The California Consumer Privacy Act (CCPA) requires affected businesses to take several actions, including publishing particular information in particular forms.
- Who's Covered by the CCPA
- The CCPA's Principles and Broad Requirements
- Categories of Personal Information Under the CCPA
- Notice at Collection
- Other Required Notifications Under the CCPA
- Combining Required Notifications Under the CCPA
- Upcoming Changes to CCPA Notifications
- Summary
Who's Covered by the CCPA
The CCPA has been fully enforced since 1 July 2020. It affects the way you handle personal data about California residents if you are a business and meet any of three criteria:
- Your annual revenue is more than $25 million
- The number of California consumers whose personal data you buy, share or sell within any one-year period exceeds 50,000. (This threshold also applies to the number of households or devices, though these situations are much rarer.)
- At least half of your annual revenue comes from selling personal data about California consumers
The CCPA's Principles and Broad Requirements
The CCPA upholds five consumer rights. It's important to know and understand these as they could affect any legal or regulatory dispute about your CCPA compliance and how to interpret the law:
- To know what data you collect about them
- To know if you sell or disclose their data
- To stop you selling the data
- To access the data you hold about them
- To exercise these rights without you discriminating against them on price or service
Unlike some data privacy laws, the CCPA doesn't require that you get consent before collecting data.
Instead, its main rules are about giving consumers clear information about the data you collect and how you use it. This makes the consumer rights meaningful and allows consumers to make informed decisions or exercise those rights.
Categories of Personal Information Under the CCPA
Naturally, the information you collect about each consumer (both the specific detail and the type of information) will vary immensely from case to case.
To make the notification requirements practical, the CCPA groups personal information into 11 categories, and you'll refer to these categories when making the mandatory privacy notifications.
The categories are defined in full in section 1798.140(o) of the CCPA's legislative text, but broadly they are as follows:
- Identifiers such as names, addresses and numbers, particularly government-issued numbers
- Personal information covered by subdivision (e) of Section 1798.80 of the California Code. In simple terms, this means anything that identifies an individual and isn't already public knowledge.
- Information about protected classifications. This means details of characteristics that you are not allowed to use for discrimination under California or federal law. Examples include age, marital status, race, religion and sexual orientation.
- Any commercial information such as past purchases
- Biometric information
- Information about online activity such as search and browsing history and whether the person viewed or clicked on a particular site, app or ad
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information. This is mainly about covering images, audio and video content that involves personal information.
- Professional and employment information.
- Educational information, specifically anything that's not publicly available but does directly or indirectly relate to or identify a student
- Inferences drawn from any information in the other categories to profile somebody. This could include trying to build up a picture of their preferences, personalities, beliefs or purchasing habits.
Notice at Collection
The first requirement for telling consumers about your data practices is a specific one. You must make this notification at or before the point of collection, so that the consumer sees it before you collect the data.
The notification must say which category or categories the data falls into. You must then give a category-by-category breakdown of:
- How you will use the data
- Why you will use the data
- Whether you intend to pass on the data to a third party (whether sold or shared)
- If you will pass on the data, who will receive it
This advance notification covers your intentions when you collect the data.
If you later want to do anything not covered in the notification, such as using it for a new purpose or sharing it with somebody, you do not need new consent, but you must notify the person the data relates to.
As we'll detail later, consumers can demand that you stop selling their personal data.
The logic behind this approach is that if the consumer knows you have used, sold or disclosed data from a particular category before, they can reasonably conclude you will do the same with the data you are about to collect.
Just remember that:
- The details of the data you are collecting now (including the category and your intended use) must match what you have listed for the past 12 months. If you're doing something new (including collecting data in a different category), you will need to cover this in a standalone advance notification.
Some businesses, particularly those serving national audiences, produce a standalone section or separate page detailing the privacy rights of consumers in California.
This is allowed under the CPRA, but you must make sure that:
- You conspicuously highlight it so California consumers know to read the section
- You are confident that California consumers can see all relevant information about their rights and your practices before you collect data
You must list the consumers' rights under the CCPA (which we covered earlier) and give at least one way a consumer can exercise these rights, for example a mailing address, email address or online form.
BusinessOL does this clearly:
You also need to list a category-by-category breakdown of whether you have collected, sold or disclosed (shared without payment) any personal information in the past 12 months. This covers all consumer data rather than that of a specific customer.
For each of the three activities (collect, sell, disclose) you need to list all the categories which the data falls into, or state that you have not collected/sold/disclosed any data.
Different businesses take different approaches to this requirement.
Some simply produce a list of relevant categories for each activity. Others find it easier to produce a single chart that shows each category and then whether the business has collected/sold/disclosed data in that category.
Which is best may depend on how much data you have used in this way and how many categories it involves.
Here's an example of how you can use separate charts for each type of use (collect/sell/disclose). It goes beyond the minimum compliance by listing in detail what each category covers:
Refinitiv opts for a list of the relevant categories:
Now let's take a look at what else the CCPA requires that you need to be aware of.
Other Required Notifications Under the CCPA
As noted, the CCPA gives people the right to stop you from selling their personal information. Once they do so, you must comply within 10 days and cannot resume sales until the person gives permission. You cannot ask for permission for at least one year.
You must provide a dedicated web page for this opt-out and link to it from your home page, and the link must use the text "Do Not Sell My Personal Information."
The Los Angeles Times does this in its home page footer:
Note that this opt-out principle doesn't apply where the person the data is about is under 16 (whether you know their age for sure, or you should have known). In these cases, you need advance consent to sell the data and simply notifying in advance isn't enough.
If the child is aged 13 to 16 you need their consent. If they are under 13, you need a parent or guardian's consent.
Combining Required Notifications Under the CCPA
You may feel it would be easier for you and consumers if you combined the various pieces of information the CCPA requires you to provide.
The first thing to understand on this point is that you cannot do this with the "Do Not Sell" page. The CCPA specifically says you need a dedicated page for exercising the opt-out.
Upcoming Changes to CCPA Notifications
A new law, the California Privacy Rights Act (CPRA), takes legal effect on 1 January 2023. Officials plan to begin enforcing the CPRA from 1 July 2023.
For all practical purposes, the CPRA will replace the CCPA. The main effects are to narrow the number of businesses covered by the law but keep in place all the existing requirements for covered businesses and add new ones.
The new scope will be that businesses are covered in any of three cases:
- Annual revenue above $25 million (Unchanged)
- At least 50% of annual revenue comes from selling personal data about Californian consumers (Unchanged)
- Buying, selling or sharing personal data about more than 100,000 California consumers or households in a 12-month period (Threshold doubled and devices no longer counted)
The main change the CPRA introduces for notifications is a new 12th category covering sensitive personal information. You need to include this whenever you list information about the existing 11 categories.
The sensitive data category covers any of the following that isn't already public knowledge:
- A combination of financial details that could get access to an account, for example card number and online password
- Biometric data that you process to identify someone
- Communications between the consumer and a third party (in other words, not your business)
- Ethnic or racial origin
- Genetic data
- Geolocation (but only where it is "precise")
- Health data
- Membership of a union
- Numbers issued by the government such as Social Security or driver license number
- Religious or philosophical detail
- Sexual orientation or data about sex life
Consumers have the right to limit the way you use data in this category. If they exercise this right, you must only use this information to provide the goods or services the consumer requested. You can't use it for marketing.
The CPRA says you must do one of two things to allow people to exercise this new right:
- Have a dedicated webpage and link to it from your homepage with the wording "Limit the Use of My Sensitive Personal Information"
- Combine it with the dedicated page for opting out of data sales. In this case you must still link from the homepage, but you can use any appropriate wording. (For example "Exercise my CPRA rights" would likely be suitable.)
Summary
Let's recap what you need to know about notifications under the CCPA:
- The CCPA applies if you handle data about California residents and meet criteria on revenue, the number of Californians whose data you collect, or the proportion of your revenue that comes from selling California consumers' data.
- The CCPA upholds five key rights: know about data collection; know about data disclosure; object to data sales; access held data; exercise these rights without discrimination.
- You don't need consent to collect data. You don't need consent to sell data, except with children.
- You do need to tell people about your data practices, using 11 categories of data to organize the details.
- When collecting data you must say which categories you are collecting. For each category, you must say how and why you are using it and whether you plan to disclose it (and who will get it).
- This breakdown could be a list or a table depending on the amount of detail involved.
- People have the right to opt out of your data sales. You must make this right available through a dedicated web page. Your home page must link to this using the words "Do Not Sell My Personal Information."
- Combining the documents is only appropriate where your plans for the data you are collecting now match the way you used it in the previous 12 months.
- A new law, the CPRA, takes effect in 2023. It adds a 12th category, sensitive information, to include in all the breakdowns of data use.
- The CPRA also requires a dedicated page to let users exercise a new right to limit your use of sensitive information solely to providing goods and services. Your home page must link to this with the words "Limit the Use of My Sensitive Personal Information." Alternatively you can combine this with the data sales opt-out page.