CCPA RESOURCES CENTER › THE COMPLETE CCPA GUIDE

Chapter 4: Getting CCPA Compliant

The California Consumer Privacy Act (CCPA) imposes a lot of new responsibilities on businesses and requires them to change the way they think about consumer data. For the most part, businesses can continue collecting and using personal data as they were before, but they must be more transparent about it and be prepared to respond to consumer requests regarding their rights.

In this chapter, we’ve outlined the major actions a business must take in order to become CCPA compliant, from data mapping to preparing for your first privacy request.

Data Mapping

Data mapping is the first step to becoming CCPA compliant, and generally the most labor-intensive one as well. During this process, businesses must precisely determine what personal information they are collecting, who they are collecting it from, and who they are sharing it with.

This large task is easier to understand when broken down into two halves: personal information that comes in and personal information that goes out.

Inbound Information

Businesses tend to collect a lot of consumer data. In fact, they usually collect more data than they are aware of. That’s why CCPA compliance starts with figuring out who you are collecting personal information from and what categories of personal information you are collecting.

Let’s start with the “who” question. The best way to do this is to identify what groups of consumers you collect information from. Here are some of the most common consumer groups for businesses:

  • Customers
  • Prospective customers
  • Email newsletter subscribers
  • Website visitors
  • Employees
  • Job applicants

Notice the diversity of groups in this list of examples. Businesses may just be thinking of customers as “consumers,” but the CCPA defines the term simply as any California resident. The CCPA even covers personal information collected for internal or non-commercial purposes, such as from a job applicant. These internal consumer groups are treated differently, though. While a business must disclose to employees and job applicants what personal information it is collecting and for what purpose, at this time these groups don’t have the right to make privacy requests, such as a request to delete.

Identifying the various groups of consumers helps businesses better understand the categories of information they are collecting. Often it is as simple as reviewing the forms used in that particular context. For example, a newsletter subscription may just require an email address, while an online purchase usually involves much more (name, phone number, shipping address, etc.).

Having mapped out your different consumer groups and determined what information you are collecting from them, the next step is to determine which of the information categories are personal information for CCPA purposes. The CCPA defines personal information very broadly, including not just identifiers like names and email addresses, but also IP addresses, search history, geolocation data, and much more. As a practical matter, this step is more about finding exceptions, i.e., consumer data that is not personal information. These include:

  • Information that is deidentified or in the aggregate, which cannot reasonably identify or be linked to a particular consumer
  • Publicly available information from government records
  • Information collected pursuant to other federal or state laws, such as HIPAA

Creating a thorough and accurate map of your business’s inbound consumer data will make the rest of the CCPA compliance proceed more smoothly. It will also help your team better respond to consumer requests to know and requests to delete.

Upcoming Changes to the Law

In November 2020, voters approved the California Privacy Rights Act (CPRA), sometimes called CCPA 2.0. The CPRA makes a number of significant changes to the CCPA, many of which are meant to strengthen enforcement and provide clarification of the original law.

Most of the changes go into effect on January 1, 2023, but this can be a little misleading. The CPRA contains a 12-month “look back” provision, meaning it applies to personal data collected as early as January 1, 2022. Businesses will need to begin planning their compliance well in advance of the 2023 effective date.

Publicly Available Information

Effective January 1, 2023, the exception for publicly available information is broadened to include information from other sources besides government records. This exception now includes:

  • Lawfully obtained, truthful information that is a matter of public concern
  • Information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience

Outbound Information

After you’ve mapped the inbound data, you must next examine each category of disclosures of personal information to outside parties. The CCPA deals extensively with the sharing and selling of consumers’ personal information, and these disclosures are treated differently according to how they are characterized. The most critical question to ask of any disclosure will be: is this a sale of personal information?

Deciding what is or is not a sale of personal information is important for two reasons. First, if a consumer submits a request to know, the business must disclose the categories of personal information it has sold to third parties. Second, the CCPA gives consumers the right to opt out of the sale of their personal information. In order to honor consumers’ opt-out requests, the business must first know which transactions qualify as sales.

Under the CCPA, the sale of personal information can include:

  • Disclosing personal information in exchange for money or other valuable consideration; the money part is obvious, but “other valuable consideration” can be tricky
  • Using interest-based advertising services with platforms such as Google and Facebook
  • Potentially any disclosure to an outside vendor where the contract does not explicitly prohibit the vendor from retaining, using or disclosing personal information for other purposes

The most important exception to the CCPA’s definition of selling is the disclosure of personal information to service providers. If a vendor qualifies as a service provider, the transfer of personal information to that vendor is not a sale and is not affected by consumer opt-out requests.

