Major CCPA updates you need to know
The California Consumer Privacy Act of 2018 (CCPA) passed into law in June 2018 and entered the enforcement phase on July 1, 2020.
The regulations of the CCPA went into effect on August 14, 2020, and four key amendments to the regulations went into effect on March 15, 2021.
Most for-profit businesses that collect personal information about consumers in California must implement and demonstrate CCPA compliance.
If your organization meets any of the following criteria, you must address and prove CCPA compliance:
- Your organization has gross annual revenue of more than $25 million
- Your organization buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices
- Your organization derives 50% or more of its annual revenue from selling California residents’ personal information.
Consumer privacy rights under CCPA
The CCPA empowers consumers in California with strong rights related to personal privacy, including:
- Right to know what personal information a business collects about them and how it is used and shared/sold
- Right to delete personal information collected from them (though there are some exceptions)
- Right to opt-out of the sale of their personal information and
- Right to non-discrimination for exercising their CCPA rights.
The CCPA regulations appear in the California Code of Regulations (CCR) as five articles in sections §§ 999.300 through 999.341 of Title 11, Division 1, Chapter 20.
These articles are organized around five key themes:
- Notices to consumers, including four different types of notices:
  i. Notice at collection
  ii. Notice of the right to opt-out of sale of information
  iii. Notice of financial incentive and
  iv. Privacy policy.
- Business practices for handling consumer requests, including:
  - Methods for submitting and responding to requests to know, requests to delete, requests to opt-out and requests to opt-in
  - Requirements for service providers, training and record keeping and
  - Requests to access or delete household information.
- Verification of requests, including general rules, accounts, non-account holders and authorized agents
- Minors, including minors under 13 years of age, minors 13 to 16 years of age, and notices to minors under 16 years of age and
- Non-discrimination in connection with financial incentives and calculating the value of consumer data.
Summary of key CCPA amendments signed in 2019
In 2019 at least 18 bills to amend the CCPA were introduced in the California legislature, with six signed by the governor. These amendments did not signal significant changes for most businesses that had been preparing for compliance with the CCPA, though they aimed to clarify certain issues including:
- Employment-related data: One-year carve out for employment-related data, provided the data is only used for employment-related purposes.
  - Businesses must still provide a privacy notice at collection of personal information, and consumers retain their rights to take civil action and recover damages following a security breach involving their data
- B2B transactions: One-year carve out for business-to-business communications and transactions related to due diligence or providing or receiving a product or service.
  - Businesses must still comply with the CCPA’s do not sell obligations, and consumers retain their rights to take civil action and recover damages following a security breach involving their data
  - Note: This carve out does not affect marketing or other B2B communications not related to providing or receiving a product or service.
- Simplification for online-only businesses: Online-only businesses with direct consumer relationships (B2C) only need to provide an email address for consumers to submit requests.
  - This change meant a toll-free telephone number is not required.
Alongside these explicit amendments, bill AB-1202 added a separate title to the California Civil Code related to sales of data.
This bill sought to require registration of data brokers, similar to legislation previously enacted in Vermont in 2018.
California Civil Code section 17.88.99.00 defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
2021 amendments
On March 15, 2021 the following amendments to the CCPA regulations went into effect:
§ 999.306. Notice of right to opt-out of sale of personal information
§ 999.315. Requests to opt-out
§ 999.326. Authorized agent
§ 999.332. Notices to consumers under 16 years of age.
Four essential notices to consumers for CCPA compliance
Businesses must clearly display four types of notices for consumers that explain their rights under the CCPA in plain language:
- Notice at collection about the categories of information collected and the purposes for collected data
- Notice of the right to opt-out of sale of information (do not sell)
- Notice of financial incentive for users that opt-in for the collection and potential sale of their information and
- Privacy policy
Notice at collection of personal information
Trust is built on transparency, honesty and maintaining privacy. Therefore a well-recognized best practice for privacy transparency – which can generate trust – is to tell people, at the time of collection, that you will collect their personal information.
They need to know what personal information will be collected, how it will be used and whether it will be shared and/or sold.
A notice given at the point of collection is described by the U.S. Federal Trade Commission (FTC) as a ‘just in time’ or ‘point of contact’ notice.
The CCPA regulations adopt this standard and similar requirements under the General Data Protection Regulation (GDPR), including making the notice clear, easy to read, accessible to people with disabilities and set apart from any other information shown to the consumer at the same time.
To meet CCPA compliance, businesses that collect personal information directly from consumers must clearly display a point of collection notice that includes:
- Categories of personal information collected
- Purposes (business or commercial) for which the information will be used
- A notice stating if the business sells personal information along with a link (URL) for the online form where consumers can opt-out of the sale of their personal information and
- A link (URL) for the business’s privacy policy.
If a business wants to use any personal information from consumers for any other purpose not described in the point of collection notice they must also:
- Inform those consumers of its intent to use the personal information for secondary purposes
- Explain the secondary purposes and
- Get explicit consent from each of the consumers affected.
Businesses that do not collect personal information directly from consumers, but receive it from a third party must either:
- Get confirmation and proof from the source of the data that a compliant point of collection notice was displayed at the time of collection or
- Comply with the requirements of a notice of the right to opt-out of sale of information (see below).
Notice of the right to opt-out of sale of information (do not sell)
The CCPA regulations introduced a new form of privacy notice widely known as a ‘do not sell notice’.
