Your CCPA Survival Guide
Must-have resources to understand CCPA requirements and become compliant quickly
Unless you’ve been living under a rock, you know that the California Consumer Privacy Act is here. July 1, 2020 marked the start of the enforcement phase of CCPA. This guide provides everything you need to know to make sure your organization is CCPA compliant.
Inside the CCPA Compliance Guide
Why is CCPA important?
What does CCPA stand for?
CCPA stands for the California Consumer Privacy Act.
What is the meaning of CCPA?
The goal of CCPA is to give consumers more control over the personal information that businesses collect about them.
CCPA protects the personal data of consumers who are residents of California, including households and individuals. CCPA covers collection, processing, as well as sale of Personal Information.
What rights does CCPA provide consumers?
CCPA expands consumer rights to include the following:
- To know whether personal data is collected about them
- To know what personal data is being collected about them
- To know specific categories of data a business collects about them
- To know categories of third parties with whom personal data is shared
- To know categories of sources of personal data
- To know the business or commercial purpose of collecting personal information
- To port (move) their personal data
- To say no to the sale (broadly defined as sale or exchange) of their personal data
- To delete their personal data
These CCPA requirements apply to both customers and non-customers.
What are the benefits of CCPA compliance?
Your approach to CCPA is a critical part of the data privacy experience you create for your customers. Every privacy touchpoint should be clear and transparent, so customers understand the process and feel their needs are being addressed. Done well, CCPA compliance can become a competitive advantage that builds trust and brand equity.
If I already comply with GDPR do I need to worry about CCPA?
If you’ve already prepared for GDPR, you won’t have to start over to prepare for CCPA, but that doesn’t mean you have all the bases covered. CCPA has additional requirements and is more prescriptive than GDPR. In particular, differences in the scope of application, nature, and extent of collection limitations, and rules concerning accountability presents different operational challenges for compliance.
What are the CCPA requirements?
What companies does CCPA apply to?
CCPA applies to companies that do business in California and:
- Have annual gross revenue in excess of $25 million alone or
- In combination, annually buys, receive for commercial purposes, sell or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenues from selling consumers’ Personal Information (PI)
These companies will need to be CCPA compliant.
What information is covered under CCPA?
CCPA addresses information that relates to, describes, is capable of being associated with, or could be reasonably linked, indirectly or directly, with a consumer or household.
What are CCPA regulations for privacy notices?
CCPA requires businesses inform consumers at or before the point of collection as to the categories of Personal Information (PI) to be collected and the purposes for which the PI will be used.
What are CCPA requirements for Data Subject Access Requests?
Data privacy laws give people rights to access, change and control the data businesses collect about them. People make their wishes known to businesses in the form of a Data Subject Access Request (DSAR). The laws also require that businesses provide methods for people to register these requests and to respond accordingly. Under CCPA, disclosure includes data covered 12 months before request.
“Data Subject Access Request” has become an umbrella term for this process. A “data subject” is a term originated by GDPR which refers to any person whose personal data is being collected, held or processed. Various privacy regulations use slightly different terminology and indicate different requirements. CCPA uses the term “verifiable consumer request.”
The right to know: The most common type of DSAR involves people seeking to know what data your organization holds about them and your intentions for collecting and using that data.
The right to delete: People have the right to correct their data preferences, as well as the “right to be forgotten” (to have an organization erase their records). These requests are often the most complex types of DSARs to address, as you must make sure any record deletion is completed throughout your data stores in a permanent way.
What is the CCPA Do Not Sell requirement?
CCPA includes a specific right for consumers to opt out of the sale of personal information. This is an important difference between CCPA and the European Union’s GDPR, which requires companies to prompt consumers to “accept” cookies and other tracking technologies before progressing on a website.
Businesses are required to provide two or more methods for submitting requests to opt out, including an interactive web form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” or “Do Not Sell My Info,” on the business’s website or mobile app. Other acceptable methods for submitting these requests include a toll-free phone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled global privacy controls, such as a browser plugin, that communicate the consumer’s choice to opt out of the sale of their personal information.
A business’s methods for submitting requests to opt out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt out.
The opt-out only stops the selling of personal information, and it does not impact other uses of their information.
How does CCPA define “sale” of information?
CCPA’s definition of “sale” applies to the exchange for value of all consumer information, including sharing personal data captured by cookies and other tracking technologies with third parties.
What types of cookies are subject to CCPA’s “Do Not Sell” provision?
First-party cookies allow websites to perform essential functions, like remembering which products you selected for purchase and placed into your shopping cart. For “first-party” cookies, the entity or website storing the cookie on the computer is the entity or site that is being visited.
Third-party cookies are referred to as advertising cookies or behavioral advertising cookies. These are data files installed by another program, such as an advertisement that is presented on the site but is not owned or controlled by the site owner, or that is separate and distinct from the site that is being visited. Third-party cookies are often used by advertising agencies and track consumer activity across sites.
