Updated November 30, 2020.
The California Consumer Privacy Act (CCPA) empowers California residents with new rights over the data they generate every day, and forces companies that do business in the state to play by new rules.
So how does your website achieve CCPA compliance? Which CCPA requirements will impact your website? And how can the Cookiebot consent management platform (CMP) help you become CCPA and GDPR compliant?
Find the answers in this article about all things regarding CCPA compliance.
CCPA compliance for websites
The CCPA requires companies and organizations that do business in California to comply with new rules regarding the data their end-users generate on their websites.
The CCPA regulations empower users with new data rights (the first in the US), such as the right to opt out of having their data sold to third parties; the right to disclosure of what data has been collected about them in the past year; and the right to deletion of that data.
This means that businesses need to know which cookies and other tracking technologies are embedded on their websites – both those belonging to their own domains (first-party cookies) and those belonging to ad tech companies or social media platforms (third-party cookies) that are embedded through plugins, tags and tools.
The California Consumer Privacy Act (CCPA) forms a new legal reality in the intersection of the offline and online, where our daily lives spill into the digital, and – until now – have been commodified and traded for profit by tech companies.
The CCPA gives end-users real agency over their data and imposes real checks and balances on businesses trading data in California.
Scan your website for free with Cookiebot CMP to see which cookies are active on your website and what kinds of personal information they process.
CCPA compliance with Cookiebot CMP
In compliance with the strong GDPR requirements in place in the EU, the Cookiebot CMP technology automatically scans your website and finds all cookies and similar tracking technology, then blocks all of them (apart from strictly necessary ones) until the end-users give their consent to the categories of cookies they will allow to process their personal information.
In compliance with the CCPA, Cookiebot CMP enables a website's end-users to opt out of having their data sold to third parties through a Do Not Sell My Personal Information link on their cookie declaration.
Cookiebot CMP also supports multiple compliance solutions on the same website through a geotargeting function that detects whether a visitor is from the EU or California, and configures the appropriate banner accordingly.
CCPA compliant solution from Cookiebot CMP.
Cookiebot CMP ensures CCPA compliance for businesses by, for example, enabling their end-users to opt out of having their data sold and by recording their consent ID on the company's website.
Our CCPA configuration implements the mandatory Do Not Sell My Personal Information link.
Cookiebot CMP also enables websites to comply with the specific requirement regarding opt-in for minors under 16 years of age.
According to the CCPA, businesses must obtain opt-in consent from minors aged 13-16 (and from the parents or legal guardians of minors under age 13) before they are allowed to sell their personal information.
Cookiebot CMP CCPA opt in banner, unfolded with details showing cookies and trackers present.
Cookiebot CMP can be configured and customized to meet the standards of compliance under the CCPA as well as GDPR, depending on where your end-users are located.
This way, Cookiebot CMP ensures that the privacy of your end-users is protected and their autonomy over their own data is upheld.
Take an in-depth look at the core functions of Cookiebot CMP.
Businesses can sign up for free to Cookiebot CMP today to scan and control their cookies, become GDPR compliant and get familiar with the different opt-in and opt-out functions.
CCPA checklist for compliance
Who exactly is protected by the CCPA? And how does a company obtain CCPA compliance?
In this section, we look at who the law affects and how you obtain CCPA compliance. We provide an overview of the obligations for businesses in a quick CCPA checklist.
A business is exempt from, for example, disclosing personal information or deleting it if it cannot verify the consumer making the request.
On August 14, 2020, the final CCPA regulations took effect and form the basis for the Attorney General’s enforcement, which has already begun.
The CCPA regulations specify the practical and technical aspects of how to become compliant with the law.
CCPA requirements for California businesses
To be obligated to comply with the CCPA, a company or organization must fall under the CCPA's definition of a business.
According to the CCPA rules, a business is an umbrella term that includes companies, corporations, associations, partnerships and any other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.
Not all websites or companies will fall under the CCPA's definition of business.
However, to be regarded as a business under the CCPA rules, a company has to meet at least one of the following three criteria:
- have an annual gross revenue exceeding $25 million,
- derive 50% or more of its annual revenues from selling consumers’ personal information,
- buy, receive, sell, or share the personal information of 50,000 or more California residents, households or devices a year.
This means that if your company is based in, say, Texas or Europe, but buys or sells the personal information of at least 50,000 California residents, your company is liable for CCPA compliance.
It also means that if you have a small business that makes under $25 million a year, or if less than half of your business income relies on selling personal information to third parties, or if your business does not sell more than 50,000 Californians’ personal information, the CCPA does not apply to your company.
However, if your business shares common branding with another company that does meet one of the above thresholds, your business will be subject to CCPA compliance.
Common branding means, for example, a shared name, service mark or trademark. In such a case, an organization that would not by itself fall under the CCPA rules for businesses could be forced to obtain CCPA compliance anyway.
