The California Consumer Privacy Act (CCPA) imposes a lot of new responsibilities on businesses and requires them to change the way they think about consumer data. For the most part, businesses can continue collecting and using personal data as they were before, but they must be more transparent about it and be prepared to respond to consumer requests regarding their rights.
In this chapter, we’ve outlined the major actions a business must take in order to become CCPA compliant, from data mapping to preparing for your first privacy request.
Data mapping is the first step to becoming CCPA compliant, and generally the most labor-intensive one as well. During this process, businesses must precisely determine what personal information they are collecting, who they are collecting it from, and who they are sharing it with.
This large task is easier to understand when broken down into two halves: personal information that comes in and personal information that goes out.
Businesses tend to collect a lot of consumer data. In fact, they usually collect more data than they are aware of. That’s why CCPA compliance starts with figuring out who you are collecting personal information from and what categories of personal information you are collecting.
Let’s start with the “who” question. The best way to do this is to identify what groups of consumers you collect information from. Here are some of the most common consumer groups for businesses:
Notice the diversity of groups in this list of examples. Businesses may just be thinking of customers as “consumers,” but the CCPA defines the term simply as any California resident. The CCPA even covers personal information collected for internal or non-commercial purposes, such as from a job applicant. These internal consumer groups are treated differently, though. While a business must disclose to employees and job applicants what personal information it is collecting and for what purpose, at this time these groups don’t have the right to make privacy requests, such as a request to delete.
Identifying the various groups of consumers helps businesses better understand the categories of information they are collecting. Often it is as simple as reviewing the forms used in that particular context. For example, a newsletter subscription may just require an email address, while an online purchase usually involves much more (name, phone number, shipping address, etc.).
Having mapped out your different consumer groups and determined what information you are collecting from them, the next step is to determine which of the information categories are personal information for CCPA purposes. The CCPA defines personal information very broadly, including not just identifiers like names and email addresses, but also IP addresses, search history, geolocation data, and much more. As a practical matter this step is more about finding exceptions, i.e., consumer data that is not personal information. These include:
Creating a thorough and accurate map of your business’s inbound consumer data will make the rest of the CCPA compliance process proceed more smoothly. It will also help your team better respond to consumer requests to know and requests to delete.
In November 2020, voters approved the California Privacy Rights Act (CPRA), sometimes called CCPA 2.0. The CPRA makes a number of significant changes to the CCPA, many of which are meant to strengthen enforcement and provide clarification of the original law.
Most of the changes go into effect on January 1, 2023, but this can be a little misleading. The CPRA contains a 12-month “look back” provision, meaning it applies to personal data collected as early as January 1, 2022. Businesses will need to begin planning their compliance well in advance of the 2023 effective date.
Effective January 1, 2023, the exception for publicly available information is broadened to include information from other sources besides government records. This exception now includes:
After you’ve mapped the inbound data, you must next examine each category of disclosures of personal information to outside parties. The CCPA deals extensively with the sharing and selling of consumers’ personal information, and these disclosures are treated differently according to how they are characterized. The most critical question to ask of any disclosure will be: is this a sale of personal information?
Deciding what is or is not a sale of personal information is important for two reasons. First, if a consumer submits a request to know, the business must disclose the categories of personal information it has sold to third parties. Second, the CCPA gives consumers the right to opt out of the sale of their personal information. In order to honor consumers’ opt-out requests, the business must first know which transactions qualify as sales.
Under the CCPA, the sale of personal information can include:
The most important exception to the CCPA’s definition of selling is the disclosure of personal information to service providers. If a vendor qualifies as a service provider, the transfer of personal information to that vendor is not a sale and is not affected by consumer opt-out requests.
The onboarding of vendors to your CCPA compliance system is therefore critically important, and usually the most time-consuming part of the whole compliance project. In order to qualify as a service provider, the vendor contract must prohibit the vendor from retaining, using, or disclosing consumers’ personal information for any other purpose besides performing the specified service. This means your compliance team will have to examine each vendor contract to see if it contains the necessary language. If it does not, businesses will either have to update the contract or else potentially treat any transfer of information to the vendor as a sale, and thus subject to opt-out requests.
Your business’s data map forms the foundation of all future CCPA compliance. Once it is completed, the rest of the project will be significantly easier.
Effective January 1, 2023, there are a few changes to the definition of a service provider.
The CPRA also adds a new type of outside party, the “contractor.” A contractor qualifies for the same exemptions as a service provider, i.e., they are not affected by opt-out requests, but are defined a little differently. As opposed to a service provider who “processes information” for a business, a contractor is “a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business.” One impact of this addition is that a business’s contracts with contractors must meet similar requirements as those of service providers.
Keeping consumers informed regarding data collection and their privacy rights is a major component of the CCPA. Once a business has finished its data map, it will need to make some changes to its privacy notices. Fortunately, this is usually a pretty straightforward process.
As noted in the previous section, even internal data collection from employees and job applicants is covered by the CCPA. While consumers in these groups don’t have the right to submit privacy requests, e.g., a request to delete, businesses do have to inform them what personal information is being collected and for what purpose. This notice must be given at or before the point of collection (e.g., in the job application or employment agreement).
Businesses that sell personal information must also post a clear and conspicuous “Do Not Sell My Personal Information” link on their homepage. The link should send consumers to this notice.
Additionally, businesses that sell personal information collected while interacting with the consumer offline must provide an offline disclosure of their right to opt out and instructions for making a request. If a business operates a brick-and-mortar store, they can fulfill this obligation with a disclosure on the forms used to collect the information, or by posting signage in the area. If the information is collected over the phone, the business may orally inform the consumer of their opt-out rights.
There are special rules for the sale of personal information from consumers who are between the ages of 13 and 15, and for consumers under the age of 13. If your business has knowledge that it sells the personal information from consumers in these age groups, it must provide a process for obtaining their affirmative consent (or their guardian’s consent) to opt in, and also describe this process in the privacy notice.
Businesses cannot discriminate against consumers for exercising their CCPA rights, but they can offer consumers financial incentives for opting in to the use and sale of their personal information. They can also charge a different price to consumers who opt out, as long as the price difference is related to the value provided to the business by that consumer’s personal information. Businesses that do either of those things must explain it in their privacy notice.
The CPRA adds two new categories of consumer rights: the right to correct inaccurate personal information and the right to limit use and disclosure of sensitive personal information. Effective January 1, 2023, privacy policies must inform consumers of these rights and provide instructions for submitting requests.
Those businesses whose practices are covered by the right to limit use and disclosure of sensitive information must post a clear and conspicuous link on their homepage, titled “Limit the Use of My Sensitive Personal Information.”
The CPRA adds a new term, “sharing,” meaning the disclosure of personal information for purposes of cross-context behavioral advertising (a.k.a. interest-based advertising or retargeting). This type of transaction is treated the same as a sale of personal information. One practical implication is that “Do Not Sell” links on web pages will need to be changed to “Do Not Sell or Share My Personal Information.”
In addition to informing consumers of the business purpose for collecting personal information, the CPRA requires privacy policies to