Updated November 25, 2019.
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020.
It empowers California residents with new rights over the data they generate every day, and forces companies who do business in the state to play by new rules.
So how does your website obtain CCPA compliance? Which CCPA requirements will impact your website? And how can Cookiebot help you become CCPA and GDPR compliant?
Find the answers in this article about all things regarding CCPA compliance.
The CCPA forces companies and organizations who do business in California to comply with new rules regarding the data their end-users generate on their websites.
The CCPA regulations empower users with new data rights (the first in the US), such as the right to opt out of having their data sold to third parties; the right to disclosure of what data has been collected about them in the past year; and the right to deletion of that data.
This means that businesses need to know what cookies and other tracking technologies are embedded on their websites – both those belonging to their own domains (first-party cookies) and those belonging to ad tech companies or social media platforms (third-party cookies) that are embedded through plugins, tags and tools.
The CCPA regulations form a new legal reality in the intersection of the offline and online, where our daily lives spill into the digital, and – until now – have been commodified and traded for profit by tech companies.
The CCPA regulations create empowered agency for end-users and real checks-and-balances for businesses trading data in California.
In compliance with the strong GDPR requirements in place in the EU, Cookiebot’s technology automatically scans your website and finds all cookies and similar tracking technology, then blocks all of them (apart from strictly necessary ones) until the end-users give their consent to the categories of cookies that they will allow to process their personal information.
In compliance with the CCPA, Cookiebot enables a website's end-users to opt out of having their data sold to third parties through a Do Not Sell My Personal Information link on their cookie declaration.
Cookiebot also supports multiple compliance solutions on the same website through a geotargeting function that detects whether a visitor is from the EU or California, and configures the appropriate banner accordingly.
Cookiebot's CCPA compliant cookie declaration in California.
Cookiebot ensures CCPA compliance for businesses by, for example, enabling their end-users to opt out of having their data sold and obtaining their consent ID on the company's website.
Our CCPA configuration implements the mandatory Do Not Sell My Personal Information link.
Cookiebot also enables websites to comply with the specific requirement regarding opt in for minors under 16 years of age.
Cookiebot CCPA opt in banner enabling businesses to obtain the consent of minors.
According to the CCPA, businesses must obtain opt-in consent from minors age 13-16 (and from the parents or legal guardians of minors under age 13) before they are allowed to sell their personal information.
Cookiebot CCPA opt in banner, unfolded with details showing cookies and trackers present.
Cookiebot can be configured and customized to meet the standards of compliance under the CCPA as well as GDPR, depending on where your end-users are located.
This way, Cookiebot ensures that the privacy of your end-users is protected, and the autonomy over their own data enshrined.
Take an in-depth look at the core functions of Cookiebot.
Businesses can sign up for free to Cookiebot today to scan and control their cookies, become GDPR compliant and get familiar with the different opt-in and opt-out functions.
Who exactly is protected by the CCPA? And how does a company obtain CCPA compliance?
In this section, we look at who the law affects and how you obtain CCPA compliance. We provide an overview of the obligations for businesses in a quick CCPA checklist.
A business is exempt from, for example, disclosing or deleting personal information if the business cannot verify the consumer making the request.
The verification criteria will be defined in the Attorney General’s regulation no later than July 2020.
However, in October 2019 the Attorney General published a set of CCPA draft regulations meant to shed light on how enforcement of CCPA compliance will look.
Take a look at the proposed CCPA AG regulations here.
To be obligated for CCPA compliance, a company or organization must fall under the definition of business in the CCPA.
According to the CCPA rules, business is an umbrella term that includes companies, corporations, associations, partnerships or any other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.
Not all websites or companies will fall under the CCPA's definition of business.
However, to be regarded as a business under the CCPA rules, a company has to meet one of the three following attributes:
This means that if your company is based in, say, Texas or Europe, but buys or sells the personal information of at least 50,000 California residents, your company is liable for CCPA compliance.
It also means that if you have a small business that makes under $25 million a year, or if less than half of your business income relies on selling personal information to third parties, or if your business does not sell more than fifty-thousand Californians’ personal information, the CCPA does not apply to your company.
However, if your business shares common branding with another company that does meet one of the abovementioned thresholds, your business will be subject to CCPA compliance.
This means, for example, having a shared name, service mark or trademark. In such a case, an organization that would not by itself fall under the CCPA rules for businesses could be forced to obtain CCPA compliance anyway.
Here is a non-exhaustive CCPA compliance checklist to inform you of some of the key requirements.
According to the CCPA, a business must –
Cookiebot enables CCPA compliance.
With the Cookiebot technology, websites can manage user consents and requests for opt-outs of data sales, as well as get a full overview of all cookies and trackers.
Cookiebot offers CCPA and GDPR compliance for US websites.
To be protected by the CCPA, a consumer has to be a natural person who is a California resident, defined as an individual:
In other words, for the CCPA to apply, you have to have residency in California to qualify as a consumer according to the law.
If you do qualify as a consumer protected under the new privacy law, the CCPA empowers you with the following rights:
According to the CCPA regulations, any discrimination against consumers based on their choice to exercise their rights is strongly prohibited.
Cookiebot is a leading consent management platform in the world, enabling GDPR compliance for hundreds of thousands of websites every day.
The main difference between the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in the EU is that the latter requires data controllers and processors to meet one of six legal bases prior to the processing of personal data.
The first of these is with the consent of the user, meaning that a website must obtain prior consent from a user before any processing of their personal information can take place.
The CCPA protects California residents, while the GDPR protects anyone who happens to be inside the EU at the time of data collection.
Cookiebot’s consent management platform is built to enable full GDPR compliance by controlling a website’s data processing through the consent of the users.
The CCPA doesn’t have a framework of legal bases that businesses must first meet in order to process data, but by using Cookiebot, companies and websites in California can ensure that their users will not experience unwanted data harvesting by, and selling to, third-party tech companies.
Cookiebot can be configured to meet the requirements of both the CCPA and the GDPR, depending on where in the world your end-users are located.
This way, website owners using Cookiebot can be confident about meeting the compliance standards of the data law relevant to them, whether it be in California or the European Union.
The CCPA is the first major privacy law outside of the European Union, but it is definitely not the last.
A privacy awakening is upon us and data laws are emerging in many other states in the US, as well as around the world.
Cookiebot follows this global development closely, as we continue to develop our technology to support future data privacy laws.