
Try our free compliance test to check if your website's use of cookies and online tracking is GDPR/ePR compliant.

The test also shows what data your website collects and which third parties it shares with, a requirement under the CCPA.

CCPA regulations out - compliance with Cookiebot

Updated March 25, 2021.


On August 14, 2020, the final CCPA regulations were approved and took effect immediately. This means that enforcement of the CCPA is in effect with the Attorney General’s Office as the lead supervisor.

Additional CCPA regulations took effect on March 15, 2021 that further clarify important requirements for your website’s CCPA compliance.

This blog post walks through some parts of the CCPA regulations that your business should be aware of – plus a simple and automatic way to become CCPA compliant.


Quick summary


What are the CCPA regulations?

The CCPA regulations are a set of detailed clarifications and instructions that specify the practical and technical aspects of how your business obtains compliance with the California Consumer Privacy Act (CCPA).

A set of final CCPA regulations took effect on August 14, 2020 (pdf) and an additional set of amendments and modifications took effect on March 15, 2021 (pdf).

If the CCPA is a legal landscape, then the CCPA regulations are the map, giving detailed directions for navigating California’s data privacy law and showing exactly how to be in compliance with its key provisions, such as providing compliant methods for consumers to submit requests and the correct ways of responding to such consumer requests.

With the approval of the CCPA regulations, enforcement of the California Consumer Privacy Act (Act) begins.

If your business hasn’t already become compliant with the CCPA, now is the time to make sure you do.

Become CCPA compliant with Cookiebot consent management platform (CMP)

Scan your website to see if you process data in California


What do the CCPA regulations say?

The CCPA regulations describe in detail the ways in which your business must set up its CCPA compliance, in particular regarding –




CCPA regulations map the practical and technical aspects of CCPA compliance for your business, while Cookiebot CMP provides fully automated CCPA cookie compliance for your website.



Learn more about CCPA compliance with Cookiebot CMP

Learn more about the CCPA and website cookies


How do the CCPA regulations affect my website?

The CCPA regulations are the road map for your business on how to navigate the CCPA and its key provisions.

The CCPA regulations have a huge impact on the daily, digital aspects of your business – e.g. the practical circumstances of collecting personal information (PI) and the practical aspects of responding to consumers exercising their rights over this personal information, collected by you and/or shared with third parties.

With the CCPA regulations, your business is able to make sure that it creates the right setup and framework on its website, in apps or offline for consumers to request access, deletion and opt-outs and for you to respond to such requests in a compliant way.

Overall, the CCPA regulations mandate transparency from your website to its users.

The CCPA requires you to be completely open to consumers about what cookies and trackers are in operation on your website collecting and sharing their personal information.

The CCPA also requires you to be able to take control of your website’s data collection and sharing if consumers opt-out.

Scan for free to see what cookies and trackers are in use on your website


Try Cookiebot CMP free for 30 days – or forever if you have a small website



CCPA Compliance with Cookiebot CMP


Cookiebot CMP is a world-leading consent management platform built around a powerful scanning technology that automatically detects and takes control of all cookies, trackers and trojan horses on your website.

Cookiebot CMP does this by simulating real-life users, clicking, scrolling and doing all possible human interactions with your website, to activate all first- and third-party cookies and trackers.

Once all cookies and trackers are detected, Cookiebot CMP automatically puts you and your end-users in control of how personal information collection should happen on your domain.

Cookiebot CMP is cloud-based and highly automated and offers full plug-and-play compliance with GDPR/ePR, CCPA, LGPD and more data privacy laws.




Cookiebot CMP plug-and-play CCPA compliance for your website enables consumers to opt-out of third-party data sales.



Cookiebot CMP provides your website with plug-and-play CCPA compliance by:

Cookiebot CMP has worked since 2012 for more privacy and transparency on our digital infrastructures – respecting the individual user and their private lives without breaking the economic model of the Internet.

Try Cookiebot CMP free for 30 days for full CCPA compliance – or forever if you have a small website.






CCPA regulations in detail


Let's take a closer look at some of the most important aspects of the CCPA final regulations that have a direct impact on your business’ handling of personal information on its website, app and offline.

The following list is a non-exhaustive walkthrough of the CCPA regulations and is not meant as legal guidance.

The CCPA regulations clarify the following important aspects of the CCPA –

The final CCPA regulations in text (pdf)

Additional CCPA regulations from March 15, 2021 (pdf)

List of modifications made to the final CCPA regulations from earlier drafts

Learn more about CCPA and cookies



Notices to consumers


CCPA regulations on notices in general –

On notices to consumers, the CCPA regulations specify the practical and technical aspects of how your business becomes compliant with the CCPA’s requirements for telling consumers what kind of personal information you collect, how and for what purposes.

Every business that seeks compliance with the CCPA must provide several notices on their website, in mobile apps and offline, if relevant – including notice of collection, notice of the right to opt-out, notice of financial incentives (if any), a privacy policy and more.

On the formatting of notices to consumers, the CCPA regulations specify that –




California residents have the right to be notified when you collect or share their personal information.