The onboarding of vendors to your CCPA compliance system is therefore critically important, and usually the most time-consuming part of the whole compliance project. In order to qualify as a service provider, the vendor contract must prohibit the vendor from retaining, using, or disclosing consumers’ personal information for any other purpose besides performing the specified service. This means your compliance team will have to examine each vendor contract to see if it contains the necessary language. If it does not, businesses will either have to update the contract or else potentially treat any transfer of information to the vendor as a sale, and thus subject to opt-out requests.

Your business’s data map forms the foundation of all future CCPA compliance. Once it is completed, the rest of the project will be significantly easier.

Upcoming Changes to the Law

"Service Provider" Definition Changes

Effective January 1, 2023, there are a few changes to the definition of a service provider.

  • A service provider can now be a legal or natural person, not just a legal entity.
  • A business’s contract with a service provider must now prohibit the service provider from selling or sharing consumers’ personal information and from combining it with personal information from other sources. This means that vendor contracts will need to be updated in order to qualify as CCPA service providers.

Contractors

The CPRA also adds a new type of outside party, the “contractor.” A contractor qualifies for the same exemptions as a service provider, i.e., they are not affected by opt-out requests, but are defined a little differently. As opposed to a service provider who “processes information” for a business, a contractor is “a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business.” One impact of this addition is that a business’s contracts with contractors must meet similar requirements as those of service providers.

Privacy Notices

Keeping consumers informed regarding data collection and their privacy rights is a major component of the CCPA. Once a business has finished its data map, it will need to make some changes to its privacy notices. Fortunately, this is usually a pretty straightforward process.

Privacy Policy and CCPA Addendum

Most companies that collect consumer data online already have a privacy policy in place on their website. Businesses should take the opportunity at this point to review their existing policy, compare it to the data map they’ve just created, and make any necessary changes. It’s often the case that businesses have made changes to their data collection practices without updating their privacy policy.

The next step is to add a CCPA addendum to the privacy policy. This addendum makes all the necessary disclosures to consumers regarding the collection and use of their personal information. It should be in plain, non-technical language and be reasonably accessible to consumers with disabilities, following recognized industry standards such as the Web Content Accessibility Guidelines version 2.1. Here are the points it should cover:

  • Inform consumers of their privacy rights under the CCPA: right to know, right to opt out, right to delete, and right to non-discrimination
  • Inform consumers what personal information you collect, from what sources, and for what business purpose
  • Inform consumers what personal information you disclose to service providers and third parties, and the categories of parties you share it with
  • Inform consumers what personal information you sell to third parties and what categories of third parties you sell to
  • Provide instructions for submitting privacy requests
  • Provide at least two methods for submitting privacy requests, at least one of which relates to the business’s normal way of interacting with consumers (e.g., a primarily online retailer must provide at least one online method)

Once the CCPA addendum is completed, it must be posted at or before any point of collection. For example, if a retailer offers discount codes to consumers in exchange for signing up to receive promotional emails, this is a point of collection. The retailer must include a link to its privacy policy near the point of data collection.

Additional Notices

Depending on their practices, businesses may need to include other notices in their privacy policy.

Employee and Job Applicant Notices

As noted in the previous section, even internal data collection from employees and job applicants is covered by the CCPA. While consumers in these groups don’t have the right to submit privacy requests, e.g., a request to delete, businesses do have to inform them what personal information is being collected and for what purpose. This notice must be given at or before the point of collection (e.g., in the job application or employment agreement).

"Do Not Sell My Personal Information" Page

Businesses that sell consumers’ personal information to third parties must provide an additional notice to consumers. This notice can be its own web page or added to the main privacy policy. It must inform consumers:

  • What personal information is being sold
  • How to opt out of the sale of their personal information

These businesses must also post a clear and conspicuous “Do Not Sell My Personal Information” link on their homepage. The link should send consumers to this notice.

Additionally, businesses that sell personal information collected while interacting with the consumer offline must provide an offline disclosure of their right to opt out and instructions for making a request. If a business operates a brick-and-mortar store, they can fulfill this obligation with a disclosure on the forms used to collect the information, or by posting signage in the area. If the information is collected over the phone, the business may orally inform the consumer of their opt-out rights.