Third-party cookies are subject to CCPA’s “Do Not Sell” provision. To be CCPA compliant, you must have the ability to stop using third-party cookies when a consumer opts out of the sale of their personal data. You can do this by creating suppression lists of people who opted out of the sale.
What response time does CCPA require?
CCPA requires that businesses must comply with an opt-out request within 15 business days.
When you receive a consumer’s request to access or delete, CCPA requires that you confirm receipt of their request within 10 business days. At that time you must also provide general information about your verification process and when they should expect a response.
CCPA specifies that businesses must respond to requests to access or delete within 45 calendar days. If you cannot verify the consumer within the 45-day time period, you may deny the request. If necessary, businesses may take up to an additional 45 calendar days to respond to the consumer’s request, for a maximum total of 90 calendar days, as long as you provide the consumer with an explanation of the delay.
Where can I find a link to the CCPA full text?
You can find more information about CCPA, including full text of the law on the California Attorney General’s website.
What is CCPA 2.0?
Since CCPA became law in early 2020, the California Attorney General has made a number of modifications to clarify how businesses should implement privacy requirements. As CCPA continues to evolve and new laws for California and other states emerge, you must continue to update and tailor your privacy operations.
California also has a ballot initiative for significant legislative updates to CCPA, known as the California Privacy Rights Act (CalPRA) on the docket for November 2020. If CalPRA passes, it will provide consumers with more rights and create a privacy agency to issue guidance and regulations.
What are CCPA exemptions?
In responding to a request to know, a business is not required to search for Personal Information if all the following conditions are met by the business:
- Does not maintain the Personal Information in a searchable or reasonably accessible format
- Maintains the Personal Information solely for legal or compliance purposes
- Does not sell the Personal Information and does not use it for any commercial purpose
Consumers have the right to deletion of their PI, except when it is necessary to:
- Complete the transaction for which the PI was provided or perform a contract with the consumer
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity and prosecute those
- Debug to identify and repair errors that impair existing intended functionality
- Exercise free speech (of business or another consumer) or other rights
- Comply with the California Electronic Communications Privacy Act
- Engage in public or peer-reviewed research in the public interest
- Enable internal uses reasonably aligned with the expectations of the consumer based on their relationship with the business
- Comply with a legal obligation
- Use consumer’s PI, internally, in a lawful manner that is compatible with the context in which the consumer provided the information
What are the risks of non-compliance?
When does enforcement of CCPA begin?
Enforcement of CCPA by the California Attorney General began July 1, 2020.
What fines and penalties are under enforcement?
Under CCPA your business can be found non-compliant and penalized. Fines are enforced by the California Attorney General and can reach up to $7,500 per violation (in the case of intentional violations). Non-intentional violations are subject to a $2,500 maximum fine.
What is a CCPA data breach?
Mistakes in the DSAR process – even unintentional ones – can cause a data breach. For example, sending personal data to the wrong individual constitutes a data breach. A CCPA data breach opens the possibility of a private right of action under CCPA, which will exponentially increase your risk and financial liability. With damages in individual or class action lawsuits ranging between $100 and $750 per violation, costs could escalate quickly.
What steps do I take to become CCPA compliant?
How should I adjust my website to comply with CCPA?
Your front-end data privacy interface should be a one-stop shop that builds consumer trust. By setting up a branded Trust Center, you can share all privacy information with consumers in a central place on your website. A comprehensive Trust Center should include:
- Any state privacy policies that apply, such as CCPA
- A way for consumers to submit DSARs to access or delete their personal information from your systems
- An “opt-out” button so consumers can easily request that you do not sell their personal data
- A way to capture, validate and retain DSARs and enact Do Not Sell requests
- Your company’s branding and logo to assure consumers that you’re taking responsibility for their privacy journey
How do I comply with CCPA’s Do Not Sell requirement?
Consent management involves the disclosure of obligations that need to be front and center on your website and wherever else you collect consumer data. This is typically a webpage link asking consumers to opt in or opt out of sharing some or all aspects of their personal data, including information collected by cookies, pixels, and other tracking technologies.
Fortunately, CCPA’s “Do Not Sell” rule doesn’t need to be a permanent, all-or-nothing choice. You may offer consumers the choice of “opting down” instead of completely “opting out” by allowing their data to be shared with some third parties but not others. You can also present the choice to opt out of sale for certain categories of personal information, as long as a global option to opt out of the sale of all personal information is more prominently presented than the other choices.
Create suppression lists of people who opted out of sale, based on the information you have about them at the time they opt out. If you only have their cookie or IP address, you may need to ask for more information to confirm their identity so you can connect the dots across your different marketing and advertising systems.
You can check against these suppression lists internally and when communicating with third parties to make sure you respect the wishes of your consumers when selling or sharing data.
