Businesses worldwide have a new set of strict obligations under the California Consumer Privacy Act (CCPA), which came into force on January 1st, 2020.
CCPA compliance requirements extend much further than those of previous California privacy laws.
To comply with the CCPA, your tasks include:
- Conducting a personal information audit
- Facilitating CCPA consumer rights
Below is some practical guidance to help you meet the CCPA's requirements.
Confirm Whether the CCPA Applies to Your Company
The CCPA only applies to certain entities, which the CCPA simply calls "businesses." There are several relevant sections of the law that define a "business."
Here's the first relevant section, at Section 1798.140:
If your company operates for profit and has customers or users in California (who we'll call "consumers" from now on), it almost certainly meets this part of the CCPA's definition of a "business."
The exception is if your company only collects personal information on behalf of other companies, in which case it is a "service provider."
Note that your company does not need to have any physical presence in California, or even the United States, to be subject to the CCPA. This law affects businesses worldwide.
Here's the second relevant part of this section of the CCPA:
This raises 3 questions about your company:
- Does it raise annual gross revenues of at least $25 million per year?
- Does it buy, sell, receive for commercial purposes, and/or share for commercial purposes personal information from at least 50,000 California consumers, households, and/or devices?
- Does it earn at least half of its annual gross revenues per year from selling California consumers' personal information?
If you answer "yes" to one or more of these questions, the CCPA applies to your business.
- California Online Privacy Protection Act (CalOPPA)
- EU General Data Protection Regulation (GDPR)
- Children's Online Privacy Protection Act (COPPA)
Conduct a Personal Information Audit
CCPA compliance requires a complete understanding of how your business uses personal information, including:
Identify What Personal Information Your Company Collects
The CCPA brings a new definition of "personal information" that is broader than any privacy law the US has ever seen.
One of your first tasks under the CCPA is to identify what personal information your business collects.
Here's how the CCPA defines "personal information":
This definition of personal information is very similar to that of the GDPR. Interpret it broadly.
For more information, read our article: What is Personal Information Under Privacy Laws?
|Category of personal information
||Examples of the types of personal information that might belong in this category (not exhaustive)
|Name, social security number, email address, postal address, alias.
- Personal information as defined in the California Customer Records Statute
|These examples, available here, include: "[...] employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information."
- Characteristics of protected classifications under California or federal law
|Sexual orientation, gender identity and expression, race, color, ancestry. national origin, religion, sex, health conditions, AIDS/HIV status, disability: physical or mental, age (if 40 and older), genetic information, marital status, military service or veteran status, political affiliations, status as a victim of domestic violence, assault, or stalking.
- Commercial information
|Commercial information, including records of personal property, purchase or spending habits.
- Biometric information
|Iris, retina, fingerprint, face, hand, palm images vein patterns. Voice recordings, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data.
- Internet or other electronic network activity information
|Browsing history, search history website, application, or advertisement data (e.g. analytics information).
- Geolocation data
|Information gathered from GPS or other location-tracking techniques.
- Audio, electronic, visual, thermal, olfactory, or similar information
|The CCPA does not clarify how this differs from biometric information.
- Professional or employment-related information
|Employment history, professional qualifications, accreditations.
- Education information
|As defined in the Family Educational Rights and Privacy Act (available here), including a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance.
- Inferences drawn from personal information to create a profile about a consumer
|This could be a profile based on cookie data or buying habits on an ecommerce website.
Identify Your Sources of Personal Information
There are many potential sources of personal information. For most businesses, their main source of personal information is probably their own customers.
Your customers probably provide some personal information directly and voluntarily. For example, via:
- Emails to your support department
- Physical mail to your billing department
- Forms on your website
- Messages on social media
- Feedback/research surveys
You might collect some other types of personal information from consumers directly, via sources such as:
- Server logs
- Website or app analytics
You might also collect personal information about consumers from third parties. Sometimes this will be publicly available.
The CCPA states that public information is not personal information if it is "lawfully made available from federal, state, or local government records" so long as it is "used for a purpose that is not compatible with the purpose for which the data is maintained."
However, you might collect some other types of publicly available information that would qualify as personal information. For example via:
- Social media profiles
- Job sites
- Online forums
Finally, there might be personal information that you buy, or receive for commercial purposes, from third parties, including:
- Market research companies
- Other businesses
Confirm Whether You Sell Personal Information
Some parts of the CCPA only apply if your business sells personal information. Here's how the CCPA defines this:
Based on this definition, it should be obvious whether your business sells personal information.
For clarity, however, the CCPA lists 4 ways of sharing personal information that do not qualify as "selling" personal information. Broadly, they are:
- Making a disclosure at a consumer's request
- Disclosing that a consumer has exercised their right to opt out
- Sharing personal information for a business purpose
- Transferring personal information as part of a merger or acquisition
In any case, the recipient of the consumer's personal information must not sell it.
Confirm Whether Share You Personal Information for Business Purposes
The CCPA only allows consumers to opt out of the sale of their personal information. But even if you don't sell consumers' personal information, you probably share personal information for other reasons.
