CCPA regulations out - compliance with Cookiebot

Published August 31, 2020.


On August 14, 2020, the final CCPA regulations were approved and took effect immediately. This means that enforcement of the CCPA can now go ahead with the Attorney General’s Office as the lead supervisor.

This blog post walks through some parts of the CCPA regulations that your business should be aware of, plus a simple and automatic way to become CCPA compliant.


Quick summary


What are the CCPA regulations?

The CCPA regulations are a set of detailed clarifications and instructions that specify the practical and technical aspects of how your business obtains compliance with the California Consumer Privacy Act (CCPA).

If the CCPA is a legal landscape, then the CCPA regulations are the map, giving detailed directions for navigating California’s data privacy law and showing exactly how to be in compliance with its key provisions, such as providing compliant methods for consumers to submit requests and the correct ways of responding to such consumer requests.

With the approval of the CCPA regulations, enforcement of the California Consumer Privacy Act (Act) begins.

If your business hasn’t already become compliant with the CCPA, now is the time to make sure you do.

Become CCPA compliant free for 30 days with Cookiebot – or forever if you have a small website


What do the CCPA regulations say?

The CCPA regulations describe in detail the ways in which your business must set up its CCPA compliance, in particular regarding –




CCPA regulations map the practical and technical aspects of CCPA compliance for your business, while Cookiebot provides fully automated CCPA cookie compliance for your website.



Learn more about CCPA compliance with Cookiebot


How do the CCPA regulations affect my website?

The CCPA regulations are the road map for your business on how to navigate the CCPA and its key provisions.

The CCPA regulations have a huge impact on the daily, digital aspects of your business – e.g. the practical circumstances of collecting personal information (PI) and the practical aspects of responding to consumers exercising their rights over this personal information, collected by you and/or shared with third parties.

With the CCPA regulations, your business is able to make sure that it creates the right setup and framework on its website, in apps or offline for consumers to request access, deletion and opt-outs and for you to respond to such requests in a compliant way.

Overall, the CCPA regulations mandate transparency from your website to its users.

The CCPA requires you to be completely open to consumers about what cookies and trackers are in operation on your website collecting and sharing their personal information.

The CCPA also requires you to be able to take control of your website’s data collection and sharing if consumers opt-out.

Scan for free to see what cookies and trackers are in operation on your website




CCPA Compliance with Cookiebot


Cookiebot is a consent management platform (CMP) built around a powerful scanning technology that automatically detects and takes control of all cookies, trackers and trojan horses on your website.

Cookiebot does this by simulating real-life users, clicking, scrolling and doing all possible human interactions with your website, to activate all first- and third-party cookies and trackers.

Once all cookies and trackers are detected, Cookiebot automatically puts you and your end-users in control of how personal information collection should happen on your domain.

Cookiebot is cloud-based and highly automated, and offers full plug-and-play compliance with GDPR/ePR, CCPA, LGPD and other data privacy laws.




Cookiebot’s plug-and-play CCPA compliance for your website enables consumers to opt-out of third-party data sales.



Cookiebot provides your website with plug-and-play CCPA compliance by:

Cookiebot has worked since 2012 for more privacy and transparency on our digital infrastructures – respecting the individual user and their private lives without breaking the economic model of the Internet.

Try Cookiebot free for 30 days for full CCPA compliance – or forever if you have a small website.






CCPA regulations in detail


Now, we take a closer look at some of the most important aspects of the CCPA final regulations that have a direct impact on your business’ handling of personal information on its website, app and offline.

The following list is a non-exhaustive walkthrough of the CCPA regulations and is not meant as legal guidance.

The CCPA regulations clarify the following important aspects of the CCPA –

The final CCPA regulations in text (PDF)

List of modifications made to the final CCPA regulations from earlier drafts

Learn more about CCPA and cookies



Notices to consumers


CCPA regulations on notices in general –

On notices to consumers, the CCPA regulations specify the practical and technical aspects of how your business becomes compliant with the CCPA’s requirements for telling consumers what kind of personal information you collect, how and for what purposes.

Every business that seeks compliance with the CCPA must provide several notices on their website, in mobile apps and offline, if relevant – including notice of collection, notice of the right to opt-out, notice of financial incentives (if any), a privacy policy and more.