CCPA compliance for California businesses
Here is a non-exhaustive CCPA compliance checklist to inform you of some of the key requirements.
According to the CCPA, a business must –
- Feature a Do Not Sell My Personal Information link on their website that users can use to opt out of third-party data sales.
- Provide a notice at or before the point of collection informing the consumer of the categories of personal information that the company collects and for what purpose.
- React to an opt-out request within 15 days by stopping further selling and notifying all parties to whom it has sold the personal information in the previous 90 days.
- Obtain opt-in consent from minors age 13 to 16 before selling their personal information, and opt-in consent by parents or legal guardians from consumers under the age of 13.
- Provide consumers, free of charge, with records of the personal information collected in the past 12 months (including sources, commercial purposes and categories of third parties with whom it has been shared) if a consumer requests disclosure or deletion.
- Respond within 10 days of receiving requests for disclosure or deletion with information on how the request will be processed. Substantive responses must be given to the consumer within 45 days of receiving a verified request.
- Include two steps for a deletion request, whereby the consumer first submits the request and subsequently confirms that the personal information is to be deleted.
- Only offer financial incentives (e.g. different prices, rates and quality) for goods and services if the differences are reasonably related to the value provided to the business by the consumer's data.
- Refrain from discriminating based on a consumer's choice to exercise their rights to opt out, request disclosure or request deletion.
- Make the following available to consumers:
  - a description of the rights (opt-out, disclosure, deletion) and how to exercise these rights,
  - a list of the categories of personal information that the business collects, sells and discloses, updated every 12 months,
  - a toll-free phone number or, if the business operates solely online, a link on the website through which the consumer can exercise their rights.
Cookiebot CMP enables CCPA compliance.
With the Cookiebot CMP technology, websites can manage user consents and requests for opt-outs of data sales, as well as get a full overview of all cookies and trackers.
Cookiebot CMP offers CCPA and GDPR compliance for US websites.
CCPA rights for California residents
To be protected by the CCPA, a consumer has to be a natural person who is a California resident, defined as an individual:
- who is in the State for other than a temporary or transitory purpose, or
- who is domiciled in the State but is outside the State for a temporary or transitory purpose.
In other words, for the CCPA to apply, you must be a California resident to qualify as a consumer under the law.
If you do qualify as a consumer protected under the new privacy law, the CCPA empowers you with the following rights:
- Right to opt out of having personal data sold to third parties.
- Right to disclosure of personal data collected in the last 12 months.
- Right to deletion of personal data collected in the last 12 months.
- Right to equal services and price.
According to the CCPA regulations, any discrimination against consumers based on their choice to exercise their rights is prohibited.
CCPA compliance vs GDPR compliance
Cookiebot CMP is one of the world's leading consent management platforms, enabling GDPR compliance for hundreds of thousands of websites every day.
The main difference between the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in the EU is that the latter requires data controllers and processors to have one of six legal bases prior to the processing of personal data.
The first of these is the consent of the user, meaning that a website must obtain prior consent from a user before any processing of their personal information can take place.
The CCPA protects California residents, while the GDPR protects anyone who happens to be inside the EU at the time of data collection.
Cookiebot CMP is built to enable full GDPR compliance by controlling a website’s data processing through the consent of the users.
The CCPA doesn’t have a framework of legal bases that businesses must first meet in order to process data, but by using Cookiebot CMP, companies and websites in California can ensure that their users will not experience unwanted data harvesting by, and selling to, third-party tech companies.
Cookiebot CMP can be configured to meet the requirements of both the CCPA and the GDPR, depending on where in the world your end-users are located.
This way, website owners using Cookiebot CMP can be confident about meeting the compliance standards of the data law that applies to them, whether in California or the European Union.
The CCPA is the first major privacy law outside of the European Union, but it is definitely not the last.
A privacy awakening is upon us and data laws are emerging in many other states in the US, as well as around the world.
Cookiebot CMP follows this global development closely, as we continue to develop our technology to support future data privacy laws.
Try Cookiebot CMP free for 30 days... or forever if you have a small website.
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a state-wide law that regulates how the personal information of California residents is allowed to be used and shared by businesses. The CCPA requires businesses to enable users to opt out of having their data sold to third parties, and to inform users of what kinds of cookies their websites use that process personal information.
Are cookies personal information under the CCPA?
Under the CCPA, personal information includes cookies and trackers that collect IP addresses, browser history, search history and unique IDs that can be used to identify an individual user. Third-party cookies, like statistics or marketing cookies, often use unique IDs that make an individual user identifiable across the Internet.
Who is liable for CCPA compliance?
A business is defined in the CCPA as a company or organization that meets at least one of the following three thresholds: an annual gross revenue of more than $25 million, 50% or more of its annual revenues derived from selling consumers’ personal information, or buying, receiving, selling or sharing the personal information of more than 50,000 California residents annually.
How can a website become CCPA compliant?