CCPA compliance

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents.

The effective date of the CCPA is January 1, 2020. It is the first law of its kind in the United States. 

In short: CCPA compliance requires that businesses enable California residents to opt out of having their personal information sold to third parties, as well as disclosing what data has already been collected and deleting it, if consumers request it.

What does CCPA compliance mean for my website?

If your business meets any of the three CCPA thresholds above and has an online domain, you are required to implement certain changes to your website.

• Your website must inform its users at or before the point of data collection about the categories of personal information that it collects and for what purposes.
• Your website must feature a Do Not Sell My Personal Information link that users can use to opt out of third-party data sales (see below how to implement).
• If your website has minors under the age of 16 among its users, you are required to obtain their opt-in (consent) before you are allowed to sell or disclose their personal information to third parties. If the minor is under the age of 13, a parent or legal guardian must opt in for them.
• Your business must also update its website’s privacy policy to include a description of the consumer’s rights and how to exercise these rights. Your privacy policy must also contain an annually updated list of the categories of personal information that your company collects, sells and discloses.
• If your business receives a verifiable request from a consumer asking for disclosure of their personal information collected, you must provide the consumer free of charge the records of personal information collected in the past 12 months (including sources, commercial purposes and categories of third parties with whom it has been shared).
• Your business is prohibited from discriminating based on a consumer’s choice to exercise their right to opt-out, request disclosure or deletion.

To who does the CCPA apply?

CCPA compliance applies to any for-profit businesses in the world that:

• sells the personal information of more than 50,000 California residents annually
• or have an annual gross revenue exceeding $25 million
• or derives more than 50 percent of its annual revenue from selling the personal information of California residents.

Under the CCPA, California residents (“consumers”) are empowered with the right to opt out of having their data sold to third parties, the right to request disclosure of data already collected, and the right to request deletion of data collected.
Additionally, California residents have the right to be notified and the right to equal services and price (i.e. cannot be discriminated against based on their choice to exercise their rights).
Failure to comply with the CCPA can result in fines for businesses of $7,500 per violation and $750 per affected user in civil damages for businesses.

What is the definition of personal information?

Personal information is defined in the CCPA as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (1798.140.o1).
Personal information under the CCPA includes direct identifiers (such as real name, alias, postal address, social security numbers), unique identifiers (such as cookies, IP addresses and account names), biometric data (such as face and voice recordings), geolocation data (such as location history), internet activity (such as browsing history, search history, data on interaction with a webpage or app), sensitive information (such as health data, personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, financial and medical information).
Personal information also includes data that by inference can lead to the identification of an individual or a household.

What does CCPA compliance say about cookies?

If your business meets any of the three CCPA compliance thresholds, you are liable for whatever personal information you collect on California residents through your website’s cookies. Consumers can request disclosure of the PI collected on your website in the past 12 months, as well as request that you delete this data.

You must therefore know what data your website collects, how it collects it and for what purpose, and with whom (third parties) it shares this data.

In compliance with the strong GDPR requirements in place in the EU, Cookiebot’s technology automatically scans your website and finds all cookies and similar tracking technology, then blocks all (apart from strictly necessary ones) until the end-users give their consent to which categories of cookies, they will allow to process their personal information.

How to Implement “Do Not Sell” Requests on Your Website

Adding a Do Not Sell Button to Your Website in compliance with the CCPA, Cookiebot enables a website’s end-users to opt out of having their data sold to third parties through a Do Not Sell My Personal Information link in the website footer and on their cookie declaration:

Cookiebot also supports multiple compliance solutions on the same website through a geotargeting function that detects whether a visitor is from the EU or California, and configures the appropriate cookie banner accordingly.

Check out how to setup CCPA compliance for your website in this article.

More information

State of California Department of Justice

• The right to know about the personal information a business collects about them and how it is used and shared;
• The right to delete personal information collected from them (with some exceptions);
• The right to opt-out of the sale or sharing of their personal information; and
• The right to non-discrimination for exercising their CCPA rights.