California Consumer Privacy Act (CCPA)

This blog post walks through some parts of the CCPA regulations that your business should be aware of – plus a simple and automatic way to become CCPA compliant.

Updated March 25, 2021.

On August 14, 2020, the final CCPA regulations were approved and took effect immediately. This means that enforcement of the CCPA is in effect with the Attorney General’s Office as the lead supervisor.

Additional CCPA regulations took effect on March 15, 2021 that further clarify important requirements for your website’s CCPA compliance.

Quick summary

What are the CCPA regulations?

The CCPA regulations are a set of detailed clarifications and instructions that specify the practical and technical aspects of how your business obtains compliance with the California Consumer Privacy Act (CCPA).

A set of final CCPA regulations took effect on August 14, 2020 (pdf) and an additional set of amendments and modifications took effect on March 15, 2021 (pdf).

If the CCPA is a legal landscape, then the CCPA regulations are the map, giving detailed directions for navigating California’s data privacy law and showing exactly how to be in compliance with its key provisions, such as providing compliant methods for consumers to submit requests and the correct ways of responding to such consumer requests.

With the approval of the CCPA regulations, enforcement of the California Consumer Privacy Act (Act) begins.

If your business hasn’t already become compliant with the CCPA, now is the time to make sure you do.

Become CCPA compliant with Cookiebot consent management platform (CMP)

Scan your website to see if you process data in California

What do the CCPA regulations say?

The CCPA regulations describe in detail the ways in which your business must set up its CCPA compliance, in particular regarding –

  • Notifying consumers of collection
  • Notifying consumers on how to exercise their rights
  • How to set up request submissions and how to respond
  • How to verify consumer requests
  • How to offer financial incentives vs what constitutes discrimination
  • Rules concerning consumers under the age of 13
  • Rules concerning consumers aged 13-16.
CCPA regulations map the practical and technical aspects of CCPA compliance for your business, while Cookiebot CMP provides fully automated CCPA cookie compliance for your website.

Learn more about CCPA compliance with Cookiebot CMP

Learn more about the CCPA and website cookies

How do the CCPA regulations affect my website?

The CCPA regulations are the road map for your business on how to navigate the CCPA and its key provisions.

The CCPA regulations have a huge impact on the daily, digital aspects of your business – e.g. the practical circumstances of collecting personal information (PI) and the practical aspects of responding to consumers exercising their rights over this personal information, collected by you and/or shared with third parties.

With the CCPA regulations, your business is able to make sure that it creates the right setup and framework on its website, in apps or offline for consumers to request access, deletion and opt-outs and for you to respond to such requests in a compliant way.

Overall, the CCPA regulations mandate transparency from your website to its users.

The CCPA requires you to be completely open to consumers about what cookies and trackers are in operation on your website collecting and sharing their personal information.

The CCPA also requires you to be able to take control of your website’s data collection and sharing if consumers opt-out.

Scan for free to see what cookies and trackers are in use on your website

Try Cookiebot CMP free for 14 days – or forever if you have a small website

CCPA Compliance with Cookiebot CMP

Cookiebot CMP is a world-leading consent management platform built around a powerful scanning technology that automatically detects and takes control of all cookies, trackers and trojan horses on your website.

Cookiebot CMP does this by simulating real-life users, clicking, scrolling and doing all possible human interactions with your website, to activate all first- and third-party cookies and trackers.

Once all cookies and trackers are detected, Cookiebot CMP automatically puts you and your end-users in control of how personal information collection should happen on your domain.

Cookiebot CMP is cloud-based and highly automated and offers full plug-and-play compliance with GDPR/ePR, CCPA, LGPD and more data privacy laws.

Cookiebot CMP plug-and-play CCPA compliance for your website enables consumers to opt-out of third-party data sales.

