The CCPA empowers California residents (referenced as \u201cconsumers\u201d under the law) with several rights regarding their personal information.<\/p>\n\n\n\n
- \n
- Right to know: <\/strong>Consumers can request information about the collection, use, and sharing of their personal data by businesses.<\/li>\n\n\n\n
- Right to delete: <\/strong>Consumers can ask businesses to delete their personal information, with certain exceptions.<\/li>\n\n\n\n
- Right to opt out: <\/strong>Consumers can opt out of the sale to or sharing of their personal information with third parties.<\/li>\n\n\n\n
- Right to nondiscrimination: <\/strong>Businesses cannot discriminate against consumers who exercise their CCPA rights.<\/li>\n\n\n\n
- Right to correct: <\/strong>Consumers can ask businesses to correct inaccurate or incomplete information about them.<\/li>\n\n\n\n
- Right to limit: <\/strong>Consumers can request to limit the use of sensitive personal information collected from\/about them, such as Social Security Number or financial account information, for restricted purposes.<\/li>\n<\/ul>\n\n\n\n
The CCPA regulation took effect<\/a> January 1, 2020, though enforcement by the California Attorney General\u2019s office did not start until July 1 of that year. The CCPA regulation specifies practical and technical aspects of how to achieve compliance.<\/p>\n\n\n\n
What is the California Privacy Rights Act (CPRA)?<\/h3>\n\n\n\n
On November 3, 2020, the California Privacy Rights Act (CPRA)<\/a>, which amended and expanded the CCPA, was passed into law in a general election.<\/p>\n\n\n\n
The CPRA expanded the rights of California residents, created additional business requirements and compliance thresholds, and established the California Privacy Protection Agency (CPPA) to take over enforcement and other functions from the Attorney General.<\/p>\n\n\n\n
The CPRA took full effect on January 1, 2023 and was supposed to become enforceable on July 1, 2023, though applicable to data collected and shared from January 2022. However, due to legal challenges, enforcement did not begin until February 2024.<\/p>\n\n\n\n
![\"Examples](\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2020\/11\/CCPA-Privacy-Policy-best-practices.svg\")
<\/figure>\n\n\n\nWhat is personal information under the CCPA? Examples and definition<\/h2>\n\n\n\n
Personal information is the crux of the CCPA\u2019s regulatory function, as it was enacted to protect consumers\u2019 personal information and regulate the collection, use, and sharing of it.<\/p>\n\n\n\n
The CCPA defines personal information as \u201cinformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household<\/em>.\u201d<\/p>\n\n\n\n
Categories of personal information, for example, as outlined in in CCPA privacy policies, include:<\/p>\n\n\n\n
- \n
- direct identifiers (names, addresses, IP addresses, email, Social Security numbers, etc.)<\/li>\n\n\n\n
- sensitive information, i.e. that which could enable particular harm to a person if it was misused, thus requiring certain restrictions and special handling (age, ethnicity, religion, political affiliation, health and healthcare, gender, sexual orientation, etc.)<\/li>\n\n\n\n
- commercial information (credit card history, transaction details, payment info, etc.)<\/li>\n\n\n\n
- geolocation data, if used for the purposes of identifying someone<\/li>\n\n\n\n
- professional, employment, or education information<\/li>\n\n\n\n
- inferences from any of above for the purpose of profiling<\/li>\n<\/ul>\n\n\n\n
Information that is made lawfully available from federal, state, or local government records, information that is made publicly available (e.g. by a person\u2019s online activities), or information that is deidentified or aggregated, is not considered personal information under the law.<\/p>\n\n\n\n
Purposes of collecting personal information<\/h3>\n\n\n\n
Common purposes why businesses may collect personal information include:<\/p>\n\n\n\n
- \n
- to operate, manage and maintain the business<\/li>\n\n\n\n
- to process transactions and provide the consumer with a product or service <\/li>\n\n\n\n
- for product development based on customer feedback and usage data<\/li>\n\n\n\n
- to personalize user experience on websites or apps based on preferences and behaviors<\/li>\n\n\n\n
- for marketing and advertising to target specific customer segments<\/li>\n\n\n\n
- website analytics<\/li>\n\n\n\n
- to comply with legal and regulatory requirements<\/li>\n<\/ul>\n\n\n\n
Who must comply with the CCPA?<\/h2>\n\n\n\n
