CCPA (CPRA) compliance requirements extend much further than those of previous California privacy laws.
This article will act as a practical guide to help you meet the CCPA/CPRA's requirements.
At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
- 1. Confirm Whether the CCPA (CPRA) Applies to Your Company
- 3. Conduct a Personal Information Audit
- 3.1. Identify What Personal Information Your Company Collects
- 3.2. Identify Your Sources of Personal Information
- 3.3. Confirm Whether You Sell Personal Information
- 3.4. Confirm Whether Share You Personal Information for Business Purposes
- 4. Facilitate CCPA (CPRA) Consumer Rights
- 4.1. The Right to Know
- 4.1.1. Additional Conditions on the Right to Know
- 4.2. The Right to Delete
- 4.2.1. Exceptions to the Right to Delete
- 4.3. The Right to Opt Out
- 4.4. Your CCPA (CPRA) Opt-Out Free Solution
- 4.5. The Right to Opt In (for Minors)
- 4.6. The Right to Non-Discrimination
- 5. Summary of CCPA (CPRA) Compliance Requirements
Confirm Whether the CCPA (CPRA) Applies to Your Company
The CCPA (CPRA) only applies to certain entities, which the CCPA (CPRA) simply calls "businesses." There are several relevant sections of the law that define a "business."
Here's the first relevant section, at Section 1798.140:
If your company operates for profit and has customers or users in California (who we'll call "consumers" from now on), it almost certainly meets this part of the CCPA's definition of a "business."
Note that your company does not need to have any physical presence in California, or even the United States, to be subject to the CCPA (CPRA). This law affects businesses worldwide.
The CCPA (CPRA) applies to business that meet one of the following:
- Pull in annual gross revenues of at least $25 million per year
- Buy, sell, receive for commercial purposes, and/or share for commercial purposes personal information from at least 100,000 California consumers or household
- Earn at least half of its annual gross revenues per year from selling or sharing California consumers' personal information
Information about consumer rights under the CCPA (CPRA):
If you sell personal information:
- Information about the right to opt-out
- A link to your "Do Not Sell My Personal Information" page
- The categories of personal information your business has collected over the past 12 months
The categories of personal information your business has sold over the preceding 12-month period
- Or, if you haven't sold any personal information in the preceding 12 months, you must disclose this
The categories of any personal information your business has disclosed for business purposes over the preceding 12 months
- Or, if you haven't disclosed any personal information for business purposes in the preceding 12-month period, you must disclose this
- California Online Privacy Protection Act (CalOPPA)
- EU General Data Protection Regulation (GDPR)
- Children's Online Privacy Protection Act (COPPA)
Conduct a Personal Information Audit
CCPA (CPRA) compliance requires a complete understanding of how your business uses personal information, including:
- What types of personal information you collect and store
- Your sources of personal information
What personal information you:
- Share for business purposes
Identify What Personal Information Your Company Collects
The CCPA (CPRA) brings a new definition of "personal information" that is broader than any privacy law the US has ever seen.
One of your first tasks under the CCPA (CPRA) is to identify what personal information your business collects.
Here's how the CCPA (CPRA) defines "personal information":
This definition of personal information is very similar to that of the GDPR. Interpret it broadly.
For more information, read our article: What is Personal Information Under Privacy Laws?
|Category of personal information||Examples of the types of personal information that might belong in this category (not exhaustive)|
||Name, social security number, email address, postal address, alias.|
||These examples, available here, include: "[...] employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information."|
||Sexual orientation, gender identity and expression, race, color, ancestry. national origin, religion, sex, health conditions, AIDS/HIV status, disability: physical or mental, age (if 40 and older), genetic information, marital status, military service or veteran status, political affiliations, status as a victim of domestic violence, assault, or stalking.|
||Commercial information, including records of personal property, purchase or spending habits.|
||Iris, retina, fingerprint, face, hand, palm images vein patterns. Voice recordings, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data.|
||Browsing history, search history website, application, or advertisement data (e.g. analytics information).|
||Information gathered from GPS or other location-tracking techniques.|
||The CCPA (CPRA) does not clarify how this differs from biometric information.|
||Employment history, professional qualifications, accreditations.|
||As defined in the Family Educational Rights and Privacy Act (available here), including a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance.|
||This could be a profile based on cookie data or buying habits on an ecommerce website.|
||This could be personal information that includes biometric information, health data, sexual orientation data and other similarly sensitive information.|
Identify Your Sources of Personal Information
There are many potential sources of personal information. For most businesses, their main source of personal information is probably their own customers.
Your customers probably provide some personal information directly and voluntarily. For example, via:
- Emails to your support department
- Physical mail to your billing department
- Forms on your website
- Messages on social media
- Feedback/research surveys
You might collect some other types of personal information from consumers directly, via sources such as:
- Server logs
- Website or app analytics
You might also collect personal information about consumers from third parties. Sometimes this will be publicly available.
The CCPA (CPRA) states that public information is not personal information if it is "lawfully made available from federal, state, or local government records" so long as it is "used for a purpose that is not compatible with the purpose for which the data is maintained."
However, you might collect some other types of publicly available information that would qualify as personal information. For example via:
- Social media profiles
- Job sites
- Online forums
Finally, there might be personal information that you buy, or receive for commercial purposes, from third parties, including:
- Market research companies
- Other businesses
Confirm Whether You Sell Personal Information
Some parts of the CCPA (CPRA) only apply if your business sells personal information. Here's how the CCPA (CPRA) defines this:
Based on this definition, it should be obvious whether your business sells personal information.
For clarity, however, the CCPA (CPRA) lists 4 ways of sharing personal information that do not qualify as "selling" personal information. Broadly, they are:
- Making a disclosure at a consumer's request
- Disclosing that a consumer has exercised their right to opt out
- Sharing personal information for a business purpose
- Transferring personal information as part of a merger or acquisition
In any case, the recipient of the consumer's personal information must not sell it.
