
The California Consumer Privacy Act (CCPA) may affect how your website is allowed to handle the personal information of Californians.

Try our free website scan to see how your website tracks and handles personal information.

The California Consumer Privacy Act (CCPA) is taking effect on January 1, 2020.

Updated June 22, 2020.


California is the physical frontier of America, where the continent plunges into the Pacific.

With the California Consumer Privacy Act (CCPA), it is now also the frontier of data privacy law in the US.

In this article, we take a close look at the CCPA and how Cookiebot helps your website become compliant.


CCPA compliance with Cookiebot


Cookiebot is a tool that automatically scans your website, finds all cookies and similar tracking technology, and then enables compliance with both the CCPA and the EU's GDPR.

Cookies (especially those from third parties embedded through plugins) can harvest personal information such as names, physical addresses, IP addresses and location data, as well as sensitive personal data such as religious convictions, political opinions and/or sexual orientation.

The CCPA requires that businesses enable California residents to opt out of having their personal information sold to third parties, and that they disclose what data has already been collected and delete it if consumers request it.

Cookiebot enables compliance with the CCPA with a specific configuration that detects whether a user is from California, and then displays the required “Do Not Sell My Personal Information” link on the website's cookie declaration (as seen below).


This is what Cookiebot's CCPA solution looks like for your end users:



Cookiebot's CCPA configuration complying with the CCPA opt out requirements.



Cookiebot CCPA opt in banner enabling businesses to obtain the consent of minors.



Cookiebot CCPA opt in banner, unfolded with details showing cookies and trackers present.



Cookiebot also supports multiple compliance solutions on the same website, so that your website will display different banners depending on where your visitors come from.

This way, visitors from the EU will be presented with a GDPR compliant cookie banner asking for their prior consent, and visitors from California will meet the CCPA compliant cookie declaration with information on what data is being collected and a clear way for them to opt out of having their personal information sold to third parties.



Try Cookiebot free for 30 days... or forever if you have a small website.


CCPA compliance checklist


If you're wondering what it takes to be compliant with the California Consumer Privacy Act (CCPA), here is a checklist for your business and its website.

The list is non-exhaustive, but covers the most central requirements of the CCPA.



Businesses must also update their privacy policy to include:

Try Cookiebot free for 30 days and become compliant with the California Consumer Privacy Act (CCPA)



CCPA – the right to opt out


The CCPA gives the consumer the right to demand that a business not sell their personal information to third parties (CCPA; 1798.120). If such a request is received, the business is prohibited from selling the user's personal information.



The right to opt out of the surveillance markets of ad tech companies is a right of the people, according to the California Consumer Privacy Act.



CCPA’s definition of “personal information”

Personal information is defined in the CCPA as “information that identifies, relates to, describes or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”


Personal information in the CCPA includes:

Learn more about personal information under the CCPA



"Opt out" simply means that a consumer can choose to direct a business to stop the sale of their personal information to a third party.


Compliance with the right to opt out

A business must provide a clear link on their website with the title “Do Not Sell My Personal Information” (CCPA; 1798.135.a.1).

This link must not require the consumer to create an account in order to direct the business to not sell their data.

If the consumer is under the age of 13, businesses are not allowed to sell their personal information unless first authorized by parents or legal guardians.

If the consumer is between the ages of 13 and 15, businesses are not allowed to sell their personal information unless they have first opted in.

The CCPA prohibits discrimination against consumers based on their choice to exercise their rights.

This means that if a consumer chooses to opt out of the selling of their data to third parties, or if they request that their data be deleted, a business is not allowed to then, for example, charge different prices for services, provide different levels or quality of services, or deny the consumer services (CCPA; 1798.125.a).

However, the CCPA does authorize businesses to offer financial incentives, e.g. different prices and quality of service, for the collection, sale or deletion of personal information, if the differences are reasonably related to the value provided to the business by the consumer’s data (CCPA; 1798.125.a.1.b).

Try Cookiebot free for 30 days to prevent collection and selling of your users’ data.



CCPA – the right to request disclosure


The CCPA grants the consumer “the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected” (CCPA; 1798.100.a).



A GDPRization of the world means that Californians now have their own privacy law.


