The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, as the first comprehensive modern data privacy law in the United States. The California Privacy Rights Act (CPRA) came into effect on January 1, 2023, amending and expanding the CCPA.
When does CCPA apply?
The CCPA applies to for-profit businesses, regardless of where in the world they are located, that do business in California and:
- annually buy, receive, sell or share the personal information of 50,000 or more California residents, households or devices, or
- have a gross annual revenue exceeding US $25 million, or
- derive 50 percent or more of their annual revenue from selling the personal information of California residents
Sale of personal information (PI) is defined in the CCPA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” (Cal. Civ. Code § 1798.140(t)(1))
Under the CCPA, California residents (“consumers”) are empowered with the right to opt out of having their data sold to third parties, the right to request disclosure of data already collected (right of access), and the right to request deletion of data collected.
Additionally, California residents have the right to be notified and the right not to be discriminated against if they choose to exercise their rights.
Failure to comply with the CCPA can result in civil penalties of up to US $2,500 per unintentional violation and US $7,500 per intentional violation, plus statutory damages of US $100 to US $750 per consumer per incident in private lawsuits arising from data breaches caused by inadequate security.
How to make your website CCPA-compliant?
If your business meets any of the three CCPA thresholds and has a website, you are required to implement certain notifications and functionality.
Your website must inform users at or before the point of data collection about the categories of personal information that it collects and for what purposes.
Your website must feature a Do Not Sell My Personal Information link that users can use to opt out of third-party data sales. (Note: since the implementation of the CPRA the notice must now read “Do Not Sell Or Share My Personal Information”.)
If your website has visitors or customers who are minors under the age of 16, you are required to obtain their opt-in (consent) before you are allowed to sell or disclose their personal information to third parties. If the minor is under the age of 13, a parent or legal guardian must consent for them.
If your business receives a verifiable request from a consumer asking for disclosure of their personal information that you have collected, you must provide to the consumer free of charge the records of personal information collected in the past 12 months, including sources, commercial purposes and categories of third parties with whom it has been shared.
Your business is prohibited from discriminating against a consumer based on their choice to exercise their right to opt out, request disclosure, correction or deletion.
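The opt-out link, the under-16 opt-in rule and the "tags only run if the consumer allows it" requirement above translate into one client-side decision: before any third-party sale/share tag is loaded, check the consumer's recorded choice. The following is an added example written for this page, not code from the original article or from any CMP vendor. The cookie names (`ccpa_optout`, `ccpa_optin`), the tag inventory and the 12-month cookie lifetime are assumptions; the `navigator.globalPrivacyControl` property is the real browser API for the Global Privacy Control opt-out signal, which the CPRA regulations require businesses to honor as a valid opt-out.

```javascript
// Added example: gate third-party "sale/share" tags behind a CCPA/CPRA opt-out.
// Hypothetical module; cookie and tag names are assumptions, not a real CMP's API.

const OPT_OUT_COOKIE = 'ccpa_optout'; // assumed name: "1" = consumer opted out of sale/share
const OPT_IN_COOKIE = 'ccpa_optin';   // assumed name: "1" = affirmative opt-in (required for minors)

// Parse a Cookie header or document.cookie string into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const raw = part.slice(idx + 1).trim();
    try {
      out[name] = decodeURIComponent(raw);
    } catch (e) {
      out[name] = raw; // malformed percent-encoding: keep the raw value rather than crash
    }
  }
  return out;
}

// Decide whether sale/share tags may run for this visitor.
//   cookieString: document.cookie (client) or the Cookie header (server)
//   gpc:          navigator.globalPrivacyControl (true = browser-level opt-out signal)
//   ageBracket:   'adult' (default), 'under16' or 'under13' (under 13 needs parent/guardian opt-in)
function saleSharePermitted({ cookieString = '', gpc = false, ageBracket = 'adult' } = {}) {
  const c = parseCookies(cookieString);
  // An explicit opt-out or a Global Privacy Control signal always wins, even over an earlier opt-in.
  if (c[OPT_OUT_COOKIE] === '1' || gpc === true) return false;
  // Known minors: sale/share is only allowed after an affirmative opt-in has been recorded.
  if (ageBracket === 'under16' || ageBracket === 'under13') {
    return c[OPT_IN_COOKIE] === '1';
  }
  return true; // adults: permitted unless they have opted out
}

// From a tag inventory, return the tags that may load now.
// 'necessary' tags (core site functions) always load; 'sale_share' tags only when permitted.
function tagsToLoad(tags, permitted) {
  return tags.filter(t => t.category === 'necessary' || (permitted && t.category === 'sale_share'));
}

// Set-Cookie value that records the opt-out for 12 months (assumed lifetime) as a first-party cookie.
// Not HttpOnly, because the client-side gate above has to read it.
function optOutCookieValue({ maxAgeSeconds = 365 * 24 * 3600 } = {}) {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Browser wiring: evaluate the decision and inject only the permitted tags.
// Returns null when there is no DOM (e.g. when run under Node).
function applyInBrowser(tags) {
  if (typeof document === 'undefined') return null;
  const permitted = saleSharePermitted({
    cookieString: document.cookie,
    gpc: navigator.globalPrivacyControl === true,
  });
  for (const t of tagsToLoad(tags, permitted)) {
    const s = document.createElement('script');
    s.src = t.src;
    s.async = true;
    document.head.appendChild(s);
  }
  return permitted;
}

// Constructed sample inventory (hypothetical tags, not real vendors).
const SAMPLE_TAGS = [
  { id: 'site-core', category: 'necessary', src: '/static/core.js' },
  { id: 'ad-network', category: 'sale_share', src: 'https://ads.example/tag.js' },
  { id: 'social-pixel', category: 'sale_share', src: 'https://social.example/pixel.js' },
];

applyInBrowser(SAMPLE_TAGS);
```

The ordering in `saleSharePermitted` is the point: an opt-out (cookie or GPC header) is checked before any opt-in, so a minor who opted in and later opted out stays opted out, and a visitor whose browser sends Global Privacy Control is treated as opted out without ever clicking the link.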
What is personal data?
Personal data or personal information is defined in the CCPA as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Cal. Civ. Code § 1798.140(o)(1))
Personal information under the CCPA includes:
- direct identifiers, such as real name, postal address, or Social Security number
- unique identifiers, such as cookies, IP addresses, or account names
- biometric data, such as face and voice recordings
- geolocation data, such as location history
- internet activity, such as browsing history, search history, data on interaction with a web page or app
- sensitive information, such as health data, personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, financial and medical information
Personal information also includes data that by inference can lead to the identification of an individual or a household.
Aggregate and anonymous data is exempt from the CCPA, unless it is in any way re-identifiable. This means data that in itself is not personal information can become so under the CCPA if it can be used — by inference or by combination with other data — to identify an individual or a household.
What does the CCPA say about cookies?
Cookies and other website tracking technologies are classified as unique identifiers that form part of the CCPA’s definition of personal information. Cookies are one of the most commonly used technologies for websites to collect personal information on end users.
First-party cookies, set by the website itself, often hold data needed for core website functions, such as a session identifier. Third-party cookies, like those set by ad-tech companies and social media platforms, often collect a lot of personal, sometimes sensitive, information on consumers. How long a cookie lives is independent of who set it: it is controlled by the cookie’s Expires or Max-Age attribute. A cookie without one (a session cookie) is deleted when the browser is closed, while a persistent cookie can be given an expiry date years in the future, although modern browsers increasingly cap cookie lifetimes.
Data collected on your website through cookies can ultimately be considered personal information under the CCPA. This information might not in itself constitute personal information, e.g. anonymized analytics data, but it can become personally identifying by inference or in combination with other data, for the purpose of identifying and connecting devices, creating profiles and serving personalized ads.
What changed for businesses and residents of California on January 1, 2023?
The California Privacy Rights Act (CPRA) applies to for-profit organizations that do business in California and:
- have an annual gross revenue of more than US $25 million, or
- derive 50 percent or more of their annual revenue from selling or sharing the personal information of California residents, or
- annually buy, sell or share the personal information of 100,000 or more California residents or households.
The CPRA thus changed one of the three CCPA thresholds: the minimum number of California residents or households whose personal information is bought, sold or shared was raised from 50,000 to 100,000, and devices no longer count toward it. The temporary exemptions for business-to-business (B2B) and employee data expired on the same date, so that information is now covered too, and the California Privacy Protection Agency (CPPA), the authority for oversight and enforcement, has been established.
While the CCPA only covered selling of personal information, the CPRA also covers sharing it (disclosure for cross-context behavioral advertising, whether or not money changes hands). The CPRA also expands and modifies consumers’ existing rights while adding several new ones:
- right to correction, to have inaccurate data collected about them be corrected,
- right to limit use of data categorized as sensitive personal information
- right to request information about automated decision-making and likely outcomes of use of such processes
- right to opt out of the use of automated decision-making technology with regards to their personal information
Organizations that meet any of the CCPA/CPRA compliance thresholds are liable for personal information collected on California residents via their website’s cookies, if the information is sold or shared. Consumers can request disclosure of their personal information collected on a website in the past 12 months, as well as request correction or deletion of this data (with some exceptions).
Organizations must know what data their website collects, how it’s collected, for what purpose, and with whom (third parties) it shares this data.
Our Consent Management Platform (CMP) helps to achieve and maintain compliance with the European GDPR and ePrivacy Directive, the CCPA and CPRA, and other regulations.
The CMP technology deep scans your website to uncover all cookies and tracking technologies, then automatically controls them so you and your end users know what personal information is collected, for what purposes, and what third parties it is shared with, if users consent.
We also enable CCPA and CPRA compliance for businesses by implementing the required Do Not Sell Or Share My Personal Information link with the cookie declaration generated by the scanner, as well as offering opt in/out banners needed for the consent of minors under age 16.