On the formatting of notices to consumers, the CCPA regulations specify that –




California residents have the right to be notified when you collect or share their personal information.



The following notices are required by the CCPA regulations from your business –



CCPA regulations on the notice of collection –

The purpose of the notice at collection is to provide consumers with a timely notice at or before the point of collection about what kind of personal information you will collect and the purposes for which that personal information will be collected and used.

This is one of the core pillars of the CCPA, summarized here by its author and co-sponsor Alastair Mactaggart as “Tell me what you know about me. Stop selling it. Keep it safe.”

In other words, telling consumers about your website’s collection, handling and sharing of personal information is the core of the CCPA.

The CCPA regulations specify that a notice on collection –

If a notice of collection is not given to the consumer at or before the point of collection, your business is not allowed to collect personal information from the consumer.



CCPA regulations on notice of right to opt-out –

Another key part of the CCPA – perhaps its most famous too – is the consumer right to opt-out of having their personal information sold, shared or disclosed to third parties, such as ad tech companies who use it for profiling and behavioral advertisement.

The CCPA regulations specify that the notice of right to opt-out must include a description of the consumer’s right to opt-out and an interactive form by which the consumer can request opt-out, including instructions for the opt-out method.




California residents are entitled to opt-out of any future sales, sharing or disclosure of their PI by your business. Cookiebot enables fully automated CCPA compliance for your website.



A “Do Not Sell My Personal Information” link must be featured on your business’ website homepage or the download and/or landing page in an app (or in the settings menu of the app).



CCPA regulations on notice of financial incentives –

If your business offers financial incentives, e.g. different prices or rates in return for the collection of consumers’ personal information, make sure to provide a notice prior to consumers opting-in to these.

Your notice on financial incentives must include:


Requests from consumers


CCPA regulations on how to submit requests in general –

The California Consumer Privacy Act (CCPA) is the first data privacy law in the US to create rights for citizens to the personal information they generate every day online.

In turn, the CCPA regulations clarify the practical and technical aspects of how your business must enable consumers to exercise their rights, e.g. by submitting requests to your business for gaining access to or having deleted collected personal information, or to opt-out entirely of any selling, sharing or disclosure of their personal information that your business might make to third parties.






There are three main requests that consumers can make to your business based on the CCPA:

The CCPA mandates different approaches for how your business must enable consumers to submit requests – these differences have to do with whether your business operates exclusively online and which type of request the consumer is making.


How consumers should be able to submit requests

If your business operates exclusively online, providing an email address is enough as a valid method for consumers to submit requests to your business, e.g. to know what personal information you have collected or to have collected data deleted.

If your business doesn’t operate exclusively online, you must provide at least two ways for consumers to request access, including a toll-free telephone number. This means, for example, an email address on your website and a toll-free telephone number for consumers to call, if they don’t interact with your business through its website.

If consumers only wish to request deletion of collected personal information and not request access, your business must still provide at least two methods. However, these don’t have to include a toll-free number, but can be a link on your website, an email address etc.

It is important to note that your business is not allowed to disclose a consumer’s social security number, driver’s license, bank account number, health insurance identification number, account passwords or unique biometric data, among others.

However, your business must tell whether it has collected such personal information or not.



CCPA regulations on verifying consumer requests –

Your business must establish, document, and comply with a reasonable method for verifying that the consumer making the request (e.g. a request to gain access to collected data or to have it deleted) is in fact the consumer whose personal information your business has collected.

The CCPA regulations suggest that you –




The CCPA regulations say that third-party identity verification services are valid for your business to use, i.e. independent companies offering the service of verifying the identity of the consumer making a request to your business.



The CCPA regulations also suggest that businesses may use a two-step request process for deletion, whereby the consumer submits their request and then subsequently confirms that they wish their personal information deleted.

Requests cover the last 12-month period of collection.

Your business must confirm received requests within 10 business days and tell the consumer about your process for handling the request, e.g. the verification process and estimated time of response.

A consumer request to access or have deleted their personal information must be handled within 45 days.



CCPA regulations on requests to opt-out –

One of the core features of the California Consumer Privacy Act (CCPA) is the right of consumers to opt-out of having their personal information sold, disclosed or shared to third parties.

The CCPA regulations specify that your business must provide at least two ways for consumers to request opt-out, including the mandatory “Do Not Sell My Personal Information” link on websites and in apps. Other ways include email addresses, toll-free numbers and more.

