What is the California Consumer Privacy Act?

Jess Hennessey
Wondering what the CCPA is and what it means for your business? We’ve got the answers.

The California Consumer Privacy Act (CCPA) goes into effect on January 1st, 2020. That’s right around the corner, yet many businesses are still trying to figure out what the CCPA means for their company. If you’ve found yourself asking, “What is CCPA?”, you’ve come to the right place. In this article, we’ll discuss this new law so you’ll know just what to do to ensure your business website is CCPA compliant.

First Things First, What Is CCPA?

In light of recent privacy scandals that have been put into the spotlight, more and more citizens are becoming concerned about their online privacy. 

The Facebook/Cambridge Analytica proceedings have caused many United States citizens to become more cautious of what data online companies are collecting from them.

Up until the CCPA, there have been no rules on what companies can do with customer data that they collect. This lack of regulation puts consumers at risk in various ways.

For example, when Target and Equifax were hacked, it resulted in millions of consumers’ data becoming compromised. Instances such as these, as well as issues such as the Facebook/Cambridge Analytica proceedings, have prompted lawmakers around the world to enact legislation that regulates how companies handle consumer data.

If you’re familiar with the General Data Protection Regulation (GDPR) that was put into effect in 2018, the CCPA might sound familiar to you. The GDPR, a European regulation that provides consumer data protection, paved the way for other nations and states to enact similar laws. Such is the case when California drafted its own version of a privacy rights law, coined it the CCPA, and introduced it at the beginning of January 2018.

A short six months after the CCPA was introduced, it was signed into law on June 28th, 2018. The CCPA grants citizens of California extended privacy rights in the name of consumer protection. When the CCPA goes into effect on January 1st, 2020, the massive bill will officially become the most strict set of data privacy regulations in all of the United States.

What Privacy Rights Does The CCPA Provide Consumers?

E-commerce sites that do business with California customers are just one of many types of businesses that need to ensure they are CCPA compliant.

The CCPA is vast when it comes to all the protections it provides consumers. What the CCPA ultimately does is provide consumers with transparency about what personal information is being collected from them and gives them more control over what a company can do with it. 

Here are some key takeaways from the CCPA: 

  • California residents are entitled to know exactly what personal information a company is collecting from them and be able to access it.
  • They will also be informed on whether or not their data is disclosed or sold to
  • In the event their data is being shared with another party, it must be made clear who else will have access to their personal information
  • Consumers will have the right to opt-out of the sale of their personal data
  • Companies must delete consumer data upon request of the consumer
  • It also forbids companies to discriminate against any consumer who exercises their privacy rights

Of course, this is just scratching the surface. It also details requirements about collecting data from minors, as well as what kind of actions consumers can take in the event of a CCPA violation. For the record, the law allows individual consumers to seek damages of $100 to $750 per incident, or actual damages incurred if greater than $750 total. Fines up to $7500 per incident are also applicable.

What Does “Personal Information” Entail?

A phrase you’ll hear a lot in CCPA discussions is “personal information”. This phrase encompasses a wealth of information types as outlined in the CCPA. In fact, the CCPA is very clear about what personal information it is talking about when it uses the term.

The CCPA is available to read in full on the California Legislative website.

The CCPA defines “Personal Information” as:

“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

It goes on to name specific items such as names or aliases, postal addresses, IP addresses, email addresses, account name, social security number, driver’s license number, passport number, education and employment history, and many, many other things.

It even becomes somewhat abstract in that it states personal information also includes data that can be used to create an overview of an individual “consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

Additionally, the bill will protect consumer information relating to their purchase history, browser history, and how they interact with websites, apps, and advertisements online.

What Doesn’t The CCPA Consider “Personal Information?”

That’s the real question of the day considering the list seems much shorter than what is covered in the CCPA. Alas, the CCPA states that:

“Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information.

CCPA

In the description from the CCPA above, we’re introduced to another potentially ambiguous term: publicly available. Fear not, the CCPA expands on what it considers to be publicly available data.

 “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. “Publicly available” does not include consumer information that is deidentified or aggregate consumer information.

CCPA

Simply put, that means information that may be publicly available in government records cannot be used for any purpose other than what it was originally intended for.

What Businesses Need To Become CCPA Compliant?

Still don’t have a CCPA compliant website? Time is running out fast.

It’s true, not all businesses will technically be required to become CCPA compliant. (The operative word here is technically–more on that in a moment.)

First, let’s go over which types of companies will need to bring their businesses and business websites up to CCPA standards.

To be clear, regardless of whether or not your business is located in California, it is subject to CCPA compliance requirements. The physical location does not matter. So long as it collects and processes data from residents of California the business could be affected by the CCPA. 