A for-profit entity that does business in California and handles personal information of California residents must comply with the CCPA if it meets any one of the following criteria:<\/p>\n\n\n\n
- \n
- gross annual revenue of over USD 26,625,000<\/li>\n\n\n\n
- buys, sells, or shares the personal information of 100,000 or more California residents or households<\/li>\n\n\n\n
- derives 50 percent or more of their annual revenue from selling California residents\u2019 personal information.<\/li>\n<\/ul>\n\n\n\n
Companies that meet any of these conditions must comply with the CCPA, even if the business is not located in California. It only matters if the people whose data is being processed are located in that state.<\/p>\n\n\n\n
The CCPA\/CPRA also apply to data brokers, defined by the California Civil Code<\/a> as \u201ca business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.\u201d<\/em><\/p>\n\n\n\n
Businesses that are required to comply with the CCPA must notify consumers about data that is collected, how, for what purposes, and who may have access to it. They must also notify consumers about their rights and how they can exercise them via a privacy policy or privacy notice. Typically this is a page on a website.<\/p>\n\n\n\n
CCPA privacy notices requirements<\/h2>\n\n\n\n
There are two types of privacy notices required under the CCPA: a \u201dnotice at collection\u201d and a \u201dprivacy policy\u201d.<\/p>\n\n\n\n
The notice at collection requires you to inform consumers, at or before the point of collection of personal information, about:<\/p>\n\n\n\n
- \n
- categories of personal information, including sensitive personal information, that you will collect<\/li>\n\n\n\n
- purpose(s) for which you will collect or use the personal information<\/li>\n\n\n\n
- how long you will keep each category of personal information<\/li>\n<\/ul>\n\n\n\n
If you sell consumers\u2019 personal information, your notice at collection must include a link to a web page that enables consumers to exercise their right to opt out of sale, sharing, targeted advertising, or profiling. The link must use the specific words \u201cDo Not Sell or Share My Personal Information\u201d. In most cases it is not required to obtain prior consent before collecting and processing personal information, though there are exceptions.<\/p>\n\n\n\n
The notice at collection must also link to your privacy policy, which provides more detail about how you collect and use consumers\u2019 personal information (including sale or sharing), consumers\u2019 rights, and how to exercise them.<\/p>\n\n\n\n
Personal information from consumers online is often collected through the use of tracking technologies such as cookies<\/a>. A cookie banner<\/a> can be used to fulfill the notice at collection requirements by providing clear information about cookie usage and opt-out options, and directing users to the full CCPA privacy notice or policy for more details.<\/p>\n\n\n
\n\n\n\n\n Achieve compliance with Cookiebot CMP \u2013 implement CCPA-specific settings on your cookie banner <\/h2>\n <\/div>\n
\n\n\n \nSign up for a free trial<\/span><\/a>\n <\/div>\n <\/div>\n <\/div>\n <\/div>\n <\/div>\n<\/div>\n\n\n\nCCPA privacy policy requirements<\/h2>\n\n\n\n
If you collect or process data from European Union (EU) residents, your website may already have a privacy policy, which is also a requirement of other international data privacy laws like the EU\u2019s General Data Protection Regulation (GDPR)<\/a>, which preceded and influenced the CCPA.<\/p>\n\n\n\n
However, the CCPA has specific requirements for what your privacy policy must include. To achieve CCPA compliance<\/a>, you\u2019ll need to amend and update your privacy policy to reflect California law or publish a separate privacy policy for the processing of personal information belonging to California residents.<\/p>\n\n\n\n
Let\u2019s look at the CCPA\u2019s privacy policy requirements.<\/p>\n\n\n\n
1. Easy for consumers to access<\/h3>\n\n\n\n
Companies must provide a clear and prominent link to your privacy policy on the website, and the link must include the word \u201cprivacy\u201d in it. \u201cPrivacy Policy\u201d, \u201cCalifornia Privacy Policy\u201d, or \"California Privacy Rights\" are all acceptable under the CCPA.<\/p>\n\n\n\n
The privacy policy should be accessible and legible regardless of the device consumers using, including smartphones, tablets, and desktop computers. It should also be reasonably accessible to consumers with disabilities.<\/p>\n\n\n\n
2. Include information about consumer rights<\/h3>\n\n\n\n
The privacy policy must inform consumers about their rights under the CCPA and how they can exercise these rights.<\/p>\n\n\n\n
