California Consumer Privacy Act (CCPA) compliance guide

The California state legislature is serious about privacy, with not one but two privacy laws that regulate websites – the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA). The CCPA is a relatively new law: it went into effect on January 1st, 2020, with an enforcement date set for July 1st, 2020, and it is one of the most comprehensive privacy laws in the United States. In this compliance guide, we will discuss the following with regard to the CCPA:

  • Who this law applies to; 
  • How the CCPA defines personal information; 
  • The privacy rights that this law provides to consumers; 
  • This law’s requirements for Privacy Policies; and 
  • Penalties for failing to comply. 

Who does the CCPA apply to? 

Like most privacy laws, the CCPA has a very broad application in that it can apply to businesses outside of California, reflecting the fact that consumers can submit their personal information to websites all over the world. The CCPA applies to for-profit entities that collect and process personal information of California consumers, that do business in California and that meet one of the following conditions: 

  • Has annual gross revenues in excess of $25,000,000; 
  • Annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices; 
  • Derives 50% or more of its annual revenues from selling the personal information of California consumers. 

As the management of vendors and service providers is crucial to CCPA compliance, it is important to note that your clients may require you to be compliant via contract, even if your business is too small to meet the statutory requirements outlined above. If you do need to be compliant with this privacy law, you are required to have a Privacy Policy that makes certain disclosures or you could be fined or even sued. 

How does the CCPA define personal information? 

Since privacy laws apply to and regulate the collection, use and disclosure of personal information, it is important to understand how these privacy laws define personal information as that will determine whether you need to comply. The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. 

The CCPA can be lovingly nicknamed “the law of categories”, as it requires Privacy Policies to disclose the categories of personal information being collected. The law cites the following categories, with a few examples of personal information for each:

  • Identifiers (e.g. real name, alias, email address, IP address, postal address); 
  • Any characteristics identified in Section 1798.80(e) (e.g. signature, credit card number, debit card number, Social Security Number); 
  • Characteristics of protected classifications under California or federal law (e.g. race, color, religion, sex/gender); 
  • Commercial information (e.g. records of personal property, products or services purchased, obtained or considered); 
  • Biometric information (e.g. image of the iris, retina, fingerprint); 
  • Internet or other electronic network activity information (e.g. browsing history, search history); 
  • Geolocation data; 
  • Audio, electronic, visual, thermal, olfactory or similar information; 
  • Education information, which is defined as information that is not publicly available personal information as defined by the Family Educational Rights and Privacy Act; 
  • Inferences drawn from any of the information above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes. 

If you are collecting any of the personal information described above and the CCPA applies to you, then you need to ensure that you honor the privacy rights that the CCPA provides to residents of California. 

Consumer rights 

The goal of the CCPA is to provide California residents with more control over their personal information by giving them the following privacy rights: 

  • The right to know what personal information is collected about them; 
  • The right to know whether their personal information is sold or disclosed and to whom; 
  • The right to say no to the sale of their personal information; 
  • The right to access their personal information that a business holds about them; and 
  • The right to equal service and price, even if they exercise their privacy rights. 

It is important to note that the CCPA includes a right to be fully informed about a company’s personal information management practices, which means that certain websites need to have a comprehensive Privacy Policy under this law. 

CCPA Privacy Policy requirements

The CCPA requires certain websites to have a Privacy Policy that makes the following disclosures: 

  • A description of the consumer’s rights and one or more methods for exercising those rights; 
  • A list of categories of personal information that you have collected about consumers in the last 12 months by reference to these two lists: 
    • A list of categories of personal information that you have sold in the last 12 months. If you have not sold personal information, then you must state that; 
    • A list of personal information categories that you have disclosed in the last 12 months. If you have not disclosed personal information, then you must state that; 
  • How a consumer can designate an authorized agent to exercise the consumer’s privacy rights on their behalf; 
  • A contact that the consumer can reach out to with any questions or concerns; 
  • The date the Privacy Policy was last updated; 
  • The categories of sources from which you have collected or received the personal information; 
  • The purposes for which you will use the personal information that you have collected; 
  • If you sell personal information, you must also make the following disclosures: 
    • A link to your “do not sell my personal information” page; 
    • What categories of third parties you have sold the personal information to. 

If you annually sell the personal information of 4,000,000 or more California consumers, you also need to include the following disclosures in your Privacy Policy: 

  • What number of requests to know you have received; 
  • What number of requests to delete you have received; 
  • What number of requests to opt out you have received. 

For each of these types of requests, you also need to disclose how many of those requests you complied with in whole or in part and how many you denied. You will also need to disclose the median number of days within which you substantively responded to these requests. Not having a CCPA-compliant Privacy Policy can lead to significant fines and even lawsuits.

Penalties for failing to comply 

The CCPA’s enforcement date is July 1st, 2020, and the law is enforced by the California Attorney General. Fines for non-compliance are $2,500 per violation or $7,500 per intentional violation. The CCPA also includes a private right of action, i.e. the ability for consumers to sue businesses directly over the unauthorized access of their data.

The California Consumer Privacy Act is one of the most comprehensive privacy laws governing the collection, use and disclosure of personal information by websites in the United States. If it applies to you, you need to have a comprehensive Privacy Policy or you could face fines and lawsuits. Use Termageddon’s Privacy Policy generator to get your CCPA-ready Privacy Policy today. Curious about what other privacy laws may apply to your website? Check out our blog post on what laws require websites to have a Privacy Policy.