The California Consumer Privacy Act (CCPA) imposes a lot of new responsibilities on businesses and requires them to change the way they think about consumer data. For the most part, businesses can continue collecting and using personal data as they were before, but they must be more transparent about it and be prepared to respond to consumer requests regarding their rights.
In this chapter, we’ve outlined the major actions a business must take in order to become CCPA compliant, from data mapping to preparing for your first privacy request.
On August 31, 2022, the California legislative session adjourned without having extended the CCPA's exemption for employee and B2B data. This exemption expired on January 1, 2023. Businesses should plan to incorporate employee and B2B data into their CCPA compliance strategy.
Data mapping is the first step to becoming CCPA compliant, and generally the most labor-intensive one as well. During this process, businesses must precisely determine what personal information they are collecting, who they are collecting it from, and who they are sharing it with.
This large task is easier to understand when broken down into two halves: personal information that comes in and personal information that goes out.
Businesses tend to collect a lot of consumer data. In fact, they usually collect more data than they are aware of. That’s why CCPA compliance starts with figuring out who you are collecting personal information from and what categories of personal information you are collecting.
Let’s start with the “who” question. The best way to do this is to identify what groups of consumers you collect information from. Here are some of the most common consumer groups for businesses:
Notice the diversity of groups in this list of examples. Businesses may just be thinking of customers as “consumers,” but the CCPA defines the term simply as any California resident. The CCPA even covers personal information collected for internal or non-commercial purposes, such as from a job applicant.
Identifying the various groups of consumers helps businesses better understand the categories of information they are collecting. Often it is as simple as reviewing the forms used in that particular context. For example, a newsletter subscription may just require an email address, while an online purchase usually involves much more (name, phone number, shipping address, etc.).
Having mapped out your different consumer groups and determined what information you are collecting from them, the next step is to determine which of the information categories are personal information for CCPA purposes. The CCPA defines personal information very broadly, including not just identifiers like names and email addresses, but also IP addresses, search history, geolocation data, and much more. As a practical matter this step is more about finding exceptions, i.e., consumer data that is not personal information. These include:
Creating a thorough and accurate map of your business’s inbound consumer data will make the rest of the CCPA compliance process proceed more smoothly. It will also help your team better respond to consumer requests to know and requests to delete.
After you’ve mapped the inbound data, you must next examine each category of disclosures of personal information to outside parties. The CCPA deals extensively with the disclosure of consumers’ personal information, and these disclosures are treated differently according to how they are characterized. The most critical question to ask of any disclosure will be: Is this a sale or sharing of personal information?
Deciding what is or is not a sale or sharing of personal information is important for two reasons. First, if a consumer submits a request to know, the business must disclose the categories of personal information it has sold to or shared with third parties. Second, the CCPA gives consumers the right to opt out of the sale and sharing of their personal information. In order to honor consumers’ opt-out requests, the business must first know which transactions qualify as selling or sharing.
The most important exception to the CCPA’s definition of selling is the disclosure of personal information to service providers. If a vendor qualifies as a service provider, the transfer of personal information to that vendor is not a sale and is not affected by consumer opt-out requests.
The onboarding of vendors to your CCPA compliance system is therefore critically important, and often the most time-consuming part of the whole compliance project. In order to qualify as a service provider, the vendor contract must meet certain requirements, such as prohibiting the vendor from retaining, using, or disclosing consumers’ personal information for any other purpose besides performing the specified service. This means your compliance team will have to examine each vendor contract to see if it contains the necessary language. If it does not, businesses will either have to update the contract or else potentially treat any transfer of information to the vendor as a sale, and thus subject to opt-out requests.
Your business’s data map forms the foundation of all future CCPA compliance. Once it is completed, the rest of the project will be significantly easier.
Keeping consumers informed regarding data collection and their privacy rights is a major component of the CCPA. Once a business has finished its data map, it will need to make some changes to its privacy notices. Fortunately, this is usually a pretty straightforward process.
As noted in the previous section, even internal data collection from employees and job applicants is covered by the CCPA. A business must disclose what personal information it is collecting and for what purposes it is used. This notice must be given at or before the point of collection (e.g., in the job application or employment agreement).
These businesses must also post a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their homepage. The link should send consumers to this notice.
Additionally, businesses that sell or share personal information collected while interacting with the consumer offline must provide an offline disclosure of the consumer’s right to opt out and instructions for making a request. If a business operates a brick-and-mortar store, it can fulfill this obligation with a disclosure on the forms used to collect the information, or by posting signage in the area. If the information is collected over the phone, the business may orally inform the consumer of their opt-out rights.
