The California Consumer Privacy Act (CCPA) is a law that enhances privacy rights & consumer protections for residents of the U.S. state of California.
The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents.
The three CCPA thresholds for businesses
CCPA applies to any for-profit businesses in the world that sells the personal information of more than 50,000 California residents annually, or have annual gross revenue exceeding $25 million, or derives more than 50 percent of its annual revenue from selling the personal information of California residents.
Sale of PI is defined in the CCPA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” (1798.140.t1).
If a company shares common branding (i.e. shared name, service mark or trademark) with another business that is liable under the CCPA, the company will be subject to CCPA compliance too.
Under the CCPA, California residents (“consumers”) are empowered with the right to opt out of having their data sold to third parties, the right to request disclosure of data already collected, and the right to request deletion of data collected. Additionally, California residents have the right to be notified and the right to equal services and price (i.e. cannot be discriminated against based on their choice to exercise their rights).
Failure to comply with the CCPA can result in fines for businesses of $7,500 per violation and $750 per affected user in civil damages for businesses. The power to enforce the CCPA lies with the office of the Attorney General of California, who has until July 2020 to specify enforcement regulation.
However, the interim period between January and July 2020 is not a grace period, and businesses are liable for civil lawsuits from their data collection and selling from January 1, 2020.
What does the CCPA mean for my website?
If your business meets any of the three CCPA thresholds above and has an online domain, you are required to implement certain changes to your website. Your website must inform its users at or before the point of data collection about the categories of personal information that it collects and for what purposes. Your website must feature a Do Not Sell My Personal Information link that users can use to opt out of third-party data sales.
If your website has minors under the age of 16 among its users, you are required to obtain their opt-in (consent) before you are allowed to sell or disclose their personal information to third parties. If the minor is under the age of 13, a parent or legal guardian must opt in for them.
Your business must also update its website’s privacy policy to include a description of the consumer’s rights and how to exercise these rights. Your privacy policy must also contain an annually updated list of the categories of personal information that your company collects, sells and discloses.
If your business receives a verifiable request from a consumer asking for disclosure of their personal information collected, you must provide the consumer free of charge the records of personal information collected in the past 12 months (including sources, commercial purposes and categories of third parties with whom it has been shared).
What does the CCPA say about cookies?
Cookies and other website tracking technologies are classified as unique identifiers that form part of the CCPA’s definition of personal information. Cookies are one of the most commonly used technologies in the world for websites to collect personal information on end-users.
First party cookies (those set by the website itself) often collect anonymous data for its core functions that is deleted once a user closes the browser, but third party cookies (those set by tech companies and social media platforms) often collect a lot of personal, sometimes sensitive information on consumers that can be kept for up to a hundred years.
Even data collected on your website through cookies that might not in itself constitute personal information (such as anonymized analytics data), but by inference or combination with other data for the purpose of identifying and connecting devices, creating profiles and serving personalized advertisement, can ultimately be considered personal information under CCPA.
If your business meets any of the three CCPA compliance thresholds, you are liable for whatever personal information you collect on California residents through your website’s cookies. Consumers can request disclosure of the PI collected on your website in the past 12 months, as well as request that you delete this data.
You must therefore know what data your website collects, how it collects it and for what purpose, and with whom (third parties) it shares this data.