If consumers use global privacy controls, such as browser privacy settings and plug-ins, these must be treated by your business and its website as a valid request to opt-out.




Cookiebot enables CCPA compliance through automated control of cookies and trackers, including the CCPA-specific opt-out link for California residents.



Your business must respond to an opt-out request within 15 business days.

If consumers want to opt-in again after having opted out, your business must use a two-step verification process: the consumer requests opt-in and then subsequently confirms their choice.


Financial incentives


CCPA regulations on financial incentives vs discrimination –

The CCPA regulations clarify how the CCPA, especially its options for offering financial incentives, is not to be used in discriminatory ways towards consumers by your business.

The CCPA’s main point is that discrimination is taking place if a business treats a consumer differently because they exercised one of their CCPA rights, e.g. the right to opt-out of third-party data selling and sharing.

The CCPA regulations have several examples of this, e.g. a music streaming platform that offers two plans: one free and one premium.

If, the CCPA regulations speculate, the streaming platform only allows paying consumers to opt-out of third-party personal information sales, discrimination is taking place, and your business is non-compliant.




While financial incentives are legal under the CCPA, discrimination against consumers for exercising their rights to data privacy is not.



The key point about financial incentives in the CCPA is that your business is only allowed to offer them (or price differences or different rates) if they are reasonably related to the value of the consumer’s data.

The CCPA regulations clarify this by listing in detail how to calculate the value of consumer data.

In calculating the value of consumer data, your business must take into account at least one of the following methods:



Consumers under 13


CCPA regulations on consumers under 13 years –

If your business has consumers under the age of 13, you must only sell, disclose or share their personal information after having obtained their opt-in to such. The CCPA regulations specify that this can be done in several ways:




Minors must opt-in by default to third-party data sales, not opt-out as adult California residents.



If the consumer is between the age of 13 and 16, they must also opt-in before you are allowed to sell, share or disclose their personal information – however, no parent or guardian is needed in the process.


Requirements for privacy policies


CCPA regulations on how to craft your website’s privacy policy

Your privacy policy is your business’ statement on matters of user privacy, handling of data and so on.

Your privacy policy must inform consumers of the collection, use, disclosure, and sale of personal information, and of the rights of consumers regarding their own personal information.

Your website’s CCPA privacy policy must be available online through a link on the homepage.

A CCPA privacy policy must include (non-exhaustive list):

Learn more about the CCPA and your website’s privacy policy


Summary


So, what now?

The final CCPA regulations have been approved by the Office of Administrative Law and enforcement by the Attorney General of California will begin!

If your business hasn’t already become compliant with the CCPA, now is the time to make sure you do.

Cookiebot offers CCPA compliance when it comes to your website’s cookies and tracking, along with compliance with the EU GDPR/ePR, Brazilian LGPD and more data privacy laws around the world.

Sign up to Cookiebot free for 30 days to experience plug-and-play compliance for your website

Scan your website to see what cookies and trackers are in operation


FAQ


What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that governs the collection, sharing and selling of the personal information of California residents. It took effect on January 1, 2020 and enforcement began in August 2020.

Learn more about CCPA compliance


What are the CCPA regulations?

The CCPA regulations are a set of clarifications and instructions of enforcement for the practical and technical aspects of compliance with the California Consumer Privacy Act (CCPA). They form the basis of the Attorney General’s enforcement of the CCPA and specify how businesses must live up to the law’s provisions.



What is personal information?

Personal information (PI) is defined in the California Consumer Privacy Act (CCPA) as any kind of information that can identify a living individual, either directly (via names and addresses) or indirectly by inference (via online search history and digital behavior).

Learn more about the CCPA and personal information


How can my website be CCPA compliant?

Using a consent management platform (CMP) that automatically scans your website and detects all cookies, trackers and third-party trojan horses is a simple and easy way for your business to become CCPA compliant. Take control of the processes through which your website collects personal information and offer true transparency to your customers.



Resources



CCPA compliance with Cookiebot

CCPA and cookies

CCPA final regulations in text (PDF)

List of modifications made to the final CCPA regulations

Office of the Attorney General of California

IAPP on the final CCPA regulations

IAPP: How to limit exposure and minimize your risk under the CCPA

IAPP: CCPA and employer data, a compliance checklist