The following notices are required by the CCPA regulations from your business –


Scan your website for free to see what cookies and trackers share PI with third parties


CCPA regulations on the notice of collection –

The purpose of the notice at collection is to provide consumers with a timely notice at or before the point of collection about what kind of personal information you will collect and the purposes for which that personal information will be collected and used.

This is one of the core pillars of the CCPA, summarized here by its author and co-sponsor Alastair Mactaggart as “Tell me what you know about me. Stop selling it. Keep it safe.”

In other words, telling consumers about your website’s collection, handling and sharing of personal information is the core of the CCPA.

The CCPA regulations specify that a notice on collection –

If a notice of collection is not given to the consumer at or before the point of collection, your business is not allowed to collect personal information from the consumer.

Become CCPA compliant with Cookiebot CMP free for 30 days (or forever, if you have less than 100 subpages)


CCPA regulations on notice of right to opt-out –

Another key part of the CCPA – perhaps its most famous too – is the consumer right to opt-out of having their personal information sold, shared or disclosed to third parties, such as ad tech companies who use it for profiling and behavioral advertisement.

The CCPA regulations specify that the notice of right to opt-out must include a description of the consumer’s right to opt-out and an interactive form by which the consumer can request opt-out, including instructions for the opt-out method.

In addition, the CCPA regulations from March 15, 2021 provide a uniform opt-out icon that your website can use, plus requirements for its look and size on your domain. Note that this icon cannot be used instead of posting the notice of right to opt-out, only in addition to it (see Section 999.306.f.1 of the March 15, 2021 additional CCPA regulations).

Visit the Attorney General’s website to download the opt-out icon




California residents are entitled to opt-out of any future sales, sharing or disclosure of their PI by your business. Cookiebot CMP enables fully automated CCPA compliance for your website.



A “Do Not Sell My Personal Information” link must be featured on your business’ website homepage or the download and/or landing page in an app (or in the settings menu of the app).

The additional CCPA regulations from March 15, 2021 also spell out in further detail how your website’s methods for letting users submit their opt-out requests need to be easy and require minimal steps.

They include a list of examples of how not to format your opt-out request method, including examples of nudging, double negatives, non-compliant requirements for the user and more (see Section 999.315.h of the CCPA regulations from March 15, 2021).

Become CCPA compliant with Cookiebot CMP free for 30 days - or forever, if your website is small.


CCPA regulations on notice of financial incentives –

If your business offers financial incentives, e.g. different prices or rates in return for the collection of consumers’ personal information, make sure to provide a notice prior to consumers opting-in to these.

Your notice on financial incentives must include:


Requests from consumers


CCPA regulations on how to submit requests in general –

The California Consumer Privacy Act (CCPA) is the first data privacy law in the US to create rights for citizens to the personal information they generate every day online.

In turn, the CCPA regulations clarify the practical and technical aspects of how your business must enable consumers to exercise their rights, e.g. by submitting requests to your business for gaining access to or having deleted collected personal information, or to opt-out entirely of any selling, sharing or disclosure of their personal information that your business might make to third parties.




CCPA regulations map the practical and technical aspects of CCPA compliance for your business, while Cookiebot provides fully automated CCPA cookie compliance for your website.



There are three main requests that consumers can make to your business based on the CCPA:

The CCPA mandates different approaches for how your business must enable consumers to submit requests – these differences have to do with whether your business operates exclusively online and which type of request the consumer is making.


How consumers should be able to submit requests

If your business operates exclusively online, providing an email address is enough as a valid method for consumers to submit requests to your business, e.g. to know what personal information you have collected or to have collected data deleted.

If your business doesn’t operate exclusively online, you must provide at least two ways for consumers to request access, including a toll-free telephone number. This means, for example, an email address on your website and a toll-free telephone number for consumers to call, if they don’t interact with your business through its website.

If consumers only wish to request deletion of collected personal information and not request access, your business must still provide at least two methods; however, one of them doesn’t have to be a toll-free number, but can be a link on your website, an email address etc.

It is important to note that your business is not allowed to disclose a consumer’s social security number, driver’s license, bank account number, health insurance identification number, account passwords or unique biometric data among others.

However, your business must tell whether it has collected such personal information or not.

Become CCPA compliant with Cookiebot CMP free for 30 days (or forever, if your website has less than 100 subpages)


CCPA regulations on verifying consumer requests –

Your business must establish, document, and comply with a reasonable method for verifying that the consumer making the request (e.g. a request to gain access to collected data or to have it deleted) is in fact the consumer whose personal information your business has collected.

The CCPA regulations suggest that you –



The CCPA regulations say that third-party identity verification services are valid for your business to use, i.e. independent companies offering the service of verifying the identity of the consumer making a request to your business.



The additional CCPA regulations from March 15, 2021 also specify how your business may require an authorized agent to provide verification of a consumer request, as well as details of what you may require from a consumer in order for them to verify their request (see Section 999.326 in the CCPA regulations from March 15, 2021).

The CCPA regulations also suggest that businesses may use a two-step request process for deletion, whereby the consumer submits their request and then subsequently confirms that they wish their personal information deleted.

