Don’t ignore the United States’ first major privacy law. California consumers now have the right to sue non-compliant brands and can face hefty fines. Learn if your business is subject to CCPA compliance & how to comply with an easy-to-follow checklist.
What is the CCPA? The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them. Learn more about CCPA, what it is, who it applies to & what penalties you could face.
The California Consumer Privacy Act doesn’t apply to every business. You are only subject if:
- The business for profit
- Does business in California
- Collects user’s personal information
- Has an annual gross revenue in excess of $25 million
- Annually buys, receives, sells, or shares personal information for commercial purposes of 50,000 or more users, households, or devices
- Derives 50% or more of its annual revenue from selling users’ personal information
- Medical information collected by a covered entity governed by the Health Insurance Portability and Accountability Act (HIPAA) or California Confidentiality of Medical Information Act (CMIA); entities subject to HIPAA or CMIA; or information collected as part of a clinical trial;
- Personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act or California Financial Privacy Information Act;
- Information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994;
- The sale of personal information to or from a consumer reporting agency to be reported in or used to generate a consumer report;
- Efforts to comply with federal, state, or local law; a civil, criminal, or regulatory investigation; or a subpoena or summons;
- Cooperation with law enforcement agencies or exercising/defending legal claims;
- Until January 1, 2021: Personal information collected from job applicants, employees, owners, directors, staff, officers, and contractors of a business (except that employees will be subject to the right-to-know notification requirements);*
- Until January 1, 2021: Personal information about an employee, owner, director, officer or contractor collected pursuant to due diligence or business-to-business communications or transactions;* or
- Vehicle information and vehicle ownership information retained or shared by dealers and vehicle manufacturers for warranty or recall-related repair*
The CCPA is all about users’ privacy and protecting it. Before you proceed, put together a comprehensive list of information you collect from California users and how that information is used. This will make completing the checklist much easier and quicker.
- Put together a list of information you collect from CA users and how it’s used
- Add opt-out and Right to be forgotten links on your homepage
- Create a “Do Not Sell My Information” page
- Provide a way for users to access & delete their information
- Provide users a way to opt-out if you sell their information
- Create a process and identify individuals responsible for preserving copies of “specific pieces of personal information that the business has collected about [each] consumer” and promptly responding to consumers’ requests to access same
- Create a documented process (including, but not limited to, a toll-free number and website address) and identify individuals responsible for responding to “verifiable consumer requests” with individualized disclosures about the business’s collection, sale, or disclosure of the personal information belonging to the specific consumer making the request
- Create policies that reconcile the CCPA’s requirement to delete data upon request with the need to preserve evidence in litigation and avoid sanctions for the spoliation of evidence
- Create a process & identify individuals responsible for deleting user data
- Provide minors with a “right to opt-in.”
- Provide training for employees on the CCPA’s prescribed consumer rights
- Review existing agreements with third parties or service providers
- Provide consumers the right to equal service and price
- Create & maintain a robust incident response plan
The definition of ‘personal data’ under the CCPPA explicitly states that it is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This law differs from GDPR, ePrivacy Directive, and privacy laws by including household information in the scope of what personal information entails.
(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household
Personal information includes the following 11 enumerated categories:
- Name, address, personal identifier, IP address, email address, account name, Social Security number, driver’s license number, and passport number.
- Personal information under California’s records destruction law (Cal. Civ. Code § 1798.80(e)), which additionally includes signature, physical characteristics or description, telephone number, insurance policy number, education, employment, employment history, or financial account information.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity, such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information that is not publicly available personally identifiable information, as defined in the Family Educational Rights and Privacy Act (20 USC § 1232(g), 34 CFR Part 99).
- Inferences drawn from any of the information listed above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Excluded from this definition is “aggregate consumer information,” which is defined as data that is “not linked or reasonably linkable to any consumer or household, including via a device,” as well as information that is publicly available from federal, state, or local government records.
For more information about what’s considered personal data, see subsection (o)(1) of 1798.140 of the CCPA.