There are special rules for the sale or sharing of personal information from consumers who are between the ages of 13 and 15, and for consumers under the age of 13. If your business has knowledge that it sells or shares the personal information of consumers in these age groups, it must provide a process for obtaining their affirmative consent (or their guardian’s consent) to opt in, and also describe this process in the privacy notice.
Businesses cannot discriminate against consumers for exercising their CCPA rights, but they can offer consumers financial incentives for opting in to the use and sale or sharing of their personal information. They can also charge a different price to consumers who opt out, as long as the price difference is related to the value provided to the business by that consumer’s personal information. Businesses that do either of those things must explain it in their privacy notice.
With all the necessary privacy notices out of the way, the final component of CCPA compliance is responding to privacy requests from consumers. Businesses should already have a plan in place for handling these requests before they ever receive one. Going through a few trial runs will help identify any gaps in the system and ensure that requests can be processed in a timely manner.
This section does not include a detailed description of each privacy right—you can find that in Chapter 2—but rather identifies the key issues that businesses should be aware of when responding to each type of privacy request.
Because there are security concerns associated with disclosing personal information, requests to know must be verifiable. When determining the level of verification necessary, businesses should take into account the sensitivity of the information. For requests to know less sensitive personal information, an email verification is usually sufficient. Requests to know more sensitive information may require additional security steps, or perhaps an account login if they have an online account (businesses cannot require a consumer to create an account in order to process the request).
There are also several types of specific information that a business cannot disclose to the consumer. These are:
In these cases, the business should just describe the type of information collected.
Businesses must acknowledge receipt of the request to know within 10 days, and have 45 days to comply. This can be extended for an additional 45 days when reasonably necessary, provided the consumer is notified before the original 45-day period has lapsed.
Requests to delete personal information involve many of the same issues as requests to know. Like requests to know, businesses must verify the request before complying. The level of verification required depends on the type of information being deleted. For example, before deleting sensitive information such as family photos, the business must verify the consumer’s identity to a higher degree of certainty.
Complying with the deletion request does not necessarily require deleting the information. Deidentifying or aggregating the data—changing it so it can no longer be linked to a specific individual—also fulfills the business’s obligation. If the business determines that it does not need to delete because one of the CCPA’s exceptions applies, it must inform the consumer of this decision.
Businesses must also notify service providers, contractors, and third parties of the request to delete, unless notification would be impossible or involve disproportionate effort.
Businesses must acknowledge receipt of the request to delete within 10 days, and have 45 days to comply. This can be extended for an additional 45 days when reasonably necessary, provided the consumer is notified before the original 45-day period has lapsed.
Businesses must provide at least two methods to submit opt-out requests, including an interactive form accessible via their “Do Not Sell or Share My Personal Information” link. Websites must also treat opt-out preference signals such as Global Privacy Control as valid requests to opt out.
Businesses may give customers the option to opt out of specific types of information selling, as long as there is a prominent option that opts out of the sale of all personal information. Once a consumer has opted out, the business must wait at least 12 months before asking them to opt in again.
The opt-out request must be easy to execute and require minimal steps. CCPA regulations offer several examples of prohibited practices:
Unlike requests to know and delete, requests to opt out do not need to be verified. However, businesses can deny a request if they have a good-faith, reasonable, and documented cause to believe the request is fraudulent.
Businesses must comply with a request to opt out within 15 days of receiving it.
Businesses must respond to consumer requests to correct inaccurate personal information. Similar to requests to know and requests to delete, requests to correct must be verifiable. Businesses have 45 days to comply with the request, though that may be extended to 90 days if reasonably necessary and the consumer is notified. Businesses are only required to make “commercially reasonable efforts” to correct the information.
The CCPA now gives consumers the right to limit use and disclosure of their sensitive personal information. This addition brings the California law closer in line with the data privacy protections of the European Union’s privacy law, the General Data Protection Regulation (GDPR).
In order to respond efficiently to a request to limit, businesses should identify in advance what sensitive personal information they process, and the necessary procedures for limiting its use.
The CCPA also imposes cybersecurity requirements on businesses that collect personal information. The law creates a private right of action for consumers in the event of a data breach where nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices.
In order to avoid potential class-action lawsuits, businesses should encrypt and redact consumers’ personal information wherever possible, and implement and maintain reasonable data security procedures. Neither the law nor the regulations give specific guidance on what security measures are required, so it is likely to depend on the situation and personal information involved.
With a complete data map, updated privacy notices, and practiced responses to privacy requests, CCPA compliance is a very manageable goal. For the most part, becoming CCPA compliant is a one-time process, coupled with the handling of privacy requests as they come up. There are a few ongoing, periodic tasks that businesses must perform in order to maintain their compliance.
The next chapter, “Staying CCPA Compliant,” discusses these maintenance tasks and gives businesses a sense of how much effort is involved.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.