (CPRA).
Squared Up informs users of their right of access and briefly explains what the right entails:
NeilMed also informs users of their right to access certain information and confirms what the company is able to disclose:
The company also advises how to exercise consumer rights:
Deletion of Personal Data
Make sure that your policy advises users of their right to delete their personal information and explains how the user is able to make this request.
NVA advises consumers of their deletion rights and explains that the data will be deleted once the company has verified a request:
NeilMed explains the right to deletion granted under the CCPA (CPRA) and also advises of the exemptions to this right:
Cellebrite advises of the consumers' rights to access and deletion in one succinct clause. The company also explains how to exercise the rights and provides a link consumers can use for that purpose:
In some cases, you may be required to provide a toll-free phone number for your users to contact you through as part of their CCPA rights.
Protection from Discrimination
The CCPA (CPRA) states that consumers must not be discriminated against for exercising their rights.
For example, your policy should state that consumers will not be denied goods or services for exercising their consumer rights.
NVA also informs consumers about non-discrimination:
Summary
The CCPA (CPRA) requires companies to be transparent about data collection and sharing.
The Act gives consumers certain rights over their personal data, such as the right to access and delete data. Consumers are also able to opt out of their data being shared with third parties.
Additionally, companies are required to inform users of these rights and explain how to exercise them.
Finally, the Act states that consumers must not be discriminated against for exercising their rights and enables consumers to sue businesses who fail to comply with the Act.