Notices Regarding Consumers Under the Age of 16

There are special rules for the sale of personal information from consumers who are between the ages of 13 and 15, and for consumers under the age of 13. If your business has knowledge that it sells the personal information of consumers in these age groups, it must provide a process for obtaining their affirmative consent (or their guardian’s consent) to opt in, and also describe this process in the privacy notice.

Notice of Financial Incentive

Businesses cannot discriminate against consumers for exercising their CCPA rights, but they can offer consumers financial incentives for opting in to the use and sale of their personal information. They can also charge a different price to consumers who opt out, as long as the price difference is related to the value provided to the business by that consumer’s personal information. Businesses that do either of those things must explain it in their privacy notice.

High Volumes of Personal Information

Businesses that buy, receive, sell, or share for commercial purposes the personal information of 10 million or more consumers per year must compile and disclose additional information in their privacy policy. They must tell consumers how many privacy requests they received in the previous year, as well as how many of those requests were denied, complied with in part, and complied with in whole. They must also disclose the median number of days they took to respond to privacy requests.

Upcoming Changes to the Law

New Rights in the CPRA

The CPRA adds two new categories of consumer rights: the right to correct inaccurate personal information and the right to limit use and disclosure of sensitive personal information. Effective January 1, 2023, privacy policies must inform consumers of these rights and provide instructions for submitting requests.

Those businesses whose practices are covered by the right to limit use and disclosure of sensitive information must post a clear and conspicuous link on their homepage, titled “Limit the Use of My Sensitive Personal Information.”

Fulfilling Certain Requests to Know via Privacy Policy

Effective January 1, 2023, businesses can fulfill their obligations regarding a request to know what categories of personal information are being collected by including that disclosure in their privacy policy, as long as the information would be the same as for the requesting consumer.

"Sharing" Personal Information

The CPRA adds a new term, “sharing,” meaning the disclosure of personal information for purposes of cross-context behavioral advertising (a.k.a. interest-based advertising or retargeting). This type of transaction is treated the same as a sale of personal information. One practical implication is that “Do Not Sell” links on web pages will need to be changed to “Do Not Sell or Share My Personal Information.”

Business Purpose for Selling or Sharing

In addition to informing consumers of the business purpose for collecting personal information, the CPRA requires privacy policies to also disclose the business purpose for selling or sharing personal information.

No More "Do Not Sell" Links?

The CPRA states that at some point businesses will be able to satisfy their legal obligations without including “Do Not Sell or Share My Personal Information” or “Limit the Use of My Sensitive Personal Information” links on their homepage. To do so, they must allow consumers to opt out “through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism” based on technical specifications and regulations to be published by the Office of the Attorney General.

Responding to CCPA Privacy Requests

With all the necessary privacy notices out of the way, the final component of CCPA compliance is responding to privacy requests from consumers. Businesses should already have a plan in place for handling these requests before they ever receive one. Going through a few trial runs will help identify any gaps in the system and ensure that requests can be processed in a timely manner.

This section does not include a detailed description of each privacy right—you can find that in Chapter 2—but rather identifies the key issues that businesses should be aware of when responding to each type of privacy request.

Request to Know

Consumer requests to know can be divided into two types: requests to know what categories of personal information have been collected (and for what business purpose) and what specific pieces of personal information have been collected. A single request may ask for both types of information.

Because there are security concerns associated with disclosing personal information, requests to know must be verifiable. When determining the level of verification necessary, businesses should take into account the sensitivity of the information. For requests to know categories of information, an email verification is usually sufficient. Requests to know specific pieces of information require additional security steps, or perhaps an account login if the consumer has an online account (businesses cannot require a consumer to create an account in order to process the request).

There are also several types of specific information that a business cannot disclose to the consumer. These are:

  • Social security numbers
  • Driver’s license numbers (or other government-issued ID numbers)
  • Financial account numbers
  • Medical or health insurance information
  • Account passwords
  • Security questions and answers
  • Unique biometric data

In these cases, the business should just describe the type of information collected.

Businesses must acknowledge receipt of the request to know within 10 days, and have 45 days to comply. This can be extended for an additional 45 days when reasonably necessary, provided the consumer is notified before the original 45-day period has lapsed.

Upcoming Changes to the Law

Categories of Personal Information Collected

Effective January 1, 2023, businesses can fulfill their obligations regarding a request to know what categories of personal information are being collected by including that disclosure in their privacy policy, as long as the information would be the same as for the requesting consumer.

Right to Access

The CPRA includes the term “right to access personal information.” This is just a change in terminology. It does not grant any new rights, but refers to a consumer’s right to know what specific pieces of personal information a business has collected.