- The categories of personal information to be collected about the user and the purposes for which the information will be used, and
- The categories of users’ personal information that were actually collected in the preceding 12 months and sold or disclosed for business purposes in the preceding 12 months.
Businesses must also inform consumers of their right to be forgotten and right to opt-out of the sale of personal information to third parties.
If you sell your visitors’ personal information, you must give these consumers the opportunity to opt out of this sale. This is in line with the principle that everyone has control over what happens to their personal data. Be sure to include the following:
- Details concerning the consumer’s right to opt-out of the sale of their personal data
- A contact form for submitting a request for said opt-out
- Information pertaining to other contact methods for opting out
- The burden of proof required for when a consumer has elected to have an authorized agent to submit an opt-out request on their behalf
General CCPA Compliance
The following applies to all websites that are required to comply with CCPA:
- Obtain prior consent from minors 13-16 years old before selling their personal data
- For minors younger than 13 you have to obtain prior consent by their parents
- Provide a toll-free phone number
Need help bringing your site into compliance with the CCPA? Ensuring all aspects of this new privacy law can be overwhelming — but it doesn’t have to be.
Contact Entermedia.com for a free CCPA compliance consultation to get your site in compliance before you face lawsuits and large fines for non-compliance.
Do I need to obtain prior consent before collecting data? No, unlike many other consumer data protection regulations, this cookie law doesn’t require obtaining prior CCPA cookie consent for collecting and processing your users’ data.
Allow Users Access & Ability to Delete their Information
CCPA requires that you tell people what personal information you collected about them and what you’ve done with that information when they ask. Your response should include, among other things, the categories of service providers and others you share data with; for example, you share data with us as your site’s host.
Public Records & CCPA
Information that’s lawfully made publicly available is outside the scope of the CCPA. What does this mean? Here’s an example:
Say someone distributes an address book online. This is illegal, and so the exemption doesn’t apply. Government census records, on the other hand, are publicly available, and so the CCPA doesn’t apply to this information.
Allow Users to Opt-out if you Sell their Information
If you are selling the information your site collects about your customers or site visitors, you should provide an option for them to opt-out, or to opt-in if they are under the age of 16 (parental approval required for minors under 13). For example, if your site collects email addresses and you sell them to an affiliate you would need a clearly displayed “Do Not Sell My Info” link on your website.
Can I sell users’ data freely? The CCPA doesn’t prevent you from selling your users’ data, but it obliges you to allow them to opt-out of their personal information being used for a business purpose. This means that you have to include a “Do Not Sell My Personal Information” link on your website’s homepage to comply with CCPA. Anyone who wants to opt-out of sales of their personal data can click on the link and ban you from selling their personal information.
For 13-16 year old minors, you have to obtain prior CCPA cookie consent before selling their data. For minors younger than 13, you have to obtain consent from their parents or guardians.
Provide a Toll-Free Phone Number
The CCPA requires companies to set up specific communication channels so California residents can request information about their data.
The CCPA states that you are obliged to comply with the following:
Make available to consumers two or more designated methods for submitting requests for information required to be disclosed according to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information.
A toll-free telephone number is, unless you operate exclusively online and have a direct relationship with a consumer, a minimum requirement for anyone who processes personal data of California residents.
Blocking visitors from California could be an option. Remember, however, that if Google crawls your website, you may have a problem with your SEO. Another option is to use the services of a Toll-Free number like: 866-I-OPT-OUT. You can start a free trial at CCPA Toll Free.
CCPA Compliance for WordPress
For most WordPress websites, you likely already had to comply with the GDPR in some way or form. Below is a brief overview of current GDPR compliance requirements:
- Upgrade your WordPress to the latest version (4.9.6 or higher)
- Secure connection (SSL)
- Do Not Sell My Personal Information page
- Processing agreement with all processors and/or service providers
- Age verification (to obtain consent from users 13-16, and ensure privacy for users under 13)
WordPress User Information
Much of the personal information collected by your WordPress site can be gathered/deleted by you through your site’s dashboard. For example, you can search for and delete comments from a specific individual via your site’s comments admin area.
