What is CCPA?
The California Consumer Privacy Act (CCPA) grants California residents rights over how businesses collect, use, share and sell their personal information, and prohibits businesses from discriminating against them for exercising those rights. It applies to businesses that do business in California and meet certain thresholds, wherever they are incorporated.
The CCPA was the first comprehensive state-level consumer privacy law in the United States and came into force on January 1, 2020. The California Privacy Rights Act (CPRA), which amends and extends the CCPA, took effect on January 1, 2023.
CCPA Compliance: The Three Key Points for businesses
It does not matter where in the world your business is located. A for-profit business that does business in California is subject to the CCPA if it:
Annually buys, sells or shares the personal information of 100,000 or more California residents or households, or
Has more than $25 million in gross annual revenue, or
Derives 50% or more of its annual revenue from selling or sharing the personal information of California residents.
The CCPA defines the sale of personal information as:
"selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." (Cal. Civ. Code § 1798.140(t)(1))
Any entity that controls or is controlled by a business subject to the CCPA and shares common branding with it (a shared name, service mark or trademark) is also subject to the CCPA.
California residents (the CCPA calls them "consumers") have the right to know what personal information a business has collected about them, to have that information deleted, and to opt out of its sale or sharing.
They also have the right to notice at the point of collection and the right to equal service and price: a business may not discriminate against a consumer for exercising any of these rights.
Since the CPRA took effect, violations carry administrative fines of up to $2,500 per violation, or up to $7,500 per intentional violation or violation involving the personal information of minors. Separately, consumers may sue for statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater) when their non-encrypted and non-redacted personal information is breached because the business failed to implement reasonable security.
CCPA Compliance: What happens to your website?
If your business meets any of the three thresholds above and operates a website, the following requirements apply to that website.
At or before the point of collection, the website must tell users which categories of personal information it collects and the purposes for which each category will be used.
If you sell or share personal information, you must also provide a clear and conspicuous "Do Not Sell or Share My Personal Information" link that lets consumers opt out. Linking that notice to a privacy policy or cookie policy that explains in detail what personal data is collected and why is good compliance practice.
If the user is a minor aged 13 to 15, you must obtain the minor's affirmative opt-in consent before selling or sharing their personal information; if the user is under 13, the consent must come from a parent or legal guardian.
If a consumer submits a verifiable request to know, you must, free of charge and within 45 days, disclose the personal information collected about them over the previous 12 months, including the sources it came from, the business or commercial purposes for collecting it, and the categories of third parties with whom it has been shared.
Your business may not treat a consumer differently (for example by denying service, charging a different price or degrading quality) because they opted out, requested disclosure, or asked to correct or delete their information, unless the difference is reasonably related to the value the consumer's data provides to the business, as in a properly disclosed financial incentive programme.
Personal Information under CCPA
According to the CCPA, personal information is:
"Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." (Cal. Civ. Code § 1798.140(o)(1))
Examples of personal information covered by the CCPA include:
Direct identifiers (name, postal address, email address)
Unique identifiers (cookie IDs, device IDs, IP addresses)
Biometric data
Geolocation data and location history
Internet activity (browsing history, search history, and interactions with a website or app)
Voice and face recordings
Sensitive information, such as health data, religious or political beliefs, sexual orientation, and employment, education, financial and medical information
Inferences about a consumer's characteristics or behaviour drawn from any of the above
Information that identifies a household rather than an individual is personal information too.
The CCPA does not apply to deidentified or aggregate consumer information. However, information that does not identify anyone on its own becomes personal information as soon as it can reasonably be linked, alone or in combination with other data, to a particular consumer or household. An analytics record keyed only by a cookie ID, for example, is personal information once that ID can be tied to a device or profile.
CCPA compliance and Cookies: What businesses must know
The CCPA's definition of personal information includes unique identifiers, and cookies and similar tracking technologies are the most common way websites assign them to visitors.
First-party cookies (set by the site's own domain) typically hold session state, preferences and the site's own analytics. Third-party cookies (set by ad networks, social media platforms and other embedded services) are used to recognise the same browser across many sites and to build profiles, and often hold personal, sometimes sensitive, information. Session cookies are deleted when the browser closes; persistent cookies carry an Expires date or Max-Age that trackers commonly set years in the future.
Data gathered through cookies can therefore count as personal information under the CCPA. Anonymised analytics data on its own may fall outside the definition, but once it is combined with other data to identify and link devices, build profiles, or deliver targeted advertising, it becomes personal information.
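The first step in a cookie inventory is to classify each cookie the site sets as first- or third-party and as session or persistent, because persistent third-party cookies are the ones most likely to be used for cross-site tracking and so for "sharing" under the CPRA. The script below is an added example, not code from the original page or from Adzapier: it parses a handful of constructed Set-Cookie headers, applies RFC 6265's rule that Max-Age takes precedence over Expires, and flags persistent third-party cookies for review. The `registrable_domain` helper is a deliberate simplification (last two labels) and would need the Public Suffix List in real use; the host names and cookie values are all invented.

```python
"""Classify cookies for a privacy inventory (added example, not from the page).

Given the site's own host name and the (origin_host, Set-Cookie) pairs a
browser received while loading a page, label each cookie as first- or
third-party and as session or persistent, and flag the persistent
third-party ones as tracker candidates.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieRecord:
    name: str
    set_by: str                   # host whose response carried the header
    party: str                    # "first" or "third"
    lifetime: str                 # "session" or "persistent"
    days_remaining: Optional[int]  # None for session cookies
    tracker_candidate: bool        # persistent AND third-party


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: last two labels. Assumption for this example;
    real code must consult the Public Suffix List (e.g. 'co.uk')."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr=x; Flag' into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags map to ""
    return name.strip(), value, attrs


def cookie_expiry(attrs: Dict[str, str], now: datetime) -> Optional[datetime]:
    """Return the absolute expiry, or None for a session cookie.
    RFC 6265 section 5.3: Max-Age wins over Expires; a malformed Max-Age is ignored."""
    if "max-age" in attrs:
        try:
            return now + timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass                                   # ignore bad Max-Age, fall through
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None                            # unparseable date: treat as session
        if exp.tzinfo is None:                     # '-0000' yields a naive datetime
            exp = exp.replace(tzinfo=timezone.utc)
        return exp
    return None


def classify(site_host: str, origin_host: str, header: str, now: datetime) -> CookieRecord:
    name, _value, attrs = parse_set_cookie(header)
    # The cookie's scope is the Domain attribute when present, else the setting host.
    scope = attrs.get("domain", origin_host).lstrip(".")
    party = "first" if registrable_domain(scope) == registrable_domain(site_host) else "third"
    expiry = cookie_expiry(attrs, now)
    if expiry is None:
        lifetime, days = "session", None
    else:
        lifetime, days = "persistent", max(0, (expiry - now).days)
    return CookieRecord(name, origin_host, party, lifetime, days,
                        party == "third" and lifetime == "persistent")


def inventory(site_host: str, responses: List[Tuple[str, str]], now: datetime) -> List[CookieRecord]:
    return [classify(site_host, host, header, now) for host, header in responses]


def tracker_candidates(records: List[CookieRecord]) -> List[str]:
    return [r.name for r in records if r.tracker_candidate]


# Constructed sample: what a browser might receive while loading one page.
SITE = "www.shop.example"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("www.shop.example", "sessionid=7f3a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.shop.example", "prefs=en-US; Max-Age=2592000; Path=/"),
    ("api.shop.example", "csrf=abc; Domain=.shop.example; Path=/"),
    ("ads.tracker.example", "uid=9f1c; Domain=.tracker.example; "
                            "Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/; Secure; SameSite=None"),
    ("cdn.social.example", "fr=xyz; Max-Age=63072000; Path=/; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for rec in inventory(SITE, SAMPLE_RESPONSES, NOW):
        flag = "  <-- review" if rec.tracker_candidate else ""
        print(f"{rec.name:10} {rec.set_by:22} {rec.party}-party {rec.lifetime:10} "
              f"days={rec.days_remaining}{flag}")
```

Running it lists `uid` and `fr` as the cookies to review first: both are set by domains other than the site's own and both persist for roughly two years, which is exactly the combination that lets a third party recognise the same browser across sites.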
CCPA Compliance: Will CPRA change the game?
The CPRA applies to for-profit businesses that had more than US $25 million in gross revenue in the preceding calendar year, or that derive 50% or more of their annual revenue from selling or sharing the personal information of California residents.
It also raised the third threshold: the number of California residents or households whose personal information a business buys, sells or shares each year must now be 100,000 or more, up from 50,000 under the original CCPA.
The CPRA also ended the exemptions for B2B and employee data, and it created the California Privacy Protection Agency (CPPA) as the regulator that enforces the law in California.
The CPRA regulates "sharing" (disclosing personal information for cross-context behavioural advertising) as well as selling, whereas the original CCPA addressed only sales. It also strengthens existing consumer rights and adds new ones, including:
the right to correct inaccurate personal information,
the right to limit the use and disclosure of sensitive personal information,
the right to know how automated decision-making technology is used on their personal information and what its likely outcomes are, and to opt out of such processing.
If your company meets any of the CCPA/CPRA thresholds, you are responsible for every piece of personal information your website collects about California residents through cookies, and for any sale or sharing of it.
Consumers can ask for access to the personal information you have collected about them over the last 12 months, and for its correction or deletion.
You therefore need an accurate inventory of what your website collects, how it collects it, what it is used for, and which third parties receive it.
Automate CCPA Compliance with Adzapier
Our Consent Management Platform (CMP) helps you comply with the CCPA, CPRA, the European GDPR and the ePrivacy Directive, among other laws. Adzapier's CMP benefits your company by:
Scanning your site, identifying third parties, and categorising cookies so that users can be told which cookies collect their data and why, as the CCPA and CPRA require.
Customising the cookie banner for CCPA compliance, including the mandatory "Do Not Sell or Share My Personal Information" link and an opt-in consent banner for minors under 16.
Automating consumer requests end to end, from identity verification to disclosure, correction or deletion of a user's data within minutes, and protecting your business from fraudulent requests.
If you are still trying to figure out your privacy stance, talk to one of our privacy experts and learn why CCPA compliance might be the need of your business today.