You may have seen a lot of chatter online about the CCPA law. Much like GDPR, it has been discussed a lot, but many people are still unsure what it means.
The CCPA stands for The California Consumer Online Privacy Act. It is California’s newest privacy law, and is essentially California’s version of the European GDPR.
CCPA and GDPR are similar; however, GDPR has some stricter controls, such as minimising the data collected to only what is required and requiring a valid reason to collect data. Even if your business is currently GDPR-compliant, that does not mean it will automatically be CCPA-compliant.
The law aims to enhance consumer privacy rights for residents of California in the United States, and it applies to you if your business targets Californian consumers, that is, if you collect and process data from California residents.
It goes into effect on January 1st 2020 but becomes fully enforceable on July 1st, 2020. After this date, if you are found not to be compliant, you may be fined $7,500 per California user.
How do I comply with CCPA?
In order to comply with the CCPA, businesses have to be more upfront about what they collect and how it is used. The law places several new requirements on businesses, including:
- allowing California residents to opt out of having their personal information sold to third parties
- disclosing what data has been collected
- allowing California residents to request their data be deleted
Personal information or data covers your name, username, password, phone number and physical address. It also includes information used by companies to track your online behaviour and information that can be used to characterise you.
Cookiebot have also put together this list of the main requirements:
- Feature a Do Not Sell My Personal Information link on their website that users can use to opt-out of third party data sales.
- Provide a notice at or before the point of collection informing the consumer of the categories of personal information that the company collects and for what purpose.
- React to an opt-out request within 15 days by stopping further selling and notifying all parties to whom it has sold the personal information in the previous 90 days.
- Obtain opt-in consent from minors age 13 to 15 before selling their personal information, and opt-in consent by parents or legal guardians from consumers under the age of 13.
- Provide consumers, free of charge, with records of the personal information collected in the past 12 months (including sources, commercial purposes and categories of third parties with whom it has been shared) if a consumer requests disclosure or deletion.
- Respond within 10 days of receiving requests for disclosure or deletion with information on how the request will be processed. Substantive responses must be given to the consumer within 45 days of receiving a verified request.
- Include two steps for a deletion request, whereby the consumer submits the request and subsequently confirms that the personal information should be deleted.
- Only offer financial incentives (e.g. different prices, rates and quality) for goods and services if the differences are reasonably related to the value provided to the business by the consumer’s data.
- Refrain from discriminating based on a consumer’s choice to exercise their rights to opt-out, request disclosure or deletion.
- Provide a description of the rights (opt-out, disclosure, deletion) and how to exercise these rights.
- Provide a list of the categories of personal information that the business collects, sells and discloses, and update this list every 12 months.
- Provide a toll-free phone number or, if the business operates solely online, a link on the website through which the consumer can exercise their rights.
Useful tools for CCPA compliance
Cookiebot have a free scanner that shows how your website tracks and handles personal information. If you are looking to learn more, Iubenda will be holding a webinar on Thursday, January 9th 2020 at 5:00PM GMT, and Hashtag Legal has created a CCPA FAQ.