If you WordPress site includes contact forms, ensure there’s a way to gather and delete any information that is stored.
As part of implementing your CCPA deletion process you may want to establish a retention policy for the personal information your business collects. There isn’t a single right answer for how long your retention policy should be, but in general it’s a good idea to only keep information for as long as you need it. You can use the Bulk Actions option in the wp-admin dashboard to edit or delete collected information in a variety of areas including WooCommerce Orders, Contact Form Submissions, and Comments.
CCPA Compliance for Google Analytics
If you’re using Google Analytics like most sites, you’ll need to ensure you take the following steps to stay in compliance with CCPA:
Step 1: Include GA in your Do Not Sell My Personal Information page.
Google Analytics shares a lot of information with other Google services, such as Google Adwords, Google Optimizer, etc. If you have this enabled, you must mention it on your ‘Do Not Sell My Personal Information’ page.
You can disable sharing this data in GA by going to: Admin > Account Settings > Data Sharing Settings
Tracking User IDs
Google Analytics has an option to track user ID surfing behavior of different devices and keeps track of the number of sessions. If this is enabled, be sure to describe this in your ‘Do Not Sell My Personal Information’ page.
To disable it or check if you’re using it go to: Admin > Property Settings > Tracking Info > User ID
Google Analytics also shares data for advertising purposes, such as re-marketing. Put this in your ‘Do Not Sell My Personal Information’ or disable it by going to: Admin > Tracking Info > Data Collection
Step 2: Sign the service providing agreement with Google.
Service providing agreements are an important part of CCPA compliance. You need to sign one with Google Analytics which can be found here:
Account Settings > Data Processing Agreement > Review Amendment
The California Consumer Privacy Act (CCPA) is the first comprehensive privacy law in United States. It was signed into law at the end of June 2018 and provides a variety of privacy rights to California consumers. Businesses regulated by the CCPA will have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like rights for consumers, an “opt-out” for certain data transfers and an “opt-in” requirement for minors.
The CCPA only applies to companies doing business in California, which annually satisfy one or more of the following: (1) have a gross revenue of more than $25 million, (2) derive 50% or more of its annual revenue from the sale of consumer personal information, or (3) buys, sells, or shares the personal information of more than 50,000 consumers.
The CCPA goes into effect on January 1, 2020. However, enforcement by the Attorney General (AG) did not begin until July 1, 2020.
While the CCPA is similar to the GDPR, it is not the same. If you already prepared for the GDPR, you may be able to leverage some of the work that you did to meet your CCPA requirements. Many privacy laws across the world share common themes. These often include:
Consumer rights to access, update, delete, and receive a copy of personal information
Different obligations based on a company’s role as a business or service provider
Transparency and notice about a company’s data practices
In contrast to the GDPR, the CCPA also adds the right for consumers to opt-out of the “sale” of their personal information. Under the CCPA, “sale” is defined to include any sharing or disclosure for valuable consideration.
There are many differences. It’s easier to focus on the similarities, including:
Consumer rights to access, delete, and receive a copy of data.
Definition of “service providers” that is similar to how GDPR defines “processors” with a similar contractual obligation.
Definition of “businesses” that encompasses the GDPR definition of “controllers”.
The biggest difference in CCPA is the core requirement to enable an opt-out from sales of data to third parties (with “sale” broadly defined to include sharing of data for valuable consideration). This is a narrower and more specific obligation than the broad GDPR right to object to processing, which encompasses this type of “sale,” but is not specifically limited to covering this type of sharing.
CCPA introduces parental consent obligations consistent with The Children’s Online Privacy Protection Act (COPPA) for children under the age of 13.
For children between 13 and 16 years old, CCPA imposes a new obligation to obtain opt-in consent from the child for any “sale” of their personal information.
In October 2019, a number of amendments were passed to the CCPA. One amendment clarified that the CCPA obligations do not apply to the personal information of employees of the business. However, legislators put a one-year sunset on that exemption. We expect California to legislate a new data protection law for employees in 2020.