When the EU’s General Data Protection Regulation (GDPR) went into effect in 2018, it set a new bar for data privacy, and California was the first US state to follow in its footsteps. The CCPA (California Consumer Privacy Act) was created to give California residents control over how companies use their personal information.
We present an in-depth breakdown of the CCPA: what it is, who it applies to, and how to bring your website into compliance so you don’t end up facing enforcement or litigation.
What is the CCPA?
CCPA, or California Consumer Privacy Act, is a California law that gives residents of the state a measure of control over how businesses use the personal information they collect about them. “Personal information” under the law means any information that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The CCPA came into effect on January 1, 2020, and protects only California residents. As of January 1, 2023, an extension of the law called the California Privacy Rights Act (CPRA) became operative.
The CPRA introduced stricter requirements for companies that process the personal information of Californians, such as a revised definition of covered organizations, new personal information categories, and expanded user rights.
Who does the CCPA apply to?
The CCPA only applies to for-profit businesses that do business in California and process the personal information of California residents. The law applies to companies that meet at least one of the following thresholds:
- The company’s gross annual revenue is more than $25 million (a figure the regulator adjusts periodically for inflation)
- The company buys, sells, or shares the personal information of 100,000 or more California consumers or households per year
- 50% or more of the company’s annual revenue comes from selling or sharing the personal information of California residents
It’s also important to note that the CCPA doesn’t apply to non-profit organizations or government agencies.
Why is the CCPA important?
The CCPA is important because it holds companies accountable for their data handling practices and protects the privacy rights of California residents. Here are the main reasons why CCPA compliance is important:
- Legal responsibility. Under CCPA, businesses are required to handle data more responsibly, and it gives consumers some control over their information usage.
- Transparency. CCPA ensures that companies are transparent about their data collection practices with consumers, building trust and prioritizing their privacy.
- Prevents data misuse. The privacy regulation ensures businesses don’t sell or otherwise abuse consumer data without their knowledge or consent.
- Data security. The CCPA expects businesses to maintain reasonable security procedures and practices appropriate to the data they hold; a breach of unencrypted personal information caused by a failure to do so exposes the business to consumer lawsuits (see the penalties section below).
User rights under CCPA
The CCPA gives users control over their collected data through rights that companies must honor. The six user rights, as laid out in the statute, are:
- Right to know. Users can learn what categories of personal information a company collects about them, where it comes from, what it is used for and whom it is shared with, and can request a copy of the specific pieces collected.
- Right to delete. Aside from the exceptions listed in Civil Code section 1798.105(d), the user has the right to request deletion of their data.
- Right to opt out. A business that sells or shares personal information must offer a “Do Not Sell or Share My Personal Information” link (or an equivalent control) so users can opt out, and must also honor browser-level opt-out preference signals such as Global Privacy Control.
- Right to correction. Users can request that inaccurate personal information be corrected.
- Right to limit. Users can ask a business to limit the use and disclosure of their sensitive personal information (for example precise geolocation, government identifiers or account credentials) to what is necessary to provide the requested service.
- Right to non-discrimination. Consumers must not be penalized for exercising their rights, for example by degrading or denying service because of a deletion request.
The rights to know, delete, opt out and non-discrimination were introduced in the original CCPA (passed in 2018); the right to correct and the right to limit only came into effect with the CPRA in January 2023.
How to become CCPA compliant
CCPA compliance can seem overwhelming but only if you don’t know where to start. Here are the main CCPA requirements summed up:
1. Get a cookie banner
Unlike the EU’s GDPR, the CCPA doesn’t require opt-in consent before collecting personal information (the one exception is selling or sharing the data of consumers under 16, which does require opt-in). Businesses are, however, required to give notice at or before the point of collection, which on a website is usually a banner disclosing what personal data is collected and that cookies are used.
A cookie banner should include a clear statement informing about the use of cookies or personal information collection. There must also be a control that lets users withdraw consent, and a “Do not sell or share my personal information” link if the company sells or shares data with third parties.
Here’s an example of what a CCPA-compliant cookie banner might look like:
In terms of cookies, a banner should also provide preference management options: users must be able to accept only essential cookies, or only selected third-party cookies, if they choose to.
If you’re a Shopify store owner, you can add a custom cookie banner to your website in a few clicks with TinyCookie.
TinyCookie lets you customize everything from the design and content to layout and placement. You may also add links to your privacy or cookie policy to ensure consumers easy access.
2. Include a “Do not sell or share my personal information” link
If your company sells or shares the personal information of California residents, you must include a “Do not sell or share my personal information” link in your website’s privacy notice (cookie banner) and privacy policy. You should also put it in the website footer so it is reachable from every page.
The link should lead to a page that guides users through opting out of data selling and sharing. Here’s an example of Target’s Do not sell page, located in their privacy policy:
Once a user selects their state, they’re guided to a form. Here, they have to submit their request by filling out the required information, such as their full name, email address, phone number, and more.
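As an added example (not TinyCookie’s, Shopify’s or Target’s code), here is how the opt-out can be implemented on a site: a stored preference that the link sets, a check that also honors the browser’s Global Privacy Control signal, and a gate that stops sale/share tags from loading for opted-out visitors. The cookie name, the tag registry and the sample visitor are assumptions constructed for the demo.

```javascript
// Added example (not TinyCookie's, Shopify's or Target's code): record the
// "Do not sell or share" opt-out and gate the tags that would sell or share
// personal information. Written as pure functions so it runs under Node;
// in the browser, feed it document.cookie and navigator.globalPrivacyControl.

const OPT_OUT_COOKIE = "ccpa_opt_out"; // assumed cookie name, not a standard

// Parse a "Cookie:" request header (same format as document.cookie)
// into a name -> value map. Later duplicates overwrite earlier ones.
function parseCookieHeader(header) {
  const out = {};
  for (const part of String(header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Decide whether this visitor has opted out of sale/sharing.
// Order matters: the CPRA regulations require honoring an opt-out preference
// signal (Global Privacy Control: "Sec-GPC: 1" request header, or
// navigator.globalPrivacyControl === true) even when it conflicts with an
// earlier on-site choice, so the signal is checked first. Absent a signal or a
// stored opt-out, the visitor is NOT opted out: CCPA is opt-out, not opt-in.
function resolveOptOut({ cookieHeader = "", gpcSignal = false } = {}) {
  if (gpcSignal === true) return { optedOut: true, source: "gpc" };
  const cookies = parseCookieHeader(cookieHeader);
  if (cookies[OPT_OUT_COOKIE] === "1") return { optedOut: true, source: "preference" };
  return { optedOut: false, source: "default" };
}

// Set-Cookie value written when the visitor clicks the opt-out link.
// Secure and SameSite so the preference cannot be planted or read cross-site;
// a long Max-Age so the choice is not silently lost at the end of the session.
function optOutCookie(maxAgeDays = 365) {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Constructed tag registry for the demo. "sale_share" marks tags whose
// vendors receive personal information for advertising or other sale/share
// purposes; "essential" tags are needed to deliver the requested service.
const TAGS = [
  { id: "session", purpose: "essential", src: "/static/session.js" },
  { id: "ads-pixel", purpose: "sale_share", src: "https://ads.example/pixel.js" },
  { id: "retargeting", purpose: "sale_share", src: "https://rt.example/tag.js" },
];

// Return the ids of tags that may load for this visitor. Opted-out visitors
// still get essential tags; nothing that sells or shares loads for them.
function tagsToLoad(tags, optedOut) {
  return tags.filter((t) => t.purpose === "essential" || !optedOut).map((t) => t.id);
}

// Demo on constructed input: a returning visitor who clicked the opt-out link.
const visitor = { cookieHeader: "cart=abc123; ccpa_opt_out=1", gpcSignal: false };
const decision = resolveOptOut(visitor);
console.log(`opted out: ${decision.optedOut} (${decision.source}); loading: ${tagsToLoad(TAGS, decision.optedOut).join(", ")}`);
```

The gate belongs server-side or in the first script that runs on the page, before any vendor tag is injected: an opt-out that only hides a banner while the pixels still fire is exactly the failure regulators look for.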
3. Revise your privacy policy
A privacy policy is a legal document that sets out the agreement between the company and the user, and it is required for CCPA compliance. It doesn’t only protect consumers; it also protects your business from penalties and legal or reputational damage.
Like all legal agreements on a website, a privacy policy should be written in plain, simple language. Here are the main requirements on what it should include:
- Purposes of collection. State the purposes for which each category of personal information is collected, such as providing the service, marketing or analytics. (The CCPA does not use the GDPR concept of a “legal basis”; it asks for the purposes.)
- What data is collected. Under CCPA section 1798.100, businesses must provide a transparent list of the categories of personal information collected when users visit the site.
- How long data is retained. Note the retention period (or the criteria used to set it) for each category of personal information.
- Data sharing and selling. If you share or sell data with third parties, your privacy policy must disclose this and explain how consumers can opt out.
- User rights. List what rights users have over their personal information. Under the CCPA these are the rights to know, delete, opt out, limit and correct personal information, and the right to non-discrimination. State how users can submit requests and how long you take to respond; the statute requires a response within 45 days, extendable once by another 45 days when reasonably necessary.
If you want to accelerate the process, Shopify offers a free and high-quality privacy policy generator for any business. Just make sure you alter it to fit your company.
4. Write a cookie policy
If your website uses cookies, you must include a cookie policy and place it on a separate page or add it as a section in the privacy policy. Let’s go over what a CCPA-compliant cookie policy must state:
- Date and contact information. If you’re adding the cookie policy as a separate page on your website, state the date when the document becomes in effect and provide your company’s contact information.
- “Cookie” definition. Not every user is going to be familiar with what a cookie is, so you must educate them with a clear definition. It ensures the clarity and transparency of the legal document.
- Consent information. Provide transparent information on what users are agreeing to when they accept the use of cookies on your website.
- Withdrawal options. Explain in simple terms the easiest ways for users to opt out of data collection, sharing, or selling.
- Cookies used. List every cookie you use, including its type, provider, expiry date and purpose.
If you’re not sure what cookies are used on your website, use a cookie scanner tool. Here’s an example of how the TinyCookie cookie scanner looks on Shopify:
A cookie scanner provides you with a full list of cookies used on your site, including the provider and expiry date, so you don’t have to look for them in developer tools.
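As an added example (not TinyCookie’s scanner), the check below builds that inventory from captured Set-Cookie headers and diffs it against the cookie table declared in the policy, reporting undeclared cookies, cookies the policy lists but the site no longer sets, and retention claims that don’t match what the cookie actually does. The captured headers, hostnames and policy entries are constructed for the demo; in practice you would capture the headers with a proxy or the browser’s network log.

```javascript
// Added example (not TinyCookie's scanner): build a cookie inventory from the
// Set-Cookie headers a site and its embedded third parties emit, then diff it
// against the list declared in the cookie policy. All input is constructed.

// Parse one Set-Cookie header. Max-Age wins over Expires (RFC 6265);
// a cookie with neither is a session cookie (maxAgeSeconds === null).
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    maxAgeSeconds: null,
    secure: false,
    httpOnly: false,
  };
  let expiresAt = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "max-age") cookie.maxAgeSeconds = parseInt(val, 10);
    else if (key === "expires") expiresAt = Date.parse(val);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  if (cookie.maxAgeSeconds === null && expiresAt !== null && !Number.isNaN(expiresAt)) {
    cookie.maxAgeSeconds = Math.max(0, Math.floor((expiresAt - now) / 1000));
  }
  return cookie;
}

// Compare what the site actually sets with what the policy declares.
// Cookies are keyed by name + provider host, so a same-named cookie from a
// different provider is reported rather than silently matched.
function auditCookies(observed, declared, { firstPartyDomain, now }) {
  const inventory = observed.map(({ host, header }) => {
    const c = parseSetCookie(header, now);
    c.provider = host;
    c.thirdParty = !(host === firstPartyDomain || host.endsWith("." + firstPartyDomain));
    // 0 = session cookie; otherwise whole days, which is what the policy lists
    c.retentionDays = c.maxAgeSeconds === null ? 0 : Math.round(c.maxAgeSeconds / 86400);
    return c;
  });
  const key = (c) => `${c.name}@${c.provider}`;
  const declaredByKey = new Map(declared.map((d) => [key(d), d]));
  const observedKeys = new Set(inventory.map(key));
  return {
    inventory,
    undeclared: inventory.filter((c) => !declaredByKey.has(key(c))),
    stale: declared.filter((d) => !observedKeys.has(key(d))),
    retentionMismatch: inventory.filter((c) => {
      const d = declaredByKey.get(key(c));
      return d !== undefined && d.retentionDays !== c.retentionDays;
    }),
  };
}

// Constructed capture: first-party store plus two embedded vendors.
const OBSERVED = [
  { host: "shop.example.com", header: "_session_id=abc; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "shop.example.com", header: "cart=123; Max-Age=1209600; Path=/; Secure" },
  { host: "analytics.example.net", header: "_ga=GA1.2.1; Max-Age=63072000; Path=/; Domain=.example.net" },
  { host: "ads.example.org", header: "IDE=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure" },
];

// Constructed cookie-policy table: what the policy currently claims.
const DECLARED = [
  { name: "_session_id", provider: "shop.example.com", purpose: "essential: login session", retentionDays: 0 },
  { name: "cart", provider: "shop.example.com", purpose: "essential: shopping cart", retentionDays: 14 },
  { name: "_ga", provider: "analytics.example.net", purpose: "analytics", retentionDays: 365 },
];

const report = auditCookies(OBSERVED, DECLARED, { firstPartyDomain: "example.com", now: Date.UTC(2025, 0, 1) });
for (const c of report.undeclared) console.log(`undeclared: ${c.name} from ${c.provider} (third party: ${c.thirdParty}, ${c.retentionDays} days)`);
for (const c of report.retentionMismatch) console.log(`policy retention wrong for ${c.name}: actual ${c.retentionDays} days`);
```

Run this against a fresh capture whenever a tag or app is added to the store; an undeclared third-party cookie is both a cookie-policy gap and, if the vendor receives personal information, a possible undisclosed “share” that the opt-out must cover.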
5. Protect consumer data
Collecting California residents’ data comes with a security responsibility. Under the CCPA, businesses must maintain reasonable security procedures and practices or face penalties and lawsuits, depending on the severity of the violation. Here’s a quick plan for keeping consumer data secure:
- Update your policies. If your data collection practices change, update the privacy or cookie policies as soon as possible and inform your users about the changes.
- Perform a data inventory. Keep a record of what personal information you collect, where it is stored and which systems and vendors touch it. If you use specific tools to maintain the inventory, review their own data handling practices to make sure they comply with the CCPA.
- Audit your agreements. If you share or sell user data with other companies, regularly review the contracts with those companies to confirm they impose the purpose limitations and security obligations the CPRA requires of service providers, contractors and third parties.
- Improve your cybersecurity posture. Review the security tools your business uses and upgrade where necessary: encrypt personal information at rest and in transit, use secure transfer protocols, and protect endpoints. To prevent unauthorized access, give each employee a unique account with multi-factor authentication rather than shared logins, and grant access to consumer data only to those who need it.
- Create data protocols. Set up a clear process through which users can exercise their rights, and written procedures for employees who handle requests, so that requests are fulfilled consistently and no one improvises with personal data.
- Train your employees. Continuous data protection and CCPA compliance training closes another gap: it helps ensure unauthorized access or disclosure doesn’t happen because of a lack of employee awareness.
Penalties for non-compliance
There are many reasons businesses can face CCPA fines or penalties, including not providing an opt-out, selling or sharing the personal information of consumers under 16 without the required opt-in consent, data breaches caused by inadequate security, and more. Civil penalties are assessed per violation and depend on intent:
- For unintentional violations. Unintentional violations are infringements that happen without deliberate disregard of the CCPA, often through a lack of understanding of its requirements. Until the end of 2022, businesses were entitled to a 30-day cure period before enforcement; since the CPRA took effect, granting time to cure is at the regulator’s discretion. Fines can go as high as $2,500 per violation.
- For intentional violations. When companies consciously disregard the CCPA’s requirements, or the violation involves the personal information of a consumer under 16, fines can reach $7,500 per violation.
It’s also important to mention that CCPA liability can arise from class actions against a company. Consumers can sue under the CCPA only in narrow circumstances: a data breach of unencrypted and unredacted personal information caused by the business’s failure to maintain reasonable security. Statutory damages range from $100 to $750 per consumer per incident, or actual damages if higher.
The largest sum connected to the CCPA so far was not a regulator’s fine but Zoom’s $85 million settlement of a consumer class action over privacy and security failures, including “Zoombombing” of meetings by uninvited participants and the sharing of user data with third-party platforms. The first enforcement action by the California Attorney General was a $1.2 million settlement with Sephora in 2022 for failing to disclose that it sold personal information and failing to honor Global Privacy Control opt-out signals.
CCPA vs other privacy laws
The CCPA and other privacy laws, like the GDPR, PIPEDA, APPI and LGPD, have differences and similarities. The main difference is that the CCPA is an opt-out law and doesn’t require consent before collection, while the others are consent-based (under the GDPR and LGPD, consent is one of several legal bases a business may rely on). Here is how the most widely cited privacy laws compare to the CCPA:

| | CCPA | GDPR | PIPEDA | APPI | LGPD |
|---|---|---|---|---|---|
| Who is protected | California residents | Individuals in the EU/EEA (not only citizens) | Canada residents | Japan residents | Brazil residents |
| Requires active user consent | No (opt-out model; opt-in only to sell or share data of consumers under 16) | Consent is one of six lawful bases | Yes (meaningful consent, with limited exceptions) | Yes for providing data to third parties or using it beyond the stated purpose | Consent is one of several legal bases |
| Default age of consent | 16 (13 to 15 may consent themselves; under 13 needs a parent) | 16, member states may lower it to 13 | No statutory age | No statutory age; assessed case by case | 12 (parental consent required below that) |
| Fine size | Up to $2,500 per violation, $7,500 per intentional violation or violation involving minors | Up to €20 million or 4% of global annual turnover, whichever is higher | Up to CAD 100,000 per violation | Up to JPY 1 million for individuals; up to JPY 100 million for corporations since the 2022 amendments | Up to 2% of revenue in Brazil, capped at BRL 50 million (around $8 million) per violation |
While privacy regulations have some laws and nuances specific to them, many of the main requirements are the same or similar. Here are the main similarities:
- While the CCPA doesn’t require opt-in consent, it still obliges businesses, like the other privacy laws, to inform users about the collection of their data at or before the point of collection and to publish a privacy and cookie policy.
- Users must be presented with an easy option to withdraw consent to personal data processing no matter which privacy regulation the business complies with.
- With data collection and sharing or selling, businesses have the responsibility to protect the data of their consumers under any privacy law.
- Most privacy regulations note the user rights to access, rectification, or deletion of their personal information.
Conclusion
Understanding and complying with the requirements of the CCPA is crucial for building consumer trust and fostering ethical business practices as well as a privacy-conscious society. All it takes is a compliant cookie banner, privacy policy, and data security measures to ensure a company is already better aligned with regulatory and consumer expectations.
The CCPA is already helping shape the future of privacy laws, and it’s likely that the demand for data transparency will only grow. So, staying informed and trying to proactively comply with the law will benefit not just consumers but also the companies.
Frequently asked questions
Under the CCPA, consumers have the right to know, delete, correct, opt out of the sale or sharing of, and limit the use of their personal information. They exercise these rights by sending a request to the business. If the request is ignored, they can file a complaint with the California Privacy Protection Agency (CPPA) or the California Attorney General.
Yes. The CCPA applies to businesses located outside California that do business in the state and collect the personal information of its residents, as long as the business meets at least one of the thresholds: more than $25 million in gross annual revenue, buying, selling or sharing the personal information of 100,000 or more California consumers or households, or deriving 50% or more of its annual revenue from selling or sharing personal information. A business that meets none of these is outside the CCPA’s scope.
The General Data Protection Regulation (GDPR) is a European Union law that protects the personal data of individuals in the EU, while the CCPA is a US state law that protects California residents. The main difference is that the GDPR requires a lawful basis (most often consent) before personal data is processed, whereas the CCPA lets businesses collect data by default and gives consumers the right to opt out of its sale or sharing.