On this page
The California Consumer Privacy Act (CCPA) is a robust U.S. privacy law that was amended and expanded by the CPRA.
This article will outline the major core requirements of the CCPA (CPRA) and how they affect startups, with practical steps on how you can comply.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
The Rights of Consumers Covered by the CCPA (CPRA)
First, we'll lay out some of the specific rights the CCPA (CPRA) affords consumers and whether startups have to abide by the legislation's rules and obligations. We'll cover the core requirements of the law and then we'll talk about how these requirements specifically impact startups.
The crucial areas outlined in the legislation's opening are the following:
- The right of California residents to know what sensitive, personal data is collected about them
- The right of California residents to know if their sensitive, personal data is disclosed, shared, or sold and to whom
- The right of California residents to say no to the sale of sensitive, personal data
- The right of California residents to access their sensitive, personal data
- The right of California residents to equal price and service if they exert their right to privacy
Do Startups Have to Comply with the CCPA (CPRA)?
If your business website receives more than 138 visits daily, then the answer is yes. The CCPA (CPRA) applies to organizations that are for-profit entities, and which collect and process the private, personal data of California residents.
Additionally, the CCPA (CPRA) applies if the organization meets one of the following three criteria:
- The organization must gross over $25 million per year
- The organization must make at least 50% of its revenue from selling or sharing the private information of consumers, or
- The organization buys, receives, and/or shares personal data related to 100,000 consumers
Of the scenarios listed above, the one that's most likely applicable to startups is number 3. The CCPA/CPRA's use of "personal information" is rather general and broadly defined. Essentially, personal data according to the law includes any data that can be connected directly or indirectly to a specific consumer.
A few examples of this include a consumer's internet activity, IP address, geolocation information, and purchasing history.
Core Requirements of the CCPA (CPRA)
Organizations must be able to meet the CCPA/CPRA's right-to-know standard that provides consumers with end-to-end transparency. Additionally, companies will need to let consumers know when their personal information is collected, what kind of data is collected, how the company plans to use that information, and whether it will be shared or sold.
To meet CCPA (CPRA) requirements, companies must:
- Supply appropriate notifications on any paper documents, mobile apps, and on websites where consumer data is gathered
- Supply a "Do Not Sell My Information" or "Do Not Sell My Info" link so consumers can opt-out of having their personal information sold
- Ensure that all notifications provided to consumers are accessible to everyone, including individuals with disabilities
- Ensure all notifications are visible before personal information is collected
It must be noted that the State of California attempted (controversially) to make it easy for companies to supply an "opt-out" option to consumers by creating an opt-out logo and button, which organizations would have been forced to place on their websites. These buttons and logos would then be used to link to official privacy regulations.
However, this provision was scrapped by an amendment to the CCPA in March 2020. As Jen King, the Director of Consumer Privacy at Stanford University, said in a blog post concerning this subject:
"I've been wary about this requirement since I first learned of it, primarily because the existing mechanisms by which we inform the public about privacy are ad hoc and aren't a product of strategic thinking informed by research. A "Do Not Sell" logo will compete with privacy policy links, security indicators, e-commerce seals, and, of course, with content."
While the button and logo icons were scrapped, the CCPA still requires that startups provide their website visitors with an obvious way to view their Privacy Policy. The policy should contain language letting consumers know how they can opt out of having their information sold.
Additionally, startups will also need to:
- Supply users with an opt-out option in all communications, whether on or offline
- Ensure that all requests to opt-out are documented
- Maintain and store all documented records of such requests
Finally, startups must recognize that their customers have a right to have their data deleted. If the startup receives a deletion request, it will need to verify the customer's identity, and then let the customer know that their request has been received. The company will also need to ensure the customer knows their request is actively being processed.
Understand How Your Startup Will Support Consumer Rights
Assuming that your startup falls under the CCPA (CPRA) rules, you need to take a hard look at current data flows that involve personal information.
Consider any ways that your organization is gathering information, which could include data collection through apps or on your website. Think about any third parties to whom you may be providing personal information and who you're taking it from.
You must have a firm grasp of whether your business is actively using personal information as defined by the CCPA (CPRA) before you can begin making any changes that might be necessary to ensure compliance. You must be thorough. That means you'll need to speak with internal stakeholders to discover where they may also be collecting, using, storing, or transferring data.
That may sound extreme, but what if your startup has a website or app that gathers the personal information of its users and then someone takes it and uploads it to a third-party cloud services provider (e.g., think about DropBox, Google Drive, or Box.com), and then a company partner has access?
You must understand that there are different CCPA (CPRA) requirements for companies, third parties, and service providers. The bottom line is that you can't fall in line with the legislation if you don't understand how sensitive data flows in and out of your business.
Review Your Privacy Policy
In all likelihood, after a thorough review of your information architecture and data flows, you'll discover that there is a lot you need to do to ensure compliance with the CCPA (CPRA). You'll need a comprehensive understanding of the CCPA/CPRA's legal requirements, your information architecture, and your own business goals.
Something else you'll need to review is your company's Privacy Policy because according to the Internet Society's Online Trust Alliance (OTA), most Privacy Policies are not up to CCPA (CPRA) standards.
For example, the OTA analyzed over 1,200 Privacy Policies from businesses around the globe and discovered that while many stated that they didn't share data with third parties, not even one Privacy Policy stated explicitly that website users would be notified when their data was shared or sold, which the CCPA (CPRA) demands.
Becoming CCPA/CPRA-Compliant
As you work toward compliance with the CCPA (CPRA), you'll discover that there are many areas where your startup needs to update how you do things. Improvements and updates in procedures and processes, security practices, and in policies may all be necessary.
What Your Privacy Policy Needs
There are many things your startup's Privacy Policy could include. However, immediately below is a quick checklist of the major things you must include to be compliant with the CCPA (CPRA).
- State clearly what information your startup collects
- State why you collect this personal information and what you use it for
- State who your startup may share personal information with, and why
- State how your startup gathers personal information
- Provide users with information on whom they can contact if they want more details on how their information is used and stored
- Provide information on consumer rights
- Update your startup's Privacy Policy every 12 months to ensure that it is current and compliant
- Provide information on how users can have their personal information deleted
For example, see how Maven lets their users know they can delete their accounts as well as personal data in the screenshot below:
You must also:
- Provide information on how users can opt-out of your data gathering efforts
- Ensure that consumers know you do not discriminate against them if they choose not to participate in your data gathering efforts
Finally, you must make sure that when you update your Privacy Policy you must make that fact public. You will need to either provide or send out notices that changes have been made.
The bottom line here is that most companies, and probably your startup, deals with user data rather heavily. If you deal with customers in California at all, you are bound to abide by the CCPA/CPRA's rules.
Therefore, even though the CCPA/CPRA's privacy requirements might seem daunting, updating your Privacy Policy is a good idea. Compliance doesn't have to be hard, and it's in your best interests.