How can I verify a Data Subject Access Request?
If you receive a request for information on a person’s data, you need to confirm the person’s authority to make the request.
If your customers already have password-protected accounts, you can confidently match the person making the request to a specific individual. But, if a DSAR comes from an unknown user, confirming who they are and their right to the information is trickier, for several reasons:
- Consumers may not be making requests themselves. Parents may request data on behalf of their minor children or other individuals may be authorized to act on their behalf. Consider a parent wanting to know the history of their son’s personal data collected or shared via an online game.
- Multiple users may be sharing a single device, so relying on device data isn’t sufficient to confirm individual identity. Consider a husband and wife sharing an account for the household.
- You aren’t allowed to ask for any additional personal information from the consumer than what you’ve already got. Doing so constitutes a data breach and increases your liability. Requiring users to provide a copy of an ID document, passport or other official, government-issued document, such as a birth certificate, isn’t allowed.
During the CCPA revision process, the Attorney General clarified:
- Use of a consumer’s credit card security code was eliminated as a method of verification for non-accountholders
- Consumers can’t be required to pay a fee for identity verification
- Businesses must establish, document, and comply with a reasonable method for determining whether a person submitting a request of a child under the age of 13 is the parent or guardian
You’re caught between a rock and a hard place. You can’t say no to all DSARs and you can’t answer them all without more information. This is where a third party can provide verification and authentication to remove the burden.
How do I collect information to comply with consumer requests under CCPA?
Responding to a DSAR typically requires accessing, modifying, and possibly deleting data from the backend data management systems that are hosting personal data.
Most companies have vast file repositories, which often reside in silos. Customer data may be inside CRM systems, marketing databases, product databases, customer care logs, or other repositories. Employee data may live in HR, financial or healthcare systems.
In a typical enterprise, these data stores include structured relational (SQL) databases (e.g., PostgreSQL, Oracle, SAP, MS SQL Server) or semi-structured databases (e.g., MongoDB, Azure CosmosDB, AWS DynamoDB), which typically serve as backend of operational or production processes; data warehouses like Snowflake, Oracle Exadata, Teradata, SAP, etc., that typically serve as the backend of data analytics and machine learning processes; file systems and file shares (e.g., Google Drive, SharePoint); data lakes; CRMs; Enterprise Service Busses (ESBs); and others. For deletion and correction requests, backups, and offline data stores may also be involved.
To identify related files across all systems, you need the capacity to index data and apply relevant metadata to information so it’s trackable and searchable. The faster you can query your data stores automatically, the easier the DSAR process will be.
Manual collection at the scale, speed, and accuracy required for DSARs is virtually impossible. To have that level of granular supervision and control, you need an automatic way to log, classify, and validate repositories of personal data that may be subject to DSARs.
How do I deliver data back to consumers to comply with CCPA?
Providing information in response to requests is part of the DSAR process you must handle with care to avoid a data breach. Only the sender of a request should be able to receive the data in return.
When starting to manage consumer requests, it can be tempting to use existing systems, like email or content management systems (such as SharePoint or Dropbox). But, passing information via unencrypted systems may expose you to a data breach, which dramatically increases your liability.
You should make sure consumer information is sent securely, and encrypted at rest and in-transit, all the way from request to delivery.
What reports do I need to demonstrate CCPA compliance?
There are no CCPA auditors that will demand reports, such as Privacy Impact Assessments. However, you will want to create internal reports that demonstrate your compliance and efficiency. A ticketing system can help you assign requests, or parts of requests, to different people and keep track of each task as the request progresses through your workflow.
If you disclose personal information to third parties, you’ll need to be able to send a deletion request to all of the downstream parties who received that information. Even more challenging, you must be able to track back to the data stores’ sources and request that the personal information has been deleted.
Your suppression lists need to be updated and applied internally and by third parties on an ongoing basis. This includes checking new DSARs against them and restricting the data of consumers who have opted out of having their data shared with third-party advertising platforms and ad networks.
How much should I expect CCPA compliance to cost?
By 2021, 80% of the negative financial impact of the CCPA will come from failure to implement a scalable subject rights workflow, according to Gartner Research. Gartner found that the majority of organizations receiving DSARs are taking a full working week to respond to each, at an average cost of over $1,400.[i]
The experience of companies complying with GDPR warns of the potential impact of CCPA. To address requirements of GDPR, Microsoft launched a self-service portal where customers could register access requests. In the first year, it received 18 million requests and 6.7M (37%) came from the United States.[ii]
Automation decreases costs and resources required to comply with CCPA.
[i] Gartner Research, How to Prepare for the CCPA and Navigate Consumer Privacy Rights, June 2019.
[ii] GDPR’s First Anniversary: A Year of Progress in Privacy Protection, Microsoft Blog.