California Consumer Privacy Act (CCPA) Compliance Guide: Everything You Need to Know

  • by Arlo Gilbert

May 2020 Update: California will vote on a major update to the CCPA in November. That law is called the California Privacy Rights Act ("CPRA"). You can read about those proposed changes here.

You’re officially on the clock

The California Consumer Privacy Act (CCPA) is a consumer data privacy law that took effect on January 1, 2020. That gave businesses only a few months to understand it and to make sure the company and its employees are doing what the law requires. Keep in mind that although it is a California statute, its reach is not limited to California companies: any business that meets the thresholds described below and collects personal information about California residents, whether they are customers or not, must comply, wherever the business is located.

It’s important to understand that every department within your company is responsible and has the potential to put the company at risk. The consequences of noncompliance can include substantial civil penalties, private lawsuits after a data breach, and a loss of customer trust.

If you don’t have a legal background, the CCPA’s text may seem complicated and somewhat confusing. That’s why we want to break it down for you. It’s a critical new regulation with serious implications. No matter your background or current role, you can’t play the ignorance card. It’s up to every one of us to get this right.

What is CCPA?

The California Consumer Privacy Act is commonly abbreviated CCPA. The California legislature passed it in 2018 (as AB 375), but it did not take effect until January 2020. Like the EU’s General Data Protection Regulation (GDPR), the CCPA obliges many (but not all) organizations to respect consumers’ right to privacy. While the GDPR protects people in the EU, the CCPA protects California residents. According to the Standardized Regulatory Impact Assessment prepared for the Attorney General by Berkeley Economic Advising and Research, LLC, the CCPA regulations will protect over $12 billion worth of personal information used for advertising in California each year.

Why do we have CCPA?

The CCPA may seem like a pain for companies, but it’s actually a huge leap forward for consumers who value their privacy. After all, we are all consumers and should care about our personal privacy. With so much of how we interact with businesses and organizations now digital, we share and leave behind incredible amounts of personal data, often without realizing it. This is your data. But until now, the entities that used your data were not held accountable for what they did with it. The CCPA aims to change that, giving residents of California “new rights” in how their data is collected and used.

Keep in mind that personal information is not limited to obvious identifiers like names and addresses. Companies are collecting much more than that: credit card numbers, Social Security numbers, demographics, income, age, political and religious affiliations, browsing and purchase history, and much more. This is personal data most people don’t realize companies are collecting, sharing, and selling. For the most part, this data is used to target marketing and advertising campaigns, but it can also fall into the wrong hands and be used to steal identities. Either way, the California legislature believes consumers should have certain rights and businesses certain obligations.

As a result, organizations’ feet are now held to the fire. Businesses have to show they are taking appropriate measures: protecting the data consumers allow them to collect, and not collecting, sharing, or selling the personal information of consumers who have exercised their rights to opt out or to delete. The required measures are lengthy and specific, because anything less would leave too much open to interpretation.

What are the regulations in CCPA?

Because the CCPA is relatively new, issues keep coming up, and the Attorney General has already proposed several rounds of modifications to the draft regulations. Companies should expect these rules to remain fluid. Until those modifications are adopted, here is what is in place right now. According to California’s Office of the Attorney General, to remain CCPA-compliant, businesses must:

  • Provide notice to consumers at or before the point at which personal information is collected
  • Let consumers opt out of the sale of their personal information, access it, and have it deleted. Businesses that sell personal information must provide a clear and conspicuous “Do Not Sell My Personal Information” link for opt-out requests
  • Respond to consumer requests within specific timeframes (generally 45 days, extendable once by a further 45 days if the consumer is notified)
  • Treat user-enabled privacy settings that signal a choice to opt out (such as a browser setting or plug-in) as valid opt-out requests
  • Verify the identity of consumers who ask to access or delete their information. For password-protected accounts the regulations let the business rely on its existing authentication practices, but it must still re-authenticate the consumer before disclosing or deleting data
  • Disclose any financial incentive offered for the collection, retention, or sale of personal information, and explain how the business values that data
  • Keep records of consumer requests, and of how the business responded, for at least 24 months.

What rights does CCPA give consumers?

The CCPA is all about giving consumers specific rights when it comes to their personal data. They have the following new rights:

  • The right to know what personal information is collected, used, shared, or sold, both as to the categories and the specific pieces of personal information;
  • The right to delete personal information held by businesses and their service providers;
  • The right to opt out of the sale of their personal information and direct a business to stop selling it. For consumers under 16, sale requires opt-in rather than opt-out: consumers aged 13 to 15 must affirmatively authorize it themselves, and for children under 13 a parent or guardian must;
  • The right to non-discrimination when a consumer exercises a privacy right under the CCPA.

Who has to comply with CCPA?

While every company should value the privacy of its customers and visitors, not every business is required to comply with the CCPA. The statute itself sets thresholds, and the Attorney General’s regulations add duties for the largest data handlers. The CCPA applies to a for-profit business that does business in California, collects California consumers’ personal information, and meets one or more of the following:

  • Has gross annual revenue in excess of $25 million;
  • Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year;
  • Derives 50 percent or more of its annual revenue from selling consumers’ personal information.

Separately, the regulations impose additional record-keeping and disclosure obligations on businesses that buy, receive, sell, or share the personal information of 4 million or more consumers a year.

What happens if we fail to comply?

Fines for noncompliance depend on the offense and other factors. The Attorney General may seek civil penalties of up to $2,500 per violation, rising to as much as $7,500 per violation for intentional noncompliance. Timing matters too: a business that receives notice of alleged noncompliance from the Attorney General has 30 days to “cure” the violation. If it does, no penalty is assessed; if it can’t remedy the situation within that window, it is back on the hook and subject to fines.

Data breaches open up a separate can of worms. If a business’s failure to implement reasonable security leads to the unauthorized access or theft of nonencrypted and nonredacted personal information, affected consumers can sue the business directly, for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. For statutory damages the consumer must first give 30 days’ written notice, and where a cure is possible the business can avoid them by curing in that period.

Interestingly, even with all of the publicity around the CCPA, California’s Attorney General has not yet released final regulations. Those are not expected until later this year, and the Attorney General’s enforcement authority begins July 1, 2020. The one thing we do know is that the state is, so far, limited in its enforcement capacity. There are simply not enough resources to make sure every company is complying with the CCPA and to pursue every noncompliance case. For this reason, some companies are expected to simply take their chances.

California residents aren’t waiting for companies to figure out how to comply with the CCPA, either. There are already consumer class action lawsuits working their way through the courts. Their outcomes are still pending, but the litigation is already proving a point: companies aren’t going to get away with noncompliance, at least not without a significant cost.

Aside from financial penalties, companies will care about earning the trust of consumers who increasingly demand that privacy come first. Consumers are becoming more savvy, learning their rights and expecting companies to honor them or suffer the consequences. Protecting consumers’ right to data privacy is the right thing to do, and now that the CCPA is in place, companies doing business with California businesses or California residents will have to comply whether they want to or not.

Do other states besides California have the same regulations?

Good question. Many people believe the right to data privacy should be a federal mandate rather than a patchwork of state decisions, since a federal privacy law would set one consistent standard for all companies. When it comes to data, there really are no borders. Most companies affected by the CCPA have customers beyond California and have already taken steps to protect consumer data worldwide because of it. Once that foundation is in place, extending it to customers across the U.S. and beyond is comparatively easy.

The point of the law is to protect consumer data and to make transparent how data is collected, stored, used, and shared. No other state has gone as far as California yet, and the CCPA will likely serve as the model for other states’ laws if the federal government doesn’t step in with a federal privacy law. New York and Illinois are reportedly considering their own consumer privacy laws in 2020.

Who in my company is responsible for ensuring compliance?

This is an interesting question, because CCPA compliance is an all-hands-on-deck effort. CEOs and CIOs often lead the charge, but because so many other departments collect and use consumer data, all of them must understand the law and take responsibility for what they do with that data.

Case in point: marketing. Marketers rely heavily on consumer data to shape their campaigns; it is precisely what lets companies target the right people at the right time to increase sales. Every time a consumer is tracked by a website cookie, fills out a form, or makes a purchase online, they are handing the company personal information whether they realize it or not. Under the CCPA, that information is now protected by law.

The same goes for your sales department. All of the customer data stored in systems such as Salesforce must be protected, and if it is shared with other departments, those departments take on responsibility for it too. You can see how quickly and easily consumer data spreads across the organization.

For this reason, companies should establish a systematic way to meet CCPA requirements. That means inventorying and cleaning up every database so the organization knows what personal information it holds, where it came from, why it was collected, and whether the consumer has opted out of sale or requested deletion. It means putting notices and consent controls front and center on your website. It means telling consumers how their personal data is collected, stored, used, and shared. Being proactive is the best way to minimize the risk of noncompliance.

CCPA requirements go beyond your own four walls, as well. If your company passes customer data to other companies, it remains responsible for that data: contracts with service providers must restrict how they may use it, and data sold to third parties must stop flowing once a consumer opts out. The web of data sharing, and of responsibility for that data, is extensive, complex, and dynamic.

What are cookie consent requirements?

We live in a world of cookies. Unfortunately, not the sweet kind. We’re talking about the browser cookies (and the equivalent identifiers in mobile apps) that most websites and applications now use to learn about visitor habits. These cookies aren’t all bad. Some make for an easier user experience (like remembering what you put in your online shopping cart); others track consumers for marketing purposes. It’s the latter that makes cookies a sticking point when it comes to the CCPA.

The CCPA wants companies to be more transparent about how they collect and use consumer data, and to make sure consumers know it’s being used. If your website uses cookies, you must let your visitors know. You can’t hide your cookie policies somewhere in an ocean of legal jargon on a hard-to-find webpage. Companies have to remember that the data cookies collect is not theirs. It is their customers’ and visitors’, and those people are the ones with control over it.

Cookie consent requirements mean companies have to use clear language in an obvious location to inform visitors of their cookie policies before any information is collected. Under the CCPA that notice must say what categories of personal information the cookies collect and for what purposes, and visitors must be given a working way to accept or decline, including an opt-out from any sale of that data.

You’ve probably already seen popup boxes as you land on webpages. It’s up to the company to make those popups actionable and the visitor’s response traceable. You must disclose that you use cookies, say why you use them, and let visitors provide or decline consent. If a visitor opts out, the opt-out has to actually take effect: tags that sell or share data must not load, the first-party cookies those tags set should be cleared, and the visitor’s choice must be recorded and honored on later visits.

What about privacy policies?

Just like cookie consent, the CCPA requires companies to post a privacy policy. Since most consumers aren’t clear about what privacy policies are for, companies are required to spell things out. Consumers aren’t alone in their uncertainty: many companies aren’t entirely clear about how they treat consumer data either, particularly once they’ve passed it to vendors and other third parties who may use it in their own ways. Complicating matters, privacy policy laws vary from state to state and change often, and most companies don’t have the resources to keep track of it all, much less ensure they are meeting the CCPA’s requirements. The CCPA requires that the privacy policy contain specific disclosures, including the categories of personal information collected and consumers’ rights, and that it be updated at least every 12 months.

And just like cookie consent, consumers must be told that their personal information is being collected and why. They then need to be given the ability to accept or decline, and that includes third-party cookies embedded on your site. You have to keep track of your users’ preferences and enforce them, even when you aren’t entirely sure what each third party is collecting.
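The two passages above describe what an opt-out has to do in practice: stop the tags that sell data, clear what they left behind, and keep a record. The following is an added example, not Osano’s code or code from any consent product, of the server-side logic behind that. It assumes a hypothetical first-party cookie that stores the choice, a made-up tag inventory in which the business has already classified each tag as a “sale” or not, and a boolean standing in for a user-enabled browser opt-out signal (the regulations require such signals to be honored; the Global Privacy Control’s `Sec-GPC: 1` header is one real carrier of one, but it postdates this post). The 24-month retention window is approximated as 720 days.

```javascript
// Added example (not Osano's code or any product's): a server-side
// "Do Not Sell" gate. It resolves the visitor's opt-out status from a
// stored first-party cookie or a browser-level opt-out signal, decides
// which third-party tags may be emitted, builds the Set-Cookie headers that
// persist the choice and expire first-party cookies set by sale-classified
// tags, and keeps an audit log pruned to a 24-month retention window.
// All cookie names, tag hosts and the tag inventory are made up.

// Hypothetical first-party cookie that records the opt-out of sale.
const OPT_OUT_COOKIE = "ccpa_opt_out_of_sale";

// Hypothetical tag inventory. The business classifies each tag as to whether
// the data it collects is "sold" under the CCPA; only those tags are gated.
// `cookies` lists first-party cookies the tag sets that the site can expire.
const TAGS = [
  { id: "session-analytics", src: "https://analytics.example/tag.js", sale: false, cookies: ["_an_sid"] },
  { id: "ad-retargeting",    src: "https://ads.example/pixel.js",     sale: true,  cookies: ["_ad_uid", "_ad_seg"] },
  { id: "data-broker-sync",  src: "https://broker.example/sync.js",   sale: true,  cookies: ["_br_id"] },
];

const DAY_MS = 24 * 60 * 60 * 1000;
const RETENTION_MS = 24 * 30 * DAY_MS; // 24 months, approximated as 720 days

// Parse "a=1; b=2" into a Map. Skips malformed pairs; first duplicate wins.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
    if (name && !jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// Resolve opt-out status for one request. A stored choice or a user-enabled
// browser signal both count; the regulations require treating such signals
// as valid opt-out requests.
function resolveOptOut(request) {
  const jar = parseCookieHeader(request.cookieHeader);
  if (jar.get(OPT_OUT_COOKIE) === "1") return { optedOut: true, source: "stored-choice" };
  if (request.browserOptOutSignal) return { optedOut: true, source: "browser-signal" };
  return { optedOut: false, source: "none" };
}

// Ids of tags that may be emitted into the page for this visitor.
function tagsToEmit(optedOut) {
  return TAGS.filter((t) => !t.sale || !optedOut).map((t) => t.id);
}

// Set-Cookie headers that persist the opt-out for a year and expire the
// first-party cookies set by sale-classified tags. Cookies scoped to other
// domains cannot be cleared from here; the remedy is not loading those tags.
function optOutSetCookies(host) {
  const gone = "Expires=Thu, 01 Jan 1970 00:00:00 GMT";
  const headers = [`${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; Secure; SameSite=Lax`];
  for (const tag of TAGS) {
    if (!tag.sale) continue;
    for (const name of tag.cookies) headers.push(`${name}=; Path=/; Domain=${host}; ${gone}`);
  }
  return headers;
}

// Append one audit record to `log` (stands in for the business's durable store).
function recordRequest(log, kind, source, visitorKey, now) {
  log.push({ ts: new Date(now).toISOString(), kind, source, visitorKey });
  return log;
}

// Keep only records inside the retention window.
function pruneLog(log, now) {
  return log.filter((r) => now - Date.parse(r.ts) <= RETENTION_MS);
}

// Handle a page request: returns what the response layer needs.
// A fresh browser signal is recorded once; thereafter the stored cookie
// takes over and no duplicate record is written.
function handlePageRequest(request, log, now) {
  const { optedOut, source } = resolveOptOut(request);
  const result = { optedOut, tags: tagsToEmit(optedOut), setCookies: [] };
  if (optedOut && source === "browser-signal") {
    result.setCookies = optOutSetCookies(request.host);
    recordRequest(log, "opt-out-of-sale", source, request.visitorKey, now);
  }
  return result;
}

// Handle a click on the "Do Not Sell My Personal Information" link.
function handleOptOutClick(request, log, now) {
  recordRequest(log, "opt-out-of-sale", "link-click", request.visitorKey, now);
  return { optedOut: true, tags: tagsToEmit(true), setCookies: optOutSetCookies(request.host) };
}
```

The design point is that the gate runs before any tag markup is emitted, so an opted-out visitor never receives the sale-classified tags in the first place; a banner that only hides them client-side after they have already fired does not satisfy the opt-out. Note also the honest limit in `optOutSetCookies`: cookies that a third party set on its own domain are out of the first party’s reach, which is why not reloading the tag is the only reliable remedy.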

Is there an easy way to comply with CCPA?

So glad you asked. Yes, there is. The CCPA sets the requirements and the penalties for noncompliance; how a company meets them is up to the company. You can do it manually, coding pop-up consent boxes, tracking consumer preferences, and managing vendors’ use of the data you share, or you can automate it.

A consent-management script added to your website can take care of the front-end pieces: showing the required notices, blocking third-party tags until the visitor’s choice is known, and recording every consent and revocation so they are searchable for data governance, even when the site uses third-party cookies or shares data with companies in other states or countries. It cannot by itself satisfy the back-end obligations, such as fulfilling access and deletion requests or restricting what vendors do with data they already hold, so treat it as one component of compliance rather than the whole.

There are also free and paid tools, including open-source ones, that make building cookie notices straightforward. Again, automation does the heavy lifting: managing consents, presenting the notice in the visitor’s language, and tracking consents for auditable record keeping.

When it comes to your vendors, do you know what they’re doing with the data you’ve shared with them? If you don’t want to break the law, you need to know. Depending on how many vendors you have, this can be nearly impossible, because most vendors don’t disclose how they use or share that information either. Under the CCPA, you can’t just share or sell consumer data to vendors and third parties and be done with it. It remains your responsibility to keep consumers’ data secure and to honor their wishes about how it is used.

Since you retain responsibility for your consumer data, it’s important to partner with vendors who share your commitment to protecting consumer privacy rights. One way to know is to automate how you monitor the privacy practices of current and prospective vendors. Osano’s solution combines legal experts and AI technology to sift through the legal jargon, boil down how each vendor treats consumer data, and assign each vendor a risk score. You can even see how their vendors, and their vendors’ vendors, treat that data, all in one place. It’s a quick way to evaluate vendors and confirm they are doing what they can to protect the data you’ve shared with them, and it will prove valuable if you are audited.

As the saying goes, it’s not a matter of if but when. The CCPA is a good thing, and more states are very likely to draft their own privacy laws in the near future. The sooner your company gets on board, prioritizing the initiative and putting mechanisms in place to support it, the sooner you can move forward confident that you are contributing to the greater good.

About The Author · Arlo Gilbert

Arlo Gilbert is the CEO & co-founder of Osano. An Austin, Texas native, he has been building software companies for more than 20 years in categories including telecom, payments, procurement, and compliance. In 2005 Arlo invented voice commerce; he has testified before Congress on technology issues and is a frequent speaker on data privacy rights.