Cookiebot CMP provides your website with plug-and-play CCPA compliance by:

  • Detecting all cookies and trackers – even the hidden trojan horses
  • Automatically taking control of all cookies and trackers
  • Informing consumers of all cookies and third-party trackers in operation on your website through an exhaustive cookie declaration for total transparency
  • Showing what types of personal information your website collects
  • Revealing the purposes for each category of collection
  • Featuring a Do Not Sell My Personal Information link for consumers to opt-out of third-party data sales.

Cookiebot CMP has worked since 2012 for more privacy and transparency on our digital infrastructures – respecting the individual user and their private lives without breaking the economic model of the Internet.

Try Cookiebot CMP free for 14 days for full CCPA compliance – or forever if you have a small website.

CCPA regulations in detail

Let’s take a closer look at some of the most important aspects of the CCPA final regulations that have a direct impact on your business’ handling of personal information on its website, app and offline.

The following list is a non-exhaustive walkthrough of the CCPA regulations and is not meant as legal guidance.

The CCPA regulations clarify the following important aspects of the CCPA –

  • Requirements for notices in general
  • Requirements for notice on collection
  • Requirements for notice of right to opt-out
  • Requirements for submitting requests
  • Requirements for verifying requests
  • Requirements for requesting opt-out
  • Requirements for financial incentives
  • Requirements for dealing with consumers under age 13
  • Requirements for your website’s privacy policy.

The final CCPA regulations in text (pdf)

Additional CCPA regulations from March 15, 2021 (pdf)

List of modifications made to the final CCPA regulations from earlier drafts

Learn more about CCPA and cookies

Notices to consumers

CCPA regulations on notices in general –

On notices to consumers, the CCPA regulations specify the practical and technical aspects of how your business becomes compliant with the CCPA’s requirements for telling consumers what kind of personal information you collect, how and for what purposes.

Every business that seeks compliance with the CCPA must provide several notices on their website, in mobile apps and offline, if relevant – including notice of collection, notice of the right to opt-out, notice of financial incentives (if any), a privacy policy and more.

On the formatting of notices to consumers, the CCPA regulations specify that –

  • All notices must use plain, straightforward language and avoid technical or legal jargon
  • All notices must be formatted in such a way as to draw the consumer’s attention
  • All notices must be readable, including on smaller screens
  • All notices must be available in the languages that the business ordinarily uses
  • All notices must be accessible to consumers with disabilities
  • A business that collects personal information from a consumer shall provide a notice at collection
  • A business that sells personal information shall provide a notice of right to opt-out
  • A business that offers a financial incentive or price or service difference shall provide a notice of financial incentive.
California residents have the right to be notified when you collect or share their personal information.

The following notices are required by the CCPA regulations from your business –

  • Notice at collection, i.e. the notice given by your business to a consumer at or before the point at which a business collects personal information from the consumer
  • Notice of right to opt-out, i.e. the notice given by your business informing consumers of their right to opt-out of the sale of their personal information
  • Notice of financial incentive, i.e. the notice given by your business explaining each financial incentive or price or service difference (i.e. any difference in the price or rate charged for any goods or services to any consumer related to the collection, retention, or sale of personal information).

Scan your website for free to see what cookies and trackers share PI with third parties

CCPA regulations on the notice of collection –

The purpose of the notice at collection is to provide consumers with a timely notice at or before the point of collection about what kind of personal information you will collect and the purposes for which that personal information will be collected and used.

This is one of the core pillars of the CCPA, summarized here by its author and co-sponsor Alastair Mactaggart as “Tell me what you know about me. Stop selling it. Keep it safe.”

In other words, telling consumers about your website’s collection, handling and sharing of personal information is the core of the CCPA.

The CCPA regulations specify that a notice at collection –

  • Must include a list of the categories of personal information about consumers to be collected
  • Must specify the business or commercial purposes for which the categories of personal information will be used
  • Must include a link titled “Do Not Sell My Personal Information” if the business sells personal information
  • Must include a link to the privacy policy of the business
  • If collection happens online, the business should provide a link to the notice on the landing page of their website
  • If collection happens through an app, it should provide a link to the notice in the app (e.g. via the settings menu) and on the download page of the app
  • If the business collects personal information through an app for a purpose that the consumer would not reasonably expect, the business must provide a summary of the categories of personal information being collected and a link to the full notice at collection.