A consumer has the right to access and obtain a copy of the personal information that has been collected on them by a business in the past 12 months.

The CCPA specifies that consumers have the right to request the disclosure of (CCPA; 1798.110/115):


Compliance with "the right to request disclosure"

The request for disclosure has to be verifiable before the business has to provide the information (CCPA; 1798.100.c).

If verifiable, a business must promptly take steps to disclose and deliver, free of charge, the personal information to the consumer (CCPA; 1798.100.d).

The business must make available two or more methods for submitting requests (CCPA; 1798.130.a.1), and disclose, free of charge, the required information within 45 days of receiving the verifiable request (CCPA; 1798.130.a.2).

To be CCPA compliant, a business also needs to update its privacy policy to include:

Try Cookiebot free for 30 days to protect your users' data from third party sales.


CCPA's definition of "business"

In the CCPA, a business is an umbrella term that includes companies, corporations, associations, partnerships or any other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.

However, to be regarded as a business under the CCPA, a company has to meet at least one of the three following attributes (CCPA; 1798.140.c):

This means that if you have a small business that makes under $25 million a year, or if less than half of your business income relies on selling personal information to third parties, or if your business does not sell more than fifty-thousand Californians’ personal information, the CCPA does not apply to you.

However, if your business shares common branding with a company that meets one of the above-mentioned thresholds, your business will be subject to CCPA compliance.

Common branding means that a business shares a name, service mark or trademark with another business.



CCPA - the right to request deletion


The CCPA grants the consumer “the right to request that a business delete any personal information about the consumer which the business has collected from the consumer” (CCPA; 1798.105.a).

It specifies that “a business that collects personal information has to disclose the consumer’s rights to request the deletion of the consumer’s personal information” (CCPA; 1798.105.b).


CCPA’s definition of “collection”, “sale”, and “deletion”

The CCPA defines collection as anything that relates to access of personal information, actively or passively.

In other words, intentional and passive collection of personal information, such as IP addresses or other online identifiers, counts as collection.

Sale/selling is defined as any sharing, disclosure or sale of personal information with a third party in exchange for money or other value.

Deletion is pretty straightforward. It means permanent erasure of personal information as requested by the consumer.

A business has to make it clear to the consumers that they have the right to request their data to be deleted. It must describe this right and how to exercise it.



CCPA - household data


One of the main areas of ambiguity in the California Consumer Privacy Act has to do with the definition of data, specifically the two categories of “individual data” and “household data”.

Household data is not itself defined in the CCPA.

On June 1, 2020, the final proposed regulations for CCPA enforcement were published by the Office of the California Attorney General, and they define household as: a person or group of people who

  1. reside at the same address,
  2. share a common device or the same service provided by a business,
  3. are identified by the business as sharing the same group account or unique identifier.


What is "household data" and how is it different from "individual data"?

Household data is a type of personal information that will be defined by the Attorney General.



The final proposed regulations also clarify that if a household does not have a password-protected account, the business is not required to comply with a request for access or deletion of personal information, unless the following conditions are met:

1. All consumers in the household jointly request access to specific pieces of personal information.

2. All members of the household can be individually verified.

3. All members making the request are still members of that household.

The Office of the California Attorney General is still committed to start enforcing the CCPA on July 1, 2020, but the final proposed CCPA regulations still need to be approved by the OAL (Office of Administrative Law).


CCPA vs GDPR, California & Europe compared


So how does the California Consumer Privacy Act fare against its European equivalent, the General Data Protection Regulation that came into effect in May 2018?


Reminder: what is the GDPR?

The General Data Protection Regulation (GDPR) is a European law that has global jurisdiction, in the sense that it protects the personal information and user data of all European citizens, regardless of where in the world the website or business handling the EU user data is located.

Check if your website is GDPR compliant for free.

The crux of the GDPR is that websites and businesses must obtain clear and unambiguous consent from their users prior to any processing of personal data, after specifying all types of cookies and other tracking technology present and operating on their pages. It also requires that they safely and confidentially document each user consent.



European privacy law differs on a vital point from its Californian counterpart.



The scope of the GDPR is large: it deals with all types of data (i.e. not only personal information) and with how companies and organizations have to secure transparency and document user consent.