In addition to collecting data from California residents, companies which will be subject to CCPA compliance will also meet one or more of the following:

  • Has a gross annual revenue of $25MM or more
  • Acquires personal information from 50,000 or more California residents, households, or devices each year
  • Fifty percent or more of the annual revenue comes from selling personal information on California residents (these businesses are often referred to as data brokers)

Don’t Think The CCPA Applies To Your Business?

Although your business may be currently exempt from the laws described in the CCPA, that doesn’t mean you should just forget about it and move on. There’s a big chance that the CCPA is a trendsetter, paving the way for similar legislation across different states and the nation as a whole in the near future. 

In fact, at least nine states have already introduced drafts of bills that are similar to the CCPA. In six of those states’ draft legislation, the proposed laws are essentially identical to the CCPA. 

  • Hawaii 
  • Maryland 
  • Massachusetts
  • New York
  • Mississippi 
  • New Mexico
  • North Dakota
  • Rhode Island
  • Washington

As you can see, American consumers are becoming more aware of their online privacy and are pushing for legislation which gives them more control of it. 

How To Become CCPA Compliant Before It’s Too Late

As vast as the CCPA is for consumers, businesses needing to become CCPA compliant have quite the project to look forward to. Hopefully, you’ve already started working on updating your policies and website to reflect the requirements being enforced in the law. 

If you still haven’t started taking proper steps to become CCPA compliant, it’s time to get to work. There’s a lot to do! Let’s take a look at some of the best places to get started so your CCPA compliance process goes smoothly. 

Start By Examining and Updating Your Data And Privacy Policies

Due diligence goes a long way in understanding how the CCPA applies to your business website.

If your company is required to become CCPA compliant, or you’re trying to get ahead of the game and prepare for similar laws likely coming in the future, the first thing you should do is figure out exactly how the CCPA applies to your business.

Take stock of the personal data your company collects from consumers. Make sure you know exactly what kind of personal information you are collecting and whether or not it is covered in the CCPA (it most likely is). 

You should examine your company’s existing data security and privacy policies. Update them to reflect the new procedures you will take to ensure consumer data you’ve collected is secure and in compliance with the CCPA.

Execute A Website Update To Reflect CCPA Compliance Requirements

Once you know all the areas your company needs to make improvements, it’s time to start thinking about what all needs to be done to get your website compliant with the CCPA. This is where it starts to get really labor-intensive. You’ll need to do a complete analysis of your existing site to spot all of the things that will either need to be changed or added. 

Some things to look for include:

Opt-Out Boxes

Anywhere on your website where data is collected, there will also need to be an opt-out box in which consumers can opt-out of having their personal information collected. 

Cookies

If your site collects cookies, you will need to add notifications that alert consumers your site uses cookies. 

Provide Access to Personal Information

Make it clear on your website how consumers can access their personal data. You will need to include a phone number and a webpage.

Create An Identity Verification Backend

Build a system to quickly and accurately verify the identity of people requesting access to their personal information.

Alert Consumers Of Policy Changes

Enact a method to alert consumers of data breaches and/or changes to your privacy policy.

An Ounce Of Prevention Is Worth A Pound Of Cure

The first step in becoming CCPA compliant is developing a plan.

The old adage holds true even in these modern times, especially when it comes to getting your business website CCPA compliant. We can’t stress having a plan enough.

In addition to having a plan for project management, you should incorporate a plan to maintain CCPA compliance as well as what steps you will take in case of an incident.

For example, who on your team will be responsible for executing consumer requests relating to the CCPA?

Who will man the telephone line you will provide for consumers to call in with questions relating to the personal information your company has collected on them?

In the event of a CCPA violation within your company, what protocol needs to be followed and who will oversee it?

On top of all that, you should also have a plan to train your employees, or whoever will be handling the data, on the protocol they need to follow to be CCPA compliant. The focus should be on processing consumer requests in a timely and appropriate manner.

DIY or Outsource Your CCPA Compliance Project?

Becoming CCPA compliant is a highly technical matter and one that will take some time to complete. As such, we recommend working with a professional to tackle your company’s CCPA compliance process.

Working with a professional who knows what the CCPA entails and exactly how to go about getting your business and website up to speed streamlines the process immensely. Outsourcing the project to a well-versed professional will likely save you money, time, and the headache of trying to sort it all out on your own. 

It’s best to tackle it now before the law goes into effect. Once the CCPA goes into effect, companies will have precisely six months to become fully compliant. With so many things to do to become CCPA compliant, those six months go by fast.

Don’t get caught with a non-compliant CCPA website. Contact us now for a consultation.