If a notice of collection is not given to the consumer at or before the point of collection, your business is not allowed to collect personal information from the consumer.

Become CCPA compliant with Cookiebot CMP free for 14 days (or forever, if you have less than 50 subpages)

CCPA regulations on notice of right to opt-out –

Another key part of the CCPA – perhaps its most famous too – is the consumer right to opt-out of having their personal information sold, shared or disclosed to third parties, such as ad tech companies who use it for profiling and behavioral advertisement.

The CCPA regulations specify that the notice of right to opt-out must include a description of the consumer’s right to opt-out and an interactive form by which the consumer can request opt-out, including instructions for the opt-out method.

In addition, the CCPA regulations from March 15, 2021 provide a uniform opt-out icon that your website can use, plus requirements for its look and size on your domain. Note that this icon cannot be used instead of posting the notice of right to opt-out, only in addition to it (see Section 999.306.f.1 of the March 15, 2021 additional CCPA regulations).

Visit the Attorney General’s website to download the opt-out icon

California residents are entitled to opt-out of any future sales, sharing or disclosure of their PI by your business. Cookiebot CMP enables fully automated CCPA compliance for your website.

A “Do Not Sell My Personal Information” link must be featured on your business’ website homepage or the download and/or landing page in an app (or in the settings menu of the app).

The additional CCPA regulations from March 15, 2021 also spell out in further detail how your website’s methods for letting users submit their opt-out requests need to be easy and require minimal steps.

They include a list of examples of how not to format your opt-out request method, including examples of nudging, double-negatives, non-compliant requirements for the user and more (see Section 999.315.h of the CCPA regulations from March 15, 2021).

Become CCPA compliant with Cookiebot CMP free for 14 days – or forever, if your website is small.

CCPA regulations on notice of financial incentives –

If your business offers financial incentives, e.g. different prices or rates in return for the collection of consumers’ personal information, make sure to provide a notice prior to consumers opting-in to these.

Your notice on financial incentives must include:

  • A summary of the financial incentives or different prices or rates offered
  • A description of the financial incentives, including the categories of personal information that are implicated by the financial incentives
  • How the consumer can opt-in to the financial incentive and a statement of how the consumer can withdraw from it at any time
  • How the financial incentive is reasonably related to the value of the consumer’s personal information.

Requests from consumers

CCPA regulations on how to submit requests in general –

The California Consumer Privacy Act (CCPA) is the first data privacy law in the US to create rights for citizens to the personal information they generate every day online.

In turn, the CCPA regulations clarify the practical and technical aspects of how your business must enable consumers to exercise their rights, e.g. by submitting requests to your business to access or delete collected personal information, or to opt-out entirely of any selling, sharing or disclosure of their personal information that your business might make to third parties.

CCPA regulations map the practical and technical aspects of CCPA compliance for your business, while Cookiebot provides fully automated CCPA cookie compliance for your website.

There are three main requests that consumers can make to your business based on the CCPA:

  • “Request to delete” means a consumer request that a business delete personal information about the consumer that the business has collected from the consumer.
  • “Request to know” means that a consumer requests that your business disclose the personal information it has collected about them in the past 12 months, including: specific pieces of personal information, categories of personal information, categories of sources from which the personal information is collected, categories of personal information that the business has sold or disclosed for a business purpose, categories of third parties to whom the personal information was sold or disclosed for a business purpose, and the business or commercial purpose for collecting or selling personal information.
  • “Request to opt-out” means a consumer request that a business not sell the consumer’s personal information to third parties.

The CCPA mandates different approaches for how your business must enable consumers to submit requests – these differences have to do with whether your business operates exclusively online and which type of request the consumer is making.

How consumers should be able to submit requests

If your business operates exclusively online, providing an email address is enough as a valid method for consumers to submit requests to your business, e.g. to know what personal information you have collected or to have collected data deleted.