Consent vs request: the main differences between CCPA and GDPR

The clearest and most consequential distinction between the European and Californian laws is at the point of consent.

The GDPR grants the user the right of consent, meaning that their data cannot be used until the user gives their consent to do so.

This consent can be given in different ways, but the crux of it is that under the GDPR prior consent is demanded by law.



Cookiebot's GDPR compliance banner for EU visitors.



Now, in the CCPA nothing of the sort is stated.

A business does not need prior consent to handle personal information, nor does a website need to obtain user consent to sell their data to third parties.

What the CCPA does is grant the consumer the right to request disclosure, deletion, or that a business stop selling their information. But this happens after the fact of both collection and sale.

Where the GDPR creates a door for the consumer to lock, the CCPA creates a window for the consumer to open in order to know what of their personal information might already have been obtained by a business.

The GDPR is a prevention, whereas the CCPA is a means to transparency and then deletion (of data collected in the past 12 months).



CCPA enforcement 2020


Final proposed regulations from California AG June 2020

On June 1, 2020, the Office of the California Attorney General published the final set of proposed regulations for the enforcement of the California Consumer Privacy Act (CCPA).



How strong will CCPA enforcement be?



The final regulations have to be reviewed and approved by the OAL (Office of Administrative Law) before they can be put into effect, but the Attorney General is still aiming for an enforcement date on July 1, 2020.


Battle for a federal US data protection law

Another uncertain element in the enforcement of the CCPA is the possibility that a federal law will be passed and enforced in all of the US.

This could potentially override state-level regulations, such as the CCPA, and create a whole new landscape of higher legal authority.

Latest federal US data privacy law draft published on June 19, 2020 by Senator Brown of Ohio



Tech companies are still lobbying for more relaxed federal privacy laws.



This could also lead to a weaker nationwide version of stronger state-level laws, like the CCPA.

This is in the interest of Silicon Valley, obviously, which actively lobbied against the CCPA.

The fear of privacy activists and consumer groups, as well as the authors and sponsors of the CCPA, is that a federal law can seem like a victory, in that it ensures uniform law in all of the US, while in fact being a loss for consumers, because these uniform federal laws might settle on a weaker privacy level than the CCPA.

The hopes of privacy activists are also, paradoxically, that a federal law could do better than California’s.

Their hope is that California will be the lower bar upon which a federal privacy law might build, rather than undercut.

As California goes, so goes the nation, as the old American saying puts it.

Or as Alastair Mactaggart said, when visiting Washington to meet with key senators and Trump administration officials on the matter: “California leads, the others follow”.

Protect your end users' digital privacy with Cookiebot for free today.



The grassroots story behind the CCPA


In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people.

Four decades later, the CCPA (California Consumer Privacy Act, Assembly Bill No. 375) took effect on January 1, 2020.

The California Consumer Privacy Act began as a bottom-up, grassroots initiative by unlikely privacy activists, spearheaded by a millionaire real estate developer, a former CIA analyst, an industry executive and a Pulitzer Prize-winning journalist who worked on the Snowden leaks for the Washington Post.



The CCPA started as a citizen ballot initiative in San Francisco and Oakland.



Californians for Consumer Privacy is led by San Francisco real estate developer Alastair Mactaggart, who drafted a ballot initiative on consumer privacy protection to fill the legal void.

“Tell me what you know about me. Stop selling it. Keep it safe”, as Alastair Mactaggart summarized the proposal.

With the revelations of the Facebook/Cambridge Analytica scandal, the California ballot initiative suddenly got a strong wind at its back.



Californians for Consumer Privacy gathered more than 600.000 signatures for the support of what would eventually become the CCPA.



A ballot initiative is a way for the Californian public to legislate bottom-up, by drafting a proposal for a law and securing enough signatures (eight percent of the people who voted in the last gubernatorial election) for the proposal to then become a part of the November general election ballot in that specific state. Voters then have to choose yes or no on the same day that they vote for president or congress.

In the case of the CCPA, Mactaggart spent $3 million of his own money to raise more than 600.000 signatures for the proposal (which was a stronger and tougher version than what would eventually become the CCPA), and thus secured a spot on the general election ballot to be held in November 2018.