Request to Delete

Requests to delete personal information involve many of the same issues as requests to know. As with requests to know, businesses must verify the request before complying. The level of verification required depends on the type of information being deleted. For example, before deleting sensitive information such as family photos, the business must verify the consumer’s identity to a higher degree of certainty.

Complying with the deletion request does not necessarily require deleting the information. Deidentifying or aggregating the data—changing it so it can no longer be linked to a specific individual—also fulfills the business’s obligation. If the business determines that it does not need to delete because one of the CCPA’s exceptions applies, it must inform the consumer of this decision.

Businesses must acknowledge receipt of the request to delete within 10 days, and have 45 days to comply. This can be extended for an additional 45 days when reasonably necessary, provided the consumer is notified before the original 45-day period has lapsed.

Upcoming Changes to the Law

Notifying Third Parties

Effective January 1, 2023, after receiving a request to delete, businesses must notify all third parties to whom they have sold or shared a consumer’s personal information. This is in addition to the original requirement to notify service providers (and now contractors) of the deletion request. Such notification is not required if it would be impossible or involve disproportionate effort.

Request to Opt Out

Businesses must provide at least two methods to submit opt-out requests, including an interactive form accessible via its “Do Not Sell My Personal Information” link. Businesses may give customers the option to opt out of specific types of information selling, as long as there is a prominent option that opts out of the sale of all personal information. Once a consumer has opted out, the business must wait at least 12 months before asking them to opt in again.

The opt-out request must be easy to execute and require minimal steps. CCPA regulations offer several examples of prohibited practices:

  • The process for submitting an opt-out request cannot require more steps than the process for opting in to the sale of personal information.
  • Businesses cannot use confusing language, such as double negatives.
  • Businesses cannot force consumers to click through or listen to a list of reasons why they should not submit an opt-out request before confirming the request.
  • The process for submitting an opt-out request shall not require the consumer to provide personal information that is not necessary to implement the request.
  • After clicking on a “Do Not Sell Link,” businesses cannot require a consumer to search or scroll through the text of a privacy policy to find the mechanism for opting out.

Unlike requests to know and delete, requests to opt out do not need to be verified. However, businesses can deny a request if they have a good-faith, reasonable, and documented cause to believe the request is fraudulent.

Businesses must comply with a request to opt out within 15 days of receiving it.

Request to Correct

Starting January 1, 2023, businesses must respond to consumer requests to correct inaccurate personal information. The California Privacy Protection Agency will draft and release regulations in the future, but here’s what we know for now.

Similar to requests to know and requests to delete, requests to correct must be verifiable. Businesses have 45 days to comply with the request, though that may be extended to 90 days if reasonably necessary and the consumer is notified. Businesses are only required to make “commercially reasonable efforts” to correct the information.

Request to Limit Use and Disclosure of Sensitive Personal Information

Effective January 1, 2023, the CCPA gives consumers the right to limit use and disclosure of their sensitive personal information. This addition brings the California law closer in line with the data privacy protections of the European Union’s privacy law, the General Data Protection Regulation (GDPR).

Currently, there are no regulations regarding how to handle a request to limit use and disclosure of sensitive personal information. The right bears a strong resemblance to the right to opt out, so it is possible that the procedures for handling the two types of requests will be similar.

Authorized Agents

Consumers may submit privacy requests through an authorized agent. In order to maintain data security, businesses may require the agent to prove it has signed permission to make the request. Businesses may also require the consumer to:

  • Verify their own identity directly with the business, or
  • Directly confirm with the business that they provided the authorized agent permission to submit the request on the consumer’s behalf

These requirements would not apply when the consumer has provided the agent with power of attorney.

Data Privacy Security Requirements

The CCPA also imposes cybersecurity requirements on businesses that collect personal information. The law creates a private right of action for consumers in the event of a data breach where nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices.

In order to avoid potential class-action lawsuits, businesses should encrypt and redact consumers’ personal information wherever possible, and implement and maintain reasonable data security procedures. Neither the law nor the regulations give specific guidance on what security measures are required, so it is likely to depend on the situation and personal information involved.

Next: Staying CCPA Compliant

With a complete data map, updated privacy notices, and practiced responses to privacy requests, CCPA compliance is a very manageable goal. For the most part, becoming CCPA compliant is a one-time process, coupled with the handling of privacy requests as they come up. There are a few ongoing, periodic tasks that businesses must perform in order to maintain their compliance.

The next chapter, “Staying CCPA Compliant,” discusses these maintenance tasks and gives businesses a sense of how much effort is involved.