If your business doesn’t operate exclusively online, you must provide at least two ways for consumers to request access, including a toll-free telephone number. This means, for example, an email address on your website and a toll-free telephone number for consumers to call, if they don’t interact with your business through its website.

If consumers only wish to request deletion of collected personal information and not request access, your business must still provide at least two methods; however, it doesn’t have to be a toll-free number, but can be a link on your website, an email address etc.

It is important to note that your business is not allowed to disclose a consumer’s social security number, driver’s license, bank account number, health insurance identification number, account passwords or unique biometric data, among others.

However, your business must tell whether it has collected such personal information or not.

Become CCPA compliant with Cookiebot CMP free for 14 days (or forever, if your website has less than 50 subpages)

CCPA regulations on verifying consumer requests –

Your business must establish, document, and comply with a reasonable method for verifying that the consumer making the request (e.g. a request to gain access to collected data or to have it deleted) is in fact the consumer whose personal information your business has collected.

The CCPA regulations suggest that you –

  • Match the identifying information provided by the consumer to the personal information of the consumer already maintained by your business or use a third-party identity verification service that complies with this section
  • Avoid requesting additional personal information from the consumer for verification purposes
  • Have more stringent verification processes for requests that deal with sensitive or valuable personal information.
The CCPA regulations say that third-party identity verification services are valid for your business to use, i.e. independent companies offering the service of verifying the identity of the consumer making a request to your business.

The additional CCPA regulations from March 15, 2021 also specify how your business may require an authorized agent to provide verification of a consumer request, as well as details of what you may require from a consumer in order for them to verify their request (see Section 999.326 in the CCPA regulations from March 15, 2021).

The CCPA regulations also suggest that businesses may use a two-step request process for deletion, whereby the consumer submits their request and then subsequently confirms that they wish their personal information deleted.

Requests cover the last 12-month period of collection.

Your business must confirm received requests within 10 business days and tell the consumer about your process for handling the request, e.g. the verification process and estimated time of response.

A consumer request to access or delete their personal information must be handled within 45 days.

Become CCPA compliant with Cookiebot CMP free for 14 days – or forever if you have a small website.

CCPA regulations on requests to opt-out –

One of the core features of the California Consumer Privacy Act (CCPA) is the right of consumers to opt-out of having their personal information sold, disclosed or shared to third parties.

The CCPA regulations specify that businesses must provide at least two ways for consumers to request opt-out, including the mandatory “Do Not Sell My Personal Information” link on websites and in apps. Other ways include email addresses, toll-free numbers and more.

If consumers use global privacy controls, such as browser privacy settings and plug-ins, these must be treated by your business and its website as a valid request to opt-out.

Cookiebot CMP enables CCPA compliance through automated control of cookies and trackers, including the CCPA-specific opt-out link for California residents.

Your business must respond to an opt-out request within 15 business days.

If consumers want to opt-in again after having opted out, your business must use a two-step verification process: the consumer requests opt-in and then subsequently confirms their choice.

Financial incentives

CCPA regulations on financial incentives vs discrimination –

The CCPA regulations clarify how the CCPA, especially its options for offering financial incentives, is not to be used in discriminatory ways towards consumers by your business.

The CCPA’s main point is that discrimination is taking place if a business treats a consumer differently because they exercised one of their CCPA rights, e.g. the right to opt-out of third-party data selling and sharing.

The CCPA regulations have several examples of this, e.g. a music streaming platform that offers two plans: one free and one premium.

If, the CCPA regulations speculate, the streaming platform only allows paying consumers to opt-out of third-party personal information sales, discrimination is taking place, and your business is non-compliant.

While financial incentives are legal under the CCPA, discrimination of consumers and their rights to data privacy is not.

The key point about financial incentives in the CCPA is that your business is only allowed to offer them (or price differences or different rates) if they are reasonably related to the value of the consumer’s data.

The CCPA regulations clarify this by listing in detail how to calculate the value of consumer data.