The CCPA requires you to be transparent if you share personal information for "business purposes."
Here's the CCPA's main definition of a "business purpose:"
So, the CCPA defines a business purpose as the use of personal information:
- Is reasonably necessary and proportionate
- Is compatible with the purposes for which you collected the personal information
The CCPA provides the following list of 7 business purposes:
Note that the CCPA has other notice requirements beyond the consumer notices that you'll need to become familiar with as well. We address these notices in detail in our article: CCPA Notices.
Facilitate CCPA Consumer Rights
The CCPA brings consumers some powerful new rights over their personal information. Some of these are similar to the GDPR's data subject rights.
Before we go into detail about these rights, here are some practical steps you can take toward CCPA compliance in this area:
Set up a way for consumers to access the right to know and the right to delete, including at least:
- Conduct a personal information audit to ensure you can easily facilitate requests
If you sell personal information, you must also:
Set up a way for consumers to access the right to opt out, including at least:
- A web page
- A toll-free phone number
- Create a "Do Not Sell My Personal Information" page and link to it on your homepage
The Right to Know
If you receive a verifiable request under the right to know, you must provide these 5 types of information (in respect of the previous 12 months):
- The categories of personal information your company has collected about the consumer
- The categories of your sources of the consumer's personal information
- The business or commercial purposes for which your company collected that personal information
- The categories of third parties with whom you have shared that personal information
- The specific pieces of personal information you have collected about the consumer
There are extra rules if you sell personal information or disclose personal information for a business purpose. You must also provide the following information (in respect of the previous 12 months):
- The categories of any of the consumer's personal information that your company has sold
- The categories of the third parties to whom your company sold that personal information
- Which categories of personal information you sold to each category of third party
- Any categories of the consumer's personal information that your company has disclosed for business purpose
Additional Conditions on the Right to Know
Here are some of the CCPA's conditions for how you must facilitate the right to know, from Section 1798.100:
So, you must comply with a request under the right to know:
- If you receive a "verifiable consumer request"
- Twice every 12 months (if requested)
- For free
- In a portable format (e.g., a CSV file)
You should ask for ID if it would be reasonable to do so.
You must provide the requested information within 45 days. You can extend this period by an additional 45 days if you notify the consumer and it is "reasonably necessary" to do so.
The Right to Delete
You must delete the personal information you hold on a consumer on request. The same additional conditions apply to the right to delete as to the right to know. However, there are many exceptions to the right to delete.
Exceptions to the Right to Delete
You might not have to comply with a delete request if it is necessary to retain a consumer's personal information for one of the following 9 types of reasons:
- Performing a contract
- Ensuring security
- Exercising free speech
- Complying with the California Electronic Communications Privacy Act (available here)
- Conducting certain research
- Solely internal and reasonable uses
- Complying with a legal obligation
- Other internal uses that are contextually reasonable
Here are the exceptions to the right to delete in full, at Section 1798.105:
The Right to Opt Out
The right to opt out only applies if you sell consumers' personal information.
You must stop selling a consumer's personal information if you receive a verifiable consumer request under the right to opt out. You can request consent to resume selling a consumer's personal information, but only after 12 months have elapsed since they opted out.
You must provide a clear and conspicuous link on your website's homepage that reads: "Do Not Sell My Personal Information." This link should lead to a web page that allows California consumers to exercise their right to opt out.
Here's an example from Coca-Cola:
Clicking the "Make a Request" button leads to this page where users can request to opt out of having their data shared or sold. They can also request a copy of their personal information and request it be deleted:
This is a great example of how to facilitate all 3 of the CCPA's "active" rights: the right to know, the right to delete, and the right to opt out.
The Right to Opt In (for Minors)
Your business has the right to sell the personal information of adult California consumers unless they exercise their right to opt out. However, the rules are different for minors.
Here's the relevant section of the CCPA, 1798.120:
Let's break down the rules in this section:
- You must not sell a consumer's personal information if you have "actual knowledge" that they are under 16.
- A consumer aged between 13 and 16 can opt into the sale of their personal information.
- In the case of a consumer under 13, their parent or guardian can opt into the sale of their personal information on the consumer's behalf.
If you "wilfully disregard" a consumer's age you will be considered to have "actual knowledge" of their age.
California law tends to define "willful disregard" as a failure to take positive action. Therefore, you should consider implementing age-verification methods if you sell personal information.
The Right to Non-Discrimination
You cannot discriminate against a consumer who exercises their CCPA rights. The CCPA gives a non-exhaustive list of 5 examples of prohibited discriminatory activities:
Essentially, you must treat all consumers the same regardless of whether they exercise their CCPA rights.
However, note this section:
The CCPA does not consider it discriminatory to offer a different price to a consumer has not exercised their right to opt out, so long as the difference in price is based on the actual value your business gets from selling their personal information.
Summary of CCPA Compliance Requirements
To comply with the CCPA your main obligations include: