Updated November 30, 2020.
The California Consumer Privacy Act (CCPA) sets out specific requirements for how businesses around the world are allowed to handle the personal information of California residents.
The California Consumer Privacy Act (CCPA) is a state-wide law that took effect on January 1, 2020 and governs the collection, processing and selling of California residents’ personal information (PI).
The CCPA empowers California residents (known as consumers in the law) with the:
If a company or organization meets the CCPA definition of business, it is obligated to operate in compliance with the law when handling the PI of California residents – no matter where in the world the business itself is located.
On August 14, 2020, the final CCPA regulations took effect and form the basis for the Attorney General’s enforcement, which has already begun.
The CCPA regulations specify the practical and technical aspects of how to become compliant with the law.
On November 3, 2020, the California Privacy Rights Act (CPRA) was passed into law in the General Election.
The California Privacy Rights Act (CPRA) is a new state-wide data law that will amend the existing CCPA setup – expanding rights for California residents, creating additional obligations for businesses and establishing the new CPPA government enforcement authority.
The California Privacy Rights Act (CPRA) will take effect on January 1, 2023 and will be enforced from July 1, 2023 – but will have a so-called “look-back period” to data collected and shared from January 2022.
Cookiebot is a consent management platform (CMP) that enables compliance with the CCPA, the EU’s GDPR and other data privacy laws through technology that deep-scans your website to uncover all cookies and trackers present.
This way, you can know exactly what personal information your website collects, for what purposes, which third parties it shares it with – and take control for compliance.
Cookiebot enables CCPA compliance, including the required Do Not Sell link.
It’s the way you tell your users from California what happens to their data when they visit your website, and the way you let them know what rights they have in this online exchange, including how they can exercise their rights when it comes to your business.
It’s very important that your CCPA privacy notice includes all the required content, otherwise you are not in compliance with the law.
A CCPA privacy notice requirement is also that your users have easy access to it from your website’s front page. This can be a link in the footer of your front page. More on this below.
Okay, let’s take a more detailed look at these requirements.
One of the clear CCPA privacy notice requirements is that it has to be available for consumers through a conspicuous link on your website’s front page, i.e. clearly visible and accessible for your users.
Another requirement of the California law is that your CCPA privacy notice is updated at least once every twelve months.
Most CCPA privacy policies therefore have a last updated header or footer to inform the consumers that the content they are reading is correct and up to date.
One of the reasons that a CCPA privacy notice needs to be updated is because it is a requirement of the law that consumers are made aware if your business starts collecting new categories of personal information, or if it starts collecting PI with a different purpose than before.
You must also tell your user how to exercise the disclosure, deletion and opt out rights. This is another important CCPA privacy notice requirement.
Consumers must send a verifiable consumer request, commonly through a link on your website, by calling your business or sending you an e-mail.
Let your users know clearly what their rights are and how they can exercise them in relation to your business.
The CCPA specifies that California residents must get a notice at collection, i.e. your users must be informed at or before the point of collection about the categories of PI that you collect and the purposes for which you collect them.
It is central to the CCPA privacy notice that a business lists exhaustively all categories of personal information it has collected in the last 12 months.
A common way of categorizing personal information in CCPA privacy policies is between –
This means that you must, in your CCPA privacy notice, tell your users where you collect the different categories of PI from.
A common list of sources would include third-party implementations (such as Google Analytics), affiliates, customers, publicly available sources, resellers, partners, vendors, suppliers, data brokers, service providers and so on.
You must of course list specifically who these sources are, not just say that “you collect PI”.
Tell your Californian users why you collect their personal information, and what you intend to use it for.
Common purposes for PI collection include:
Additionally, consumers have the right to be informed every time a business begins collecting new forms of personal information, or if they start collecting personal information for new purposes.
Do you share personal information with Google or Facebook or other third parties through plugins and cookies on your website? You need to tell your Californian users about this.
Check out these CCPA privacy notice templates if you’re in doubt of how to write yours.
If you don’t know what third party cookies and trackers your website harbors, try Cookiebot for free today.
Not only do you have to disclose all third parties with whom you share or sell personal information in your CCPA privacy notice, you must also feature a Do Not Sell My Personal Information link on your website.
Cookiebot’s cookie declaration for websites seeking CCPA compliance.
This CCPA mandatory link will enable consumers to exercise their perhaps most famous CCPA right: the right to opt out of having their personal information sold to third parties.
Additionally, you have to disclose to consumers what categories of PI your business has sold to third parties in the last 12 months.
Selling has a broad definition in the CCPA that includes disclosing or sharing personal information in exchange for money or other things of value.
To be on the safe side, a list of the PI you have sold in the last 12 months should include the categories of PI that you have disclosed to third parties, e.g. through third party cookies on your website.
You will need to deep-scan your website in order to know all third-party cookies and trackers that are embedded on your website.
A 2020 study on website tracking shows the unsettling reality of third-party tracking:
Try Cookiebot’s deep-scanning technology today to uncover all cookies and similar trackers on your website.
But remember, don’t copy-paste.
The California Consumer Privacy Act (CCPA) is a data privacy law that governs the personal information of California residents and how businesses are allowed to collect, share and sell that information. The CCPA empowers California residents with a set of rights over their own personal information, such as the right to opt out of third-party data sales and the right to have collected PI deleted. The CCPA also sets out specific rules for how businesses are allowed to handle the personal information of California residents.
The CCPA defines a business as a company that meets at least one of the following three thresholds: 1) it has an annual gross revenue exceeding $25 million, 2) it derives 50% or more of its annual revenue from selling the personal information of California residents, or 3) it buys, receives, sells or shares the personal information of 50,000 or more California residents annually. A company doesn’t have to be based in California to be liable under the CCPA – if a company in Texas or Europe meets any of the three thresholds above, it must live up to the CCPA requirements for compliance.
The CCPA empowers California residents with the following rights: the right to opt out of having their personal information sold to third-parties, the right to be informed of data collection, sharing and selling, the right to disclosure of what kind of personal information has been collected on them, the right to have already collected data deleted, and the right to equal services and prices regardless of whether they choose to exercise any of these rights.