Requests cover the last 12-month period of collection.

Your business must confirm received requests within 10 business days and tell the consumer about your process for handling the request, e.g. the verification process and estimated time of response.

A consumer request to access or have deleted their personal information must be handled within 45 days.

Become CCPA compliant with Cookiebot CMP free for 30 days – or forever if you have a small website.


CCPA regulations on requests to opt-out –

One of the core features of the California Consumer Privacy Act (CCPA) is the right of consumers to opt-out of having their personal information sold, disclosed or shared to third parties.

The CCPA regulations specify that your business must provide at least two ways for consumers to request opt-out, including the mandatory “Do Not Sell My Personal Information” link on websites and in apps. Other ways include email addresses, toll-free numbers and more.

If consumers use global privacy controls, such as browser privacy settings and plug-ins, these must be treated by your business and its website as a valid request to opt-out.




Cookiebot CMP enables CCPA compliance through automated control of cookies and trackers, including the CCPA-specific opt-out link for California residents.



Your business must respond to an opt-out request within 15 business days.

If consumers want to opt-in again after having opted out, your business must use a two-step verification process: the consumer requests opt-in and then subsequently confirms their choice.


Financial incentives


CCPA regulations on financial incentives vs discrimination –

The CCPA regulations clarify how the CCPA, especially its options for offering financial incentives, is not to be used in discriminatory ways towards consumers by your business.

The CCPA’s main point is that discrimination is taking place if a business treats a consumer differently because they exercised one of their CCPA rights, e.g. the right to opt-out of third-party data selling and sharing.

The CCPA regulations have several examples of this, e.g. a music streaming platform that offers two plans: one free and one premium.

If, the CCPA regulations speculate, the streaming platform only allows paying consumers to opt-out of third-party personal information sales, discrimination is taking place, and your business is non-compliant.




While financial incentives are legal under the CCPA, discrimination of consumers and their rights to data privacy is not.



The key point about financial incentives in the CCPA is that your business is only allowed to offer them (or price differences or different rates) if they are reasonably related to the value of the consumer’s data.

The CCPA regulations clarify this by listing in detail how to calculate the value of consumer data.

In calculating the value of consumer data, your business must take into account at least one of the following methods:



Consumers under 13


CCPA regulations on consumers under 13 years –

If your business has consumers under the age of 13, you may sell, disclose or share their personal information only after having obtained an opt-in for this. The CCPA regulations specify that this can be done in several ways:




Minors must opt-in by default to third-party data sales, not opt-out as adult California residents.



If the consumer is between the ages of 13 and 16, they must also opt-in before you are allowed to sell, share or disclose their personal information – however, no parent or guardian is needed in the process.


Requirements for privacy policies


CCPA regulations on how to craft your website’s privacy policy

Your privacy policy is your business’ statement on matters of user privacy, handling of data and so on.

Your privacy policy must inform consumers of the collection, use, disclosure, and sale of personal information, and of the rights of consumers regarding their own personal information.

Your website’s CCPA privacy policy must be available online through a link on the homepage.

A CCPA privacy policy must include (non-exhaustive list):

Learn more about the CCPA and your website’s privacy policy


Summary


So, what now?

The final CCPA regulations have been approved by the Office of Administrative Law and enforcement by the Attorney General of California has begun!

Additional CCPA regulations took effect on March 15, 2021.

Cookiebot CMP offers CCPA compliance when it comes to your website’s cookies and tracking, along with compliance with the EU GDPR/ePR, Brazilian LGPD and more data privacy laws around the world.

Sign up to Cookiebot CMP free for 30 days to experience plug-and-play compliance for your website

Scan your website to see what cookies and trackers are in operation


FAQ


What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that governs the collection, sharing and selling of the personal information of California residents. It took effect on January 1, 2020 and enforcement began in August 2020.

Learn more about CCPA compliance


What are the CCPA regulations?

The CCPA regulations are a set of clarifications and instructions of enforcement for the practical and technical aspects of compliance with the California Consumer Privacy Act (CCPA). They form the basis of the Attorney General’s enforcement of the CCPA and specify how businesses must live up to the law’s provisions.



What is personal information?

Personal information (PI) is defined in the California Consumer Privacy Act (CCPA) as any kind of information that can identify a living individual, either directly (via names and addresses) or indirectly by inference (via online search history and digital behavior).

Learn more about the CCPA and personal information


How can my website be CCPA compliant?

Using a consent management platform (CMP) that automatically scans your website and detects all cookies, trackers and third-party trojan horses is a simple and easy way for your business to become CCPA compliant. Take control of the processes through which your website collects personal information and offer true transparency to your customers.



Resources


Final CCPA regulations from August 14, 2020 (pdf)

Additional CCPA regulations from March 15, 2021 (pdf)

CCPA compliance with Cookiebot

CCPA and cookies

CCPA final regulations in text (PDF)

List of modifications made to the final CCPA regulations

Office of the Attorney General of California

IAPP on the final CCPA regulations

IAPP: How to limit exposure and minimize your risk under the CCPA

IAPP: CCPA and employer data, a compliance checklist
