This probably isn't your favorite word. After all, the CCPA, the CPRA and privacy law in general are complex, and as soon as you are halfway through the material, another amendment seems to be on its way. Complying with privacy law can therefore be stressful and time-consuming, but it is unavoidable if you want to avoid civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation.
Don't worry. We've created a clear guide to CCPA compliance. Follow these steps and compliance is yours for the taking.
A great checklist is waiting for you at the end!
CCPA stands for California Consumer Privacy Act, a data protection law that defines the privacy rights of California consumers. As with the GDPR, the marketplace principle applies: the law follows the consumer, not the company, so the CCPA can also apply to European companies. If you run a for-profit business that collects, processes, or sells personal information of California residents, you may be required to comply with the CCPA, provided you also meet one of the law's thresholds (annual revenue, the volume of personal information you handle, or the share of your revenue that comes from selling or sharing personal information).
As of January 1, 2023, the CCPA has been amended to include the CPRA (California Privacy Rights Act). We have already informed you about the important changes to the CCPA in 2023.
At this point, it is critical for you to know that consumers have new rights under CPRA, such as the right to correct inaccurate information.
The CCPA defines in Section 1798.140(o)(1) exactly what counts as personal information, or personally identifiable information (PII), and what is excluded.
The usual suspects that you must be aware of include:
Name, address, email address
Social security number
Biometric information
Professional or employment-related information
Educational information
Browsing history
Not covered by the CCPA are:
Publicly available information, such as information found in government records or newspaper articles
Personal health information – this data is no less confidential, but it is regulated separately under the Health Insurance Portability and Accountability Act (HIPAA)
To be CCPA-compliant, it is best to work through the consumer rights laid down in Sections 1798.100 ff. of the California Consumer Privacy Act.
These are:
Californian consumers have the right to know exactly what personal information a business collects about them. Consumers may make such a request up to twice in a 12-month period. In addition, consumers must be informed at or before the point of collection which categories of personal information are collected and for what purposes (the notice at collection).
The right to disclosure/right to know includes the following information:
Categories of personal information collected
The specific pieces of personal information collected about the requesting consumer
The business or commercial purpose for collecting or using the data
The sources from which the data was collected
The categories of third parties to which personal information is disclosed
To inform your consumers about your data processing activities, you can use a pop-up window or banner that appears when a page is first accessed.
Tell your customers what data you collect and for what purpose, and link to further information about your CCPA practices, such as your privacy policy.
Important! Consider the CPRA changes starting January 1, 2023. What worked last year is likely to be outdated this year.
Section 1798.130 of the CCPA requires you to provide consumers with two or more designated methods for submitting requests, such as requests to know. At a minimum, you must provide a toll-free telephone number and, if you maintain a website, your website address (a business that operates exclusively online and has a direct relationship with the consumer may instead provide only an email address). Once a request is received, you have 45 days to respond; this period may be extended once by a further 45 days when reasonably necessary, provided you notify the consumer within the first 45 days.
To make it as easy as possible for consumers to practice their CCPA rights, you should place your contact information prominently on your website.
To fully comply with the CCPA, you need a privacy policy that reflects the current CCPA/CPRA rules and is updated at least every 12 months. The privacy policy should explain which categories of personal information you collect and why. It must also state how consumers can exercise their rights, including how they can opt out of the sale or sharing of their personal information. Do not forget to state that you do not discriminate against consumers who exercise their CCPA rights.
You can add the privacy policy as a single page on your website or present it as a pop-up.
To make sure your privacy policy is up-to-date, you should first have a CCPA gap assessment performed.
Under the California Consumer Privacy Act, consent does not have to be obtained for data processing in general, but consumers must be able to opt out of the sale (and, since the CPRA, the sharing) of their personal information with third parties at any time. This is the opt-out right. You must place a clear and conspicuous link on your homepage, titled “Do Not Sell My Personal Information” under the original CCPA and “Do Not Sell or Share My Personal Information” under the CPRA, that leads to a page where consumers can opt out. Two caveats a practitioner should know: for consumers under 16, selling or sharing requires affirmative opt-in consent rather than an opt-out, and the CPRA regulations require you to honor an opt-out preference signal sent by the consumer's browser (such as Global Privacy Control) as a valid opt-out request.
Create the mandatory opt-out page and preferably link to it in your footer as well as your privacy policy.
This will additionally help your consumers get a good overview of your privacy efforts as well as claim their personal CCPA rights.
Californian consumers have the right to have the personal information a business has collected from them deleted, that is, to “be forgotten.” In certain cases you do not have to comply with a deletion request, namely if retaining the data is necessary to detect security incidents, to debug or repair errors, to comply with a legal obligation, or for similar reasons listed in Section 1798.105. Note that a deletion request also obliges you to instruct your service providers and contractors to delete the data, and under the CPRA to notify third parties to which you sold or shared it.
In most cases you will not be able to rely on an exemption and will have to delete the data, again within 45 days if you do not want to risk a penalty.
So make sure your IT team knows exactly where personal data is stored and how to delete it in a CCPA-compliant manner. Establish processes within your organization to delete or anonymize data in a simple, fast and reliable way. A tool can be helpful at this point.
Since the CPRA went into effect in January 2023, consumers have the right to correction, that is, to have inaccurate personal information about them corrected. You must then make commercially reasonable efforts to correct the information, although the text of the law does not define what is reasonable.
A tool that can automate this process is also a great benefit for complying with this requirement by law.
Everything thought of? Simply check your CCPA compliance against this list:
As you can see, CCPA/CPRA requires quite a bit from you. Not only must personal data be collected securely, but it must also be stored in a way that allows consumers to claim their CCPA rights at any time. Our ultimate guide and checklist provide a good overview of CCPA compliance.
Andreas Springer _Actonic_
Head of Marketing
Actonic GmbH
Germany