The California Consumer Privacy Act (CCPA) imposes a lot of new responsibilities on businesses and requires them to change the way they think about consumer data. For the most part, businesses can continue collecting and using personal data as they were before, but they must be more transparent about it and be prepared to respond to consumer requests regarding their rights.
In this chapter, we’ve outlined the major actions a business must take in order to become CCPA compliant, from data mapping to preparing for your first privacy request.
On August 31, 2022, the California legislative session adjourned without having extended the CCPA's exemption for employee and B2B data. This exemption expired on January 1, 2023. Businesses should plan to incorporate employee and B2B data into their CCPA compliance strategy.
Data mapping is the first step to becoming CCPA compliant, and generally the most labor-intensive one as well. During this process, businesses must precisely determine what personal information they are collecting, who they are collecting it from, and who they are sharing it with.
This large task is easier to understand when broken down into two halves: personal information that comes in and personal information that goes out.
Businesses tend to collect a lot of consumer data. In fact, they usually collect more data than they are aware of. That’s why CCPA compliance starts with figuring out who you are collecting personal information from and what categories of personal information you are collecting.
Let’s start with the “who” question. The best way to do this is to identify what groups of consumers you collect information from. Here are some of the most common consumer groups for businesses:
Notice the diversity of groups in this list of examples. Businesses may just be thinking of customers as “consumers,” but the CCPA defines the term simply as any California resident. The CCPA even covers personal information collected for internal or non-commercial purposes, such as from a job applicant.
Identifying the various groups of consumers helps businesses better understand the categories of information they are collecting. Often it is as simple as reviewing the forms used in that particular context. For example, a newsletter subscription may just require an email address, while an online purchase usually involves much more (name, phone number, shipping address, etc.).
Having mapped out your different consumer groups and determined what information you are collecting from them, the next step is to determine which of the information categories are personal information for CCPA purposes. The CCPA defines personal information very broadly, including not just identifiers like names and email addresses, but also IP addresses, search history, geolocation data, and much more. As a practical matter this step is more about finding exceptions, i.e., consumer data that is not personal information. These include:
Creating a thorough and accurate map of your business’s inbound consumer data will make the rest of the CCPA compliance proceed more smoothly. It will also help your team better respond to consumer requests to know and requests to delete.
After you’ve mapped the inbound data, you must next examine each category of disclosures of personal information to outside parties. The CCPA deals extensively with the disclosure of consumers’ personal information, and these disclosures are treated differently according to how they are characterized. The most critical question to ask of any disclosure will be: Is this a sale or sharing of personal information?
Deciding what is or is not a sale or sharing of personal information is important for two reasons. First, if a consumer submits a request to know, the business must disclose the categories of personal information it has sold to or shared with third parties. Second, the CCPA gives consumers the right to opt out of the sale and sharing of their personal information. In order to honor consumers’ opt-out requests, the business must first know which transactions qualify as selling or sharing.
The most important exception to the CCPA’s definition of selling is the disclosure of personal information to service providers. If a vendor qualifies as a service provider, the transfer of personal information to that vendor is not a sale and is not affected by consumer opt-out requests.
The onboarding of vendors to your CCPA compliance system is therefore critically important, and often the most time-consuming part of the whole compliance project. In order to qualify as a service provider, the vendor contract must meet certain requirements, such as prohibiting the vendor from retaining, using, or disclosing consumers’ personal information for any other purpose besides performing the specified service. This means your compliance team will have to examine each vendor contract to see if it contains the necessary language. If it does not, businesses will either have to update the contract or else potentially treat any transfer of information to the vendor as a sale, and thus subject to opt-out requests.
Your business’s data map forms the foundation of all future CCPA compliance. Once it is completed, the rest of the project will be significantly easier.
Keeping consumers informed regarding data collection and their privacy rights is a major component of the CCPA. Once a business has finished its data map, it will need to make some changes to its privacy notices. Fortunately, this is usually a pretty straightforward process.
Most companies that collect consumer data online already have a privacy policy in place on their website. Businesses should take the opportunity at this point to review their existing policy, compare it to the data map they’ve just created, and make any necessary changes. It’s often the case that businesses have made changes to their data collection practices without updating their privacy policy.
The next step is to add a CCPA addendum to the privacy policy. This addendum makes all the necessary disclosures to consumers regarding the collection and use of their personal information. It should be in plain, non-technical language and be reasonably accessible to consumers with disabilities, following recognized industry standards such as the Web Content Accessibility Guidelines version 2.1. Here are the points it should cover:
Once the CCPA addendum is completed, it must be posted at or before any point of collection. For example, if a retailer offers discount codes to consumers in exchange for signing up to receive promotional emails, this is a point of collection. The retailer must include a link to its privacy policy near the point of data collection.
Depending on their practices, businesses may need to include other notices in their privacy policy.
As noted in the previous section, even internal data collection from employees and job applicants is covered by the CCPA. A business must disclose what personal information it is collecting and for what purposes it is used. This notice must be given at or before the point of collection (e.g., in the job application or employment agreement).
Businesses that sell or share consumers’ personal information to third parties must provide an additional notice to consumers. This notice can be its own web page or added to the main privacy policy. It must inform consumers:
These businesses must also post a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their homepage. The link should send consumers to this notice.
Additionally, businesses that sell or share personal information collected while interacting with the consumer offline must provide an offline disclosure of the consumer's right to opt out and instructions for making a request. If a business operates a brick-and-mortar store, it can fulfill this obligation with a disclosure on the forms used to collect the information, or by posting signage in the area. If the information is collected over the phone, the business may orally inform the consumer of their opt-out rights.
There are special rules for the sale or sharing of personal information of consumers who are between the ages of 13 and 15, and of consumers under the age of 13. If your business has knowledge that it sells or shares the personal information of consumers in these age groups, it must provide a process for obtaining their affirmative consent (or their guardian’s consent) to opt in, and also describe this process in the privacy notice.
Businesses cannot discriminate against consumers for exercising their CCPA rights, but they can offer consumers financial incentives for opting in to the use and sale or sharing of their personal information. They can also charge a different price to consumers who opt out, as long as the price difference is related to the value provided to the business by that consumer’s personal information. Businesses that do either of those things must explain it in their privacy notice.
Businesses that buy, receive, sell, or share the personal information of 10 million or more consumers per year must compile and disclose additional information in their privacy policy. They must tell consumers how many privacy requests they received in the previous year, as well as how many of those requests were denied, complied with in part, and complied with in whole. They must also disclose the median number of days they took to respond to privacy requests.
With all the necessary privacy notices out of the way, the final component of CCPA compliance is responding to privacy requests from consumers. Businesses should already have a plan in place for handling these requests before they ever receive one. Going through a few trial runs will help identify any gaps in the system and ensure that requests can be processed in a timely manner.
This section does not include a detailed description of each privacy right—you can find that in Chapter 2—but rather identifies the key issues that businesses should be aware of when responding to each type of privacy request.
Because there are security concerns associated with disclosing personal information, requests to know must be verifiable. When determining the level of verification necessary, businesses should take into account the sensitivity of the information. For requests to know less sensitive personal information, an email verification is usually sufficient. Requests to know more sensitive information may require additional security steps, or perhaps an account login if the consumer already has an online account (businesses cannot require a consumer to create an account in order to process the request).
There are also several types of specific information that a business cannot disclose to the consumer. These are:
In these cases, the business should just describe the type of information collected.
Businesses must acknowledge receipt of the request to know within 10 days, and have 45 days to comply. This can be extended for an additional 45 days when reasonably necessary, provided the consumer is notified before the original 45-day period has lapsed.
Requests to delete personal information involve many of the same issues as requests to know. As with requests to know, businesses must verify the request before complying. The level of verification required depends on the type of information being deleted. For example, before deleting sensitive information such as family photos, the business must verify the consumer’s identity to a higher degree of certainty.
Complying with the deletion request does not necessarily require deleting the information. Deidentifying or aggregating the data—changing it so it can no longer be linked to a specific individual—also fulfills the business’s obligation. If the business determines that it does not need to delete because one of the CCPA’s exceptions applies, it must inform the consumer of this decision.
Businesses must also notify service providers, contractors, and third parties of the request to delete, unless notification would be impossible or involve disproportionate effort.
Businesses must acknowledge receipt of the request to delete within 10 days, and have 45 days to comply. This can be extended for an additional 45 days when reasonably necessary, provided the consumer is notified before the original 45-day period has lapsed.
Businesses must provide at least two methods to submit opt-out requests, including an interactive form accessible via the business’s “Do Not Sell or Share My Personal Information” link. Websites must also treat opt-out preference signals such as Global Privacy Control as valid requests to opt out.
Businesses may give customers the option to opt out of specific types of information selling, as long as there is a prominent option that opts out of the sale of all personal information. Once a consumer has opted out, the business must wait at least 12 months before asking them to opt in again.
The opt-out request must be easy to execute and require minimal steps. CCPA regulations offer several examples of prohibited practices:
Unlike requests to know and delete, requests to opt out do not need to be verified. However, businesses can deny a request if they have a good-faith, reasonable, and documented cause to believe the request is fraudulent.
Businesses must comply with a request to opt out within 15 days of receiving it.
Businesses must respond to consumer requests to correct inaccurate personal information. Similar to requests to know and requests to delete, requests to correct must be verifiable. Businesses have 45 days to comply with the request, though that may be extended to 90 days if reasonably necessary and the consumer is notified. Businesses are only required to make “commercially reasonable efforts” to correct the information.
The CCPA now gives consumers the right to limit use and disclosure of their sensitive personal information. This addition brings the California law closer in line with the data privacy protections of the European Union’s privacy law, the General Data Protection Regulation (GDPR).
In order to respond efficiently to a request to limit, businesses should identify in advance what sensitive personal information they process, and the necessary procedures for limiting its use.
Consumers may submit privacy requests through an authorized agent. In order to maintain data security, businesses may require the agent to prove it has signed permission to make the request. It may also require the consumer to:
These requirements would not apply when the consumer has provided the agent with power of attorney.
The CCPA also imposes cybersecurity requirements on businesses that collect personal information. The law creates a private right of action for consumers in the event of a data breach where nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices.
In order to avoid potential class-action lawsuits, businesses should encrypt and redact consumers’ personal information wherever possible, and implement and maintain reasonable data security procedures. Neither the law nor the regulations give specific guidance on what security measures are required, so it is likely to depend on the situation and personal information involved.
With a complete data map, updated privacy notices, and practiced responses to privacy requests, CCPA compliance is a very manageable goal. For the most part, becoming CCPA compliant is a one-time process, coupled with the handling of privacy requests as they come up. There are a few ongoing, periodic tasks that businesses must perform in order to maintain their compliance.
The next chapter, “Staying CCPA Compliant,” discusses these maintenance tasks and gives businesses a sense of how much effort is involved.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.