First things first… What is the CCPA?
The California Consumer Privacy Act (CCPA) is a law that protects the privacy of California residents' personal information (PI) by regulating how businesses all around the world should handle it.
The CCPA became effective in the United States on January 1, 2020, marking a significant legal milestone. Starting from January 1, 2023, the California Privacy Rights Act (CPRA) will come into full effect, making important amendments and extensions to the CCPA.
The three CCPA thresholds for businesses
The CCPA applies to any business that operates for profit, regardless of where they are based in the world, and processes the personal information of over 50,000 California residents per year. Additionally, the business must have a gross annual income of over $25 million, or make more than 50% of their annual income through selling the personal details of California residents.
According to the CCPA, a sale of PI (personal information) occurs when a business shares, rents, discloses, transfers, or communicates a consumer’s personal information to another business or third party by electronic or other means, orally or in writing. According to 1798.140.t1, a contract involves exchanging money or something else of value.
If a business shares similar branding, such as a shared name or trademark, with another company that is responsible for CCPA compliance, then that business will also need to meet CCPA compliance requirements.
The CCPA grants California residents, also known as consumers, the power to opt out of having their data sold to third parties. They also have the right to request disclosure of any data already collected and to ask for the deletion of said data.
California residents also have the privilege of receiving notifications and receiving equal services and pricing. This means that they cannot be treated unfairly based on their decision to exercise their rights.
Not following the CCPA guidelines can lead to penalties for businesses, with each violation resulting in a fine of $7500 and $750 in civil damages for each user affected.
What does the CCPA mean for my website?
If your company meets any of the three CCPA thresholds and has an online presence, there are certain changes you need to make to your website.
Your website needs to let users know about the types of personal information it collects and why, either before or during the data collection process.
It is important for your website to have a link labeled “Do Not Sell My Personal Information” that users can click on to opt out of any third-party data sales.
If your website has users who are minors under the age of 16, you need to get their consent before selling or sharing their personal information with third parties. For those under 13, their parent or legal guardian must give their consent for them.
To keep your business up-to-date, make sure to update your website’s privacy policy. Include details about your customers’ rights and how they can use them. Make sure to update your privacy policy every year with a list of the personal information categories your company collects, sells, and/or discloses.
If a customer requests disclosure of the personal information your business has collected, it’s important to provide them with the requested information free of charge. This includes records of personal information collected in the past year, including the source, the commercial purposes, and the groups of outside parties with whom the information has been shared.
Your business cannot discriminate against consumers who choose to exercise their right to request disclosure, correction or deletion of their information.
Could you tell me what personal information means?
The CCPA defines personal information as any data that can identify or describe a particular consumer or household, or could potentially be linked to them directly or indirectly.
According to the CCPA, personal information encompasses direct identifiers like social security numbers, real names, and postal addresses, as well as unique identifiers such as account names, IP addresses, and cookies. Biometric data such as voice and face recordings, geolocation data like location history, and internet activity are also considered personal information. The data collected during activity, such as browsing history, search history, and interaction with webpages or apps, can include sensitive information such as health data, personal characteristics, behavior, religious or political beliefs, sexual preferences, employment and education data, as well as financial and medical information.
Personal information encompasses data that, even by implication, can potentially identify an individual or a household.
Aggregate and anonymous data isn’t subject to CCPA regulations unless it can be re-identified. This implies that data that isn’t inherently personal information can become so under CCPA if it can be used, either by inference or by being combined with other data, to identify an individual or their data.
What does the CCPA say about cookies?
Cookies and other website tracking technologies are considered unique identifiers that fall under the CCPA’s definition of personal information. Cookies are one of the most frequently utilized technologies that websites use to gather personal information about their users.
Cookies that are set by the website itself, also known as first-party cookies, generally gather anonymous information to support essential website functions. They get deleted when the user closes the browser. However, third-party cookies set by tech companies and social media platforms tend to collect more personal and sometimes sensitive data. There is consumer information that can be stored for as long as a century.
Even the data collected on your website via cookies can be considered personal information under the CCPA. This information may not necessarily be personal information on its own, like anonymized analytical information, but when combined with other data, it can be inferred as personal information. When devices are connected and profiles are created, personalized advertisements can be served, which can sometimes identify you personally.
What can businesses and residents in California expect to see change starting on January 1, 2023?
The new California Privacy Rights Act (CPRA) still applies to for-profit organizations making over US $25 million in annual revenue or getting more than half of their revenue from sharing or selling the personal data of California residents. There have been some changes to the California Consumer Privacy Act. One of the thresholds has been raised to 100,000 residents or households, which means that more California residents are now protected. A new organization called the California Privacy Protection Agency (CPPA) has been created, and it now oversees businesses that process and/or share personal information, including B2B data.
The CCPA only covers the selling of personal information, while the CPRA covers data sharing as well. The new regulation expands on existing consumer rights and adds some new ones, such as the right to correction and the right to limit the use of inaccurate data collected about them. Individuals have the right to request information on automated decision-making processes and their likely outcomes when it pertains to their sensitive personal data. They also have the right to opt out of the use of automated decision-making technology for their personal data.
If your company falls under the CCPA/CPRA compliance threshold, you are responsible for any personal data you gather from California residents via your website’s cookies, if it is shared or sold. Customers may ask for disclosure of their collected personal data.
It’s important to be aware of the data that your website collects, how it’s collected, why it’s collected, and who it’s shared with (such as third parties).
For more information about how we comply with the CCPA and how we collect and process personal data, please read our data policy.