Compromised: how the tech industry changed the CCPA

With the threat of a strong privacy law passing with a majority of citizen votes in the November general election 2018, the tech industry started lobbying heavily against the ballot version of the CCPA.



Facebook lobbied heavily against the CCPA.



One of the biggest fights between the ballot authors and the tech industry, specifically Facebook, was the so-called private right to action.

It was originally a right that authorized consumers to sue businesses and companies for any violation of the law, not just data breaches. The tech industry was very pronounced in its opposition, fearing vast liability risks:

“We support more disclosure in principle, but the stakes are just much higher with the private right of action”, said Will Castleberry, Vice President for state and local policy at Facebook.

Google, Facebook, Verizon, Comcast and AT&T each contributed $200.000 to a committee opposing the proposed ballot measure.

It was also estimated that they would spend around $100 million to campaign against the proposal come the November general election of 2018.

So, the initiative was watered down to only include a private right to action in the case of data breach (unauthorized access, theft etc.).

The CCPA was then drafted by Mactaggart, co-written and sponsored by two Democratic lawmakers, raced through the State Legislature, passed unanimously and signed into law by the Governor of California on Thursday June 28, 2018, all in less than one week.

Its co-author Assemblyman Ed Chau has called it “GDPR light”.



Data is the new oil…  if oil was alive


The tech industry is often compared to the oil industry of a hundred years ago: unregulated, monopolistic and too powerful.

Data is the new oil, the fuel of the 21st century, they say.



California has always been the frontier of opportunity and business.

Once it was “gold”, then it was “oil”, now it is “data”.



This is an apt comparison in many ways, since both the gold rush and the oil boom of the last centuries began in Southern California. But it leaves out a very important distinction that is critical to keep in mind:

Where oil is an inanimate resource that powers machines, data is the mapping of human behavior that powers digital infrastructures of probability in order to predict and make predictable the experience of being a person.

It is this collection and monetization of our inner and outer lives that has made Silicon Valley a force parallel to nation states in power and wealth.

Where the unregulated oil industry made a few men very rich and as a consequence very powerful, the unregulated tech industry is making a few men very rich and very knowledgeable, and as a consequence immensely more powerful than the oil tycoons of the last century.

This knowledge is the collective behavioral patterns of societies and the private inner lives of billions of people.

The collection and monetization of said knowledge has ushered in the era of surveillance capitalism in which, according to Harvard Business School professor Shoshana Zuboff, “the economic imperatives compel the leading tech companies to enter a collision course with democracy.”


Well, democracy is fighting back.


The CCPA applies specifically to the Golden State, it is not a federal law – but California is also the world’s fifth largest economy and the consensus is that the CCPA will likely mark the standard for privacy rights nationwide and that companies will comply with the CCPA across the U.S.

The CCPA is undoubtedly a historic landmark for digital privacy in the U.S.

Google and Facebook are still free to use. With the CCPA, Californian citizens are no longer free for Google to use.



FAQ


What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state-wide law that governs the collection, sharing and selling of personal information from California residents. It requires businesses to notify consumers if their PI is collected, to enable consumers to opt out of having their data shared or sold to third parties, and to make it possible for consumers to access and have deleted already collected PI.

Learn more about CCPA compliance with Cookiebot


What is personal information under the CCPA?

The CCPA defines personal information (PI) as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes names, addresses, social security numbers, driver’s license, passport information, biometric data such as face, retina, fingerprints, DNA, voice recordings, and sensitive information such as religious beliefs, political convictions and sexual preferences.

Learn more about CCPA and personal information


What does the CCPA say about website cookies?

The CCPA defines cookies, IP addresses, browser and search history and other online identifiers (such as web beacons and pixel tags) as personal information. Cookies often work by generating unique identifiers on individual users that can be used to identify them. Websites that use cookies – particularly third-party cookies – must be aware and careful about being compliant with the CCPA.

Learn more about CCPA and cookies


How can I control cookies on my website?

Cookies are difficult to control, since they often load other third-party cookies that can change on repeated visits. Using a consent management platform can help your website detect all cookies and trackers in operation and control them in a way that makes you compliant with both the CCPA and GDPR.

Try Cookiebot free for 30 days to control your website’s cookies.