In calculating the value of consumer data, your business must take into account at least one of the following methods:

  • The marginal value to the business of the sale, collection, or deletion of a consumer’s data.
  • The average value to the business of the sale, collection, or deletion of a consumer’s data.
  • The aggregate value to the business of the sale, collection, or deletion of consumers’ data divided by the total number of consumers.
  • Revenue generated by the business from sale, collection, or retention of consumers’ personal information.
  • Expenses related to the sale, collection, or retention of consumers’ personal information.
  • Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference.
  • Profit generated by the business from sale, collection, or retention of consumers’ personal information.
  • Any other practical and reasonably reliable method of calculation used in good faith.

Consumers under 13

CCPA regulations on consumers under 13 years –

If your business has consumers under the age of 13, you must only sell, disclose or share their personal information after having obtained their opt-in to such. The CCPA regulations specify that this can be done in several ways:

  • Through a consent form signed by the parent or guardian.
  • Have parents or guardians video call, communicate in-person or call a toll-free number staffed by trained personnel.
Minors must opt-in by default to third-party data sales, not opt-out as adult California residents.

If the consumer is between the ages of 13 and 16, they must also opt-in before you are allowed to sell, share or disclose their personal information – however, no parent or guardian is needed in the process.

Requirements for privacy policies

CCPA regulations on how to craft your website’s privacy policy

Your privacy policy is your business’ statement on matters of user privacy, handling of data and so on.

Your privacy policy must inform consumers of the collection, use, disclosure, and sale of personal information, and of the rights of consumers regarding their own personal information.

Your website’s CCPA privacy policy must be available online through a link on the homepage.

A CCPA privacy policy must include (non-exhaustive list):

  • Notices of right to know about personal information collected, disclosed or sold
  • Notice of right to request deletion
  • Notice of right to request opt-out
  • How to exercise these rights
  • What categories of personal information your business has collected, including sources and purposes for collecting
  • Whether your business sells personal information and if so the purposes for selling and the third parties that it has sold to.

Learn more about the CCPA and your website’s privacy policy

Summary

So, what now?

The final CCPA regulations have been approved by the Office of Administrative Law and enforcement by the Attorney General of California has begun!

Additional CCPA regulations took effect on March 15, 2021.

Cookiebot CMP offers CCPA compliance when it comes to your website’s cookies and tracking, along with compliance with the EU GDPR/ePR, Brazilian LGPD and more data privacy laws around the world.

Sign up to Cookiebot CMP free for 14 days to experience plug-and-play compliance for your website

Scan your website to see what cookies and trackers are in operation

FAQ

What is CCPA?

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that governs the collection, sharing and selling of the personal information of California residents. It took effect on January 1, 2020 and enforcement began in August 2020.

Learn more about CCPA compliance

What are the CCPA regulations?

The CCPA regulations are a set of clarifications and instructions of enforcement for the practical and technical aspects of compliance with the California Consumer Privacy Act (CCPA). They form the basis of the Attorney General’s enforcement of the CCPA and specify how businesses must live up to the law’s provisions.

What is personal information?

Personal information (PI) is defined in the California Consumer Privacy Act (CCPA) as any kind of information that can identify a living individual, either directly (via names and addresses) or indirectly by inference (via online search history and digital behavior).

Learn more about the CCPA and personal information

How can my website be CCPA compliant?

Using a consent management platform (CMP) that automatically scans your website and detects all cookies, trackers and third-party trojan horses is a simple and easy way for your business to become CCPA compliant. Take control of the processes through which your website collects personal information and offer true transparency to your customers.

Try Cookiebot CMP free for 14 days – or forever if you have a small website.

Resources

Final CCPA regulations from August 14, 2020 (pdf)

Additional CCPA regulations from March 15, 2021 (pdf)

CCPA compliance with Cookiebot

CCPA and cookies

CCPA final regulations in text (PDF)

List of modifications made to the final CCPA regulations

Office of the Attorney General of California

IAPP on the final CCPA regulations

IAPP: How to limit exposure and minimize your risk under the CCPA

IAPP: CCPA and employer data, a compliance checklist