Some rights, such as the right to delete, correct, or access information, require provision of two methods by which consumers can exercise their rights, which the privacy policy must communicate. An exception to this requirement is businesses that operate exclusively online, which only need to provide an email address for submitting these requests.<\/p>\n\n\n\n
The \"Do Not Sell or Share My Personal Information\" link should also be included in the privacy policy to enable consumers to opt out of the sale of their personal information. Businesses that process sensitive personal information have to implement a link reading \u201cLimit the Use of My Sensitive Personal Information\u201d or comparable as long as it enables consumers to opt out or limit disclosure of their sensitive personal information.<\/p>\n\n\n\n
![\"Cookiebot](\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2020\/11\/CCPA-Privacy-Policy-Requirements.svg\")
Cookiebot CMP enables CCPA compliance, including the required Do Not Sell link.<\/figcaption><\/figure>\n\n\n\n 3. Inform consumers about how you use their personal information<\/h3>\n\n\n\n
A CCPA privacy policy must provide details about your personal information handling and privacy practices, including:<\/p>\n\n\n\n
- \n
- categories of personal information collected in the last 12 months<\/li>\n\n\n\n
- categories of sources from where personal information is collected<\/li>\n\n\n\n
- specific purposes for which personal information is used<\/li>\n<\/ul>\n\n\n\n
Companies that disclose, sell or share personal information must also inform consumers about:<\/p>\n\n\n\n
- \n
- categories of personal information disclosed, sold, or shared in the last 12 months<\/li>\n<\/ul>\n\n\n\n
- \n
- to whom the personal information was disclosed, sold, or shared<\/li>\n\n\n\n
- specific purposes for which the disclosure, sale, or sharing was done<\/li>\n\n\n\n
- whether the company has actual knowledge of the sale or sharing of personal information of minor consumers under the age of 16 years<\/li>\n<\/ul>\n\n\n\n
Personal data of children (minors) does require prior consent from a parent or legal guardian before collection or processing. If consent is declined, the request cannot be made again for 12 months.<\/p>\n\n\n\n
Selling has a broad definition in the CCPA that includes disclosure and sharing personal information \u201cfor monetary or other valuable consideration\u201c<\/em>. Categories of personal information that companies disclosed to third parties, e.g. through third-party cookies<\/a> on the website, should, therefore, be included in the privacy policy even if the company did not make money from sharing the personal information.<\/p>\n\n\n\n
4. Update every 12 months<\/h3>\n\n\n\n
The CCPA requires companies to review and update their privacy policy every 12 months so that consumers are made aware if the business starts collecting new categories of personal information, or if it starts collecting personal information with a different purpose than before.<\/p>\n\n\n\n
If there are changes to how you handle consumers\u2019 personal information in the interim, it is good practice (though not legally required) to update your privacy policy at the time of the change so that it always reflects the current state of your privacy practices.<\/p>\n\n\n\n
Your CCPA privacy policy should also include the date on which it was last updated.<\/p>\n\n\n\n
5. Easy to understand<\/h3>\n\n\n\n
Write the privacy policy in clear, straightforward language that anyone can understand without requiring specialized legal knowledge. Ensure that it\u2019s easy for consumers to navigate, using clear headings and subheadings to organize the information effectively.<\/p>\n\n\n\n
If the website caters to a multilingual audience, the company must provide the privacy policy in all the languages offered on the site.<\/p>\n\n\n\n
CCPA vs GDPR privacy policy requirements<\/h2>\n\n\n\n
The GDPR, one of the world\u2019s most stringent privacy laws, requires businesses to have a privacy policy regarding the processing of personal data of EU residents. Both the GDPR and CCPA require that privacy policies be written in simple language that is easy for anyone to understand without requiring technical or legal knowledge. However, there are also several differences between their requirements.<\/p>\n\n\n\n
- categories of personal information disclosed, sold, or shared in the last 12 months<\/li>\n<\/ul>\n\n\n\n
- Right to delete: <\/strong>Consumers can ask businesses to delete their personal information, with certain exceptions.<\/li>\n\n\n\n