What You Need to Know About the California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) went into effect on January 1. It is the first major U.S. data protection law, and many compare it to the European General Data Protection Regulation (GDPR), which has been enforced since May 2018.

Let's take a look at what marketers need to know and do to be CCPA ready.

What is CCPA?

The California Consumer Privacy Act is a California consumer protection policy that gives state residents the right to know what personal data companies collect on them and how it will be used, to request that the information not be sold to third parties, and to request deletion of all the information.

The full impact of the new act is not entirely clear yet, because regulations that enforce the law are still being finalized. However, companies in California and beyond are already trying to meet the requirements to continue their business in one of the most populous U.S. states.

How CCPA Defines Personal Information

According to CCPA, personal data is any piece of information that identifies (relates to, describes, directly or indirectly characterizes) a particular consumer:

For example, cookies may be considered personal data and are therefore also regulated by the law. You will need to list what information you collect about the user and how you plan to use it. The cookie policy can be included in the general privacy policy and does not require a separate page or banner.

CCPA vs. CalOPPA and Other Privacy Laws

CCPA won’t replace the California Online Privacy Protection Act (CalOPPA) or other data protection laws, which will remain in force. To do business in California, you’ll have to comply with all the existing laws.

The difference between CalOPPA and CCPA lies in the types of collected data and collection methods:

The privacy policy should state:

CalOPPA:
  • How the website responds to "don't track data" requests.
  • The date when the privacy policy came into force.
  • How users will be informed of any changes to the privacy policy.

CCPA:
  • Information about the sale of user data to third parties, and how to opt out.
  • Methods to verify the identity of the person who requests access to the data, or requests to change or delete the data.
  • How such requests are to be submitted.

Who the law is applicable to:

The law applies to any company in the world if it:

CalOPPA:
  • collects personal information about California residents on the website or via online service;
  • uses the collected data for personal purposes. For example, the law won't apply to Internet providers because they transfer or store personal information for third parties.

CCPA:
  • collects personal information about California-based citizens;
  • meets at least one of the three indicators:
     - annual gross income at least $25 million;
     - collected personal information about at least 50,000 Californians, California households and/or devices per year;
     - 50% of annual income from the sale of personal information about Californians.
  • The law is mainly intended for social networks, brokers and large corporations. These requirements don’t apply to individuals, non-profits, or small and medium-sized companies.

Getting prior consent:

CalOPPA: Doesn’t require prior consent.

CCPA: Requires prior consent only from the under-aged before selling their personal data. For users under 13, the consent of their parents or guardians is required.

Active option "Do Not Sell My Personal Information":

CalOPPA: Optional.

CCPA: Obligatory. A click on the button means you are not allowed to sell the corresponding data.

Penalties for Non-Compliance

Prior Consent Before Data Collection

Unlike many other privacy laws, CCPA doesn’t require you to get prior consent before collecting and processing user data, except for the under-aged.

For users aged 13-16, you must obtain permission directly from them before selling their personal information. For users under 13, you must obtain permission from their parents or guardians.

You can ask for permission every time an under-aged Californian visits your website, or just before selling the data. Selling data without consent violates the user's rights and entails a fine.

Note. Selling data doesn’t necessarily involve a money transaction or payment. This term covers any action with a database, including transferring or disclosing a user's personal data.

Make sure you retain every consent you have received from the under-aged and their parents. It would be smart to retain any consent received.

Does Your Privacy Policy Comply with CCPA?

A privacy policy is a document that explains to users how their data is to be processed and used. It can also provide information on privacy rights.

Make sure your privacy policy meets the following CCPA compliance checklist:

According to Digital Trends 2020 by Accenture, 69% of users would stop interacting with a company that is too aggressive while collecting personal data.

GDPR vs. CCPA: What to Follow

You may already be following some CCPA requirements if you comply with the GDPR rules. However, there are things you'll have to work on:

Note that GDPR limits the collection of data on religion, ethnicity, sexual preferences, genetic and biometric data, etc., while CCPA has no such restrictions.

How to Get CCPA Ready

1. Consider the location of your subscribers.

Even if you don't know whether your subscribers reside in California, you still need to follow the law. Determine their location so as not to get into trouble.

For example, in the subscription/registration form, ask subscribers to indicate their country of residence, or determine it using geolocation. For users from EU countries, Canada or other places where data laws require confirmation, add a checkbox confirming that they have read the rules.

2. Be ready to delete data upon request.

The law allows Californians to require you to delete their personal information, partially or in full. This clause is also a key element of GDPR.

3. Notify your customers of changes in the Privacy Policy.

Send active users and subscribers an email notifying them that you have updated your Privacy Policy.

Alternatively, instead of a separate email, add a corresponding section to the footer of your regular campaigns.

4. Consider other regulations.

Make sure you comply with the regulations from all countries where you have subscribers.

CASL - Canada’s Anti-Spam Legislation (2014);

PDPB - India's Personal Data Protection Bill (2018);

GDPR - General Data Protection Regulation, European Union (2018).

Also, provide clearly visible information about privacy policy updates directly on the website.

5. Prepare your website for CCPA.

It is better to prepare in advance, because other states may soon pass similar laws. Massachusetts, Maryland, Washington, D.C., and other U.S. states are already discussing the adoption of their own privacy and data protection laws. We promise to keep you up to date with all the updates.

More information on CCPA: Learn about the California Consumer Privacy Act (CCPA) and how to become compliant.