Confirm Whether Share You Personal Information for Business Purposes
The CCPA (CPRA) requires you to be transparent if you share personal information for "business purposes."
Here's the CCPA/CPRA's main definition of a "business purpose:"
So, the CCPA (CPRA) defines a business purpose as the use of personal information:
- Is reasonably necessary and proportionate
- Is compatible with the purposes for which you collected the personal information
The CCPA (CPRA) provides the following list of 7 business purposes:
Note that the CCPA (CPRA) has other notice requirements beyond the consumer notices that you'll need to become familiar with as well. We address these notices in detail in our article: CCPA (CPRA) Notices.
Facilitate CCPA (CPRA) Consumer Rights
The CCPA (CPRA) brings consumers some powerful new rights over their personal information. Some of these are similar to the GDPR's data subject rights.
Before we go into detail about these rights, here are some practical steps you can take toward CCPA (CPRA) compliance in this area:
Set up a way for consumers to access the right to know and the right to delete, including at least:
- A web page
- A toll-free phone number
- Conduct a personal information audit to ensure you can easily facilitate requests
If you sell personal information, you must also:
Set up a way for consumers to access the right to opt out, including at least:
- A web page
- A toll-free phone number
- Create a "Do Not Sell My Personal Information" page and link to it on your homepage
The Right to Know
If you receive a verifiable request under the right to know, you must provide these types of information (in respect of the previous 12 months):
- The categories of personal information your company has collected about the consumer
- The categories of your sources of the consumer's personal information
- The business or commercial purposes for which your company collected that personal information
- The categories of third parties with whom you have shared that personal information
- The specific pieces of personal information you have collected about the consumer
There are extra rules if you sell personal information or disclose personal information for a business purpose. You must also provide the following information (in respect of the previous 12 months):
- The categories of any of the consumer's personal information that your company has sold
- The categories of the third parties to whom your company sold that personal information
- Which categories of personal information you sold to each category of third party
- Any categories of the consumer's personal information that your company has disclosed for business purpose
Additional Conditions on the Right to Know
Here are some of the CCPA/CPRA's conditions for how you must facilitate the right to know, from Section 1798.100:
So, you must comply with a request under the right to know:
- If you receive a "verifiable consumer request"
- Twice every 12 months (if requested)
- For free
- In a portable format (e.g., a CSV file)
You should ask for ID if it would be reasonable to do so.
You must provide the requested information within 45 days. You can extend this period by an additional 45 days if you notify the consumer and it is "reasonably necessary" to do so.
The Right to Delete
You must delete the personal information you hold on a consumer on request. The same additional conditions apply to the right to delete as to the right to know. However, there are many exceptions to the right to delete.
Exceptions to the Right to Delete
You might not have to comply with a delete request if it is necessary to retain a consumer's personal information for one of the following 9 types of reasons:
- Performing a contract
- Ensuring security
- Exercising free speech
- Complying with the California Electronic Communications Privacy Act (available here)
- Conducting certain research
- Solely internal and reasonable uses
- Complying with a legal obligation
- Other internal uses that are contextually reasonable
Here are the exceptions to the right to delete in full, at Section 1798.105:
The Right to Opt Out
The right to opt out only applies if you sell consumers' personal information.
You must stop selling a consumer's personal information if you receive a verifiable consumer request under the right to opt out. You can request consent to resume selling a consumer's personal information, but only after 12 months have elapsed since they opted out.
You must provide a clear and conspicuous link on your website's homepage that reads: "Do Not Sell My Personal Information." This link should lead to a web page that allows California consumers to exercise their right to opt out.
Here's an example from Coca-Cola:
Clicking the "Make a Request" button leads to this page where users can request to opt out of having their data shared or sold. They can also request a copy of their personal information and request it be deleted:
This is a great example of how to facilitate all 3 of the CCPA/CPRA's "active" rights: the right to know, the right to delete, and the right to opt out.
Your CCPA (CPRA) Opt-Out Free Solution
The Right to Opt In (for Minors)
Your business has the right to sell the personal information of adult California consumers unless they exercise their right to opt out. However, the rules are different for minors.
Here's the relevant section of the CCPA (CPRA), 1798.120:
Let's break down the rules in this section:
- You must not sell a consumer's personal information if you have "actual knowledge" that they are under 16.
- A consumer aged between 13 and 16 can opt into the sale of their personal information.
- In the case of a consumer under 13, their parent or guardian can opt into the sale of their personal information on the consumer's behalf.
If you "wilfully disregard" a consumer's age you will be considered to have "actual knowledge" of their age.
California law tends to define "willful disregard" as a failure to take positive action. Therefore, you should consider implementing age-verification methods if you sell personal information.
The Right to Non-Discrimination
You cannot discriminate against a consumer who exercises their CCPA (CPRA) rights. The CCPA (CPRA) gives a non-exhaustive list of 5 examples of prohibited discriminatory activities:
Essentially, you must treat all consumers the same regardless of whether they exercise their CCPA (CPRA) rights.
However, note this section:
The CCPA (CPRA) does not consider it discriminatory to offer a different price to a consumer has not exercised their right to opt out, so long as the difference in price is based on the actual value your business gets from selling their personal information.
Summary of CCPA (CPRA) Compliance Requirements
To comply with the CCPA (CPRA) your main obligations include:
Conduct a personal information audit to determine:
- What types of personal information you collect
- Your sources of personal information
- Whether you sell personal information
- Whether you share personal information for business purposes
- Set up a process to facilitate the right to know and the right to delete
- If you sell personal information, set up a "Do Not Sell My Personal Information" page