This notice of the right to opt-out of sale of information is an essential part of CCPA compliance for any business that plans to collect and sell its consumers’ personal information to third parties – these businesses are referred to as ‘data brokers’ in the CCPA.
Like the notice at collection, this do not sell or right to opt-out notice must be clear, accessible to people with disabilities and displayed where it is noticeable by the consumer.
A notice of the right to opt-out of sale of information must meet the following CCPA compliance requirements:
- Clearly explain in plain language a consumer’s right to opt-out – their do not sell right – along with any instructions on how a consumer can exercise this right via a form or authorized agent
- Provide a clear and noticeable link to an online form for consumers to exercise this opt-out right and
- Provide a clear and noticeable link to the business’s privacy policy.
These requirements apply to businesses that mainly interact with consumers via a website and businesses that substantially interact with consumers offline.
Web-based businesses must have a do not sell my personal information link on their homepage. The landing page of this do not sell link should either display the opt-out notice or link to the business’s privacy policy that contains the same information.
CCPA regulations also recommend web-based businesses display a uniform opt-out button or logo along with the notice of the right to opt-out, although these graphics are not compulsory.
Offline businesses, or businesses that mostly operate or interact with their consumers offline, must display the notice of the right to opt-out, including instructions on how consumers can submit a request to opt-out.
The notice must be clearly visible, either as a sign in the area where personal information is collected or on the form used to collect the personal information.
If personal information that may be sold is collected over the phone, businesses may tell consumers during the call of their right to opt-out and how to exercise that right.
Businesses that do not sell consumers’ personal information are not required to provide the notice of the right to opt-out. However, they must include a statement in their privacy policy confirming the business does not and will not sell personal information.
Notice of financial incentive
The CCPA regulations explicitly prohibit businesses from discriminating against consumers for exercising their do not sell rights through any of the following measures:
- Denying goods or services
- Charging different prices/rates
- Providing different levels or quality of goods or services and
- Suggesting to the consumer that any of the above measures could happen (California Civil Code § 1798.125).
However the CCPA does not completely exclude all opportunities to offer consumers financial incentives to opt-in.
In some cases, offers of financial incentives to consumers who opt-in are effectively exceptions to two of the measures that would otherwise be prohibited if a customer opts-out.
Businesses that rely on and value personal data are allowed to charge a different price/rate or provide a different level/quality of services and goods if they can prove the difference is reasonably related to the value of consumers’ data provided to the business.
If a business wants to offer a financial incentive for consumers to consent to the collection and value exchange/sale of their personal information, it must clearly display a notice of financial incentive.
Like other notices required for CCPA compliance, this notice must be easy to read and understand. It must be accessible to people with disabilities and noticeable.
A notice of financial incentive must meet the following CCPA compliance requirements:
- It must be easy to understand and empower the consumer to make an informed decision before they consent to the collection and/or sale of their personal information in exchange for a financial incentive
- It must clearly inform the consumer of the right to revoke consent and opt-out at any time and if they exercise this right the business must stop selling the personal information
The notice of financial incentive must include the following information:
- A brief summary of the financial incentive offered
- The terms and affected categories of personal information
- A ‘good faith’ estimate of the value of the consumer’s data used for the financial incentive program, along with a description of how this value is calculated
- Instructions on how to opt-in and opt-out, and
- An explanation of why the financial incentive is permitted under the CCPA.
Privacy policy
Organizations that do business in California must comply with the privacy policies required under California Civil Code section 1798.130, subdivision (a)(5).
The CCPA regulations refer to an online privacy policy; however, the rules also make it clear the privacy policy must cover a business’s privacy practices offline as well as online.
If the business has a website, it must post its privacy policy online and display a conspicuous link to the detail of its privacy practices on its homepage and at any point where personal data could be collected.
If the business does not have a website, it must make its privacy policy conspicuously available to consumers.
Like other notices required for CCPA compliance, a privacy policy must be written in plain, easy to understand language, avoid technical or legal jargon, be accessible to people with disabilities and noticeable.
It must also be presented in a format that can readily be printed out by a consumer.
The information communicated to consumers in the privacy policy must meet the following CCPA compliance requirements about a consumer’s privacy rights, including:
- Right to know what personal information is collected, disclosed, or sold by the business, including:
  - Categories and sources of information collected during the past 12 months
  - Purpose for which the information was collected and how information is then used and shared/sold
  - Whether the business has shared/sold any personal information for a commercial or business purpose within the last 12 months and
  - If the information is shared, the categories of information and the categories of third parties that have access to the personal information.
- Right to delete – the consumer’s right to request deletion of their personal information, accompanied by instructions on how to request deletion and the processes to confirm deletion
- Right to opt-out of the sale of their personal information
- Right to non-discrimination for exercising privacy rights
- Right to designate an authorized agent to make a request under the CCPA on the consumer’s behalf
- Contact information for the person in the business who can give them more information about the organization’s privacy policy and its privacy practices
- Date the privacy policy was last updated. Note: the privacy policy is required by the CCPA to have been updated within the last 12 months
- Whether the business buys, receives, shares or sells the personal information of four million or more consumers for any commercial purpose. Businesses in this category must publish accurate numbers in their privacy policy showing how many opt-out, deletion and right to know requests the business received, complied with in whole or in part, and denied during the previous calendar year. These businesses must also publish the median number of days within which the business substantively responded to these requests.
The CCPA regulations make it clear the privacy policy does not need to be personalized for each consumer and should not contain specific pieces of consumers’ personal information.