California Consumer Privacy Act (CCPA) Website Compliance
Enacted in 2018, the California Consumer Privacy Act (CCPA) was created to give California consumers additional rights over how their data is used by businesses. The act requires businesses that collect personal information from California consumers to give those consumers the ability to access, delete, and opt out of the sharing or sale of that data. Although there is still a lot of grey area to be sorted out on this subject, the regulations took effect on January 1, 2020. However, the law will not be enforced by the California attorney general until July 1, 2020, 6 months after the regulations were published.
CCPA Granted Rights for California Consumers
Under the CCPA, California consumers have the right to:
- Know what personal information is being collected. To the best of its ability, a business must be able to provide the personal information it has used, collected, shared, or sold about a consumer, both at the category level and as specific pieces of information;
- Delete that personal information. A consumer must be able to request that the personal information kept about them is deleted;
- Opt out of the sale of personal information. Consumers must be able to opt out of the sale of their personal information. Consumers between the ages of 13 and 16 must opt in before their information may be sold. Furthermore, for California consumers under the age of 13, a business must obtain guardian consent before it may sell their personal information;
- Non-discrimination for consumers who choose to exercise a right under the CCPA. A California consumer who has chosen to opt out must not be treated differently in terms of the price or service they receive from a business compared to a consumer who has not opted out. In other words, a business can’t charge someone more just because that consumer chose not to let the business sell their data.
Does the CCPA Apply to My Business?
The most important thing to understand first is whether or not your business can be held liable under the CCPA.
A business must meet at least one of the following requirements to be liable under the CCPA:
- It must exceed $25 million in gross annual revenue;
- It must receive, buy, or sell the personal information of over 50,000 households, consumers, or devices;
- It must derive 50 percent or more of its annual revenue from the sale of consumers’ personal information.
Additionally, if a business handles personal information of 4 million or more California consumers, they will have additional obligations under the regulations of the CCPA.
Potential Fines for Non-Compliance with the CCPA
As stated in Assembly Bill 874, an amendment to section 1798.140 of the Civil Code, “The act generally provides for its enforcement by the Attorney General, but also provides for a private right of action in certain circumstances.” In other words, it is not only the Attorney General of California who can take action against businesses that violate the code: under particular circumstances, citizens who find that their privacy rights have been violated may also be able to take action against a business.
Businesses that are not compliant with the CCPA regulations may have up to 45 days to come into compliance once a violation is brought to their attention, but failure to do so could result in fines of up to $7,500 per violation per consumer. Depending on the size of your business, the type and volume of personal information you collect, and the total number of consumers who submit that information, the total could be substantial if action is not taken to become compliant within the time limit. However, compared to the estimated $12 billion worth of personal information sold annually in California to advertisers, this is only a drop in the bucket for some of the larger corporations. CCPA regulations pose a more serious threat to small businesses, where a single case could amount to enough in fines that the business may not survive the hit.
Obligations That Businesses Must Uphold Under the CCPA
If a business is subject to CCPA regulation, it must satisfy obligations such as:
- Providing notice to consumers at the time of or before data is collected.
- Creating procedures to handle consumer inquiries about knowing, deleting, or opting out of the sharing of their personal information. A business must have a “Do Not Sell My Personal Information” link on its website or mobile app that consumers can follow to find contact information about how to opt out, or to begin the opt-out process on the website itself.
- Responding to requests received from a California consumer about their right to know, delete, or opt-out of personal information sharing in a specific amount of time. User privacy settings that indicate a consumer’s choice to opt-out must be treated by the business as if they were validly submitted opt-out requests.
- Verifying the identity of consumers who make a request about personal information. This must be handled regardless of whether or not a consumer maintains a password-protected account with the business or website. If the business is unable to verify the consumer’s identity, it must still comply with the request to the greatest extent possible, though it may deny the request. If a business is unable to access the collected information for deletion, as in cases such as Facebook Pixel tracking, where the data is completely anonymous and it is nearly impossible to identify which data belongs to a particular consumer, the business should treat the request as an opt-out request.
- Disclosing financial incentives that a business offers in exchange for the sale or retention of consumers’ personal information. Furthermore, a business must disclose how the incentive is allowed under the regulations of the CCPA.
- Maintaining records of the consumer requests. Records of both the request and response from the business must be kept for 24 months to be able to show that an effort was made to comply.
What Can Be Done to Make My Site CCPA Compliant?
1. Create a CCPA section in the site’s Privacy Policy that discusses the privacy rights granted to California consumers under California Civil Code 1798.135 of the CCPA. This new section should provide a link to the “Do Not Sell My Personal Information” opt-out page, a link to the California Explicit Notice if it is separate from the Privacy Policy, and contact information in the form of an email address or phone number where users can contact the business about viewing, updating, or deleting their personal information.
2. Create a “California Explicit Notice” as either a new page on the site or a section within the privacy policy that discusses in detail:
- Which data is collected by the website;
- What it is used for, and which information can be returned upon request;
- The limit on how many times a user can request retrieval of this data within a 12-month period;
- The actions a user can take to have this data deleted or to stop the sale of this personal information;
- Suggestions for creating a secure username/password combination, if users can create a login account on the site;
- Any additional security measures being taken to prevent the theft of user data kept by the business;
- The differences between the sale of their information and the custom-tailored ad experience built from data collected by Google Analytics tracking.
This page or section should contain links to the request page, the opt-out page (if separate from the request page), and to the privacy policy (if separate).
3. Create a request page on the website where users can fill out a form, call, or email to request access to the stored information that the business has collected about them, submit a request for removal or deletion of this personal information, and request to opt out of the sale of their information. This request page must be linked from the home page of the site and from the privacy policy, as required by CCPA regulation. If the opt-out page is separate from the request page, it should also link to and from the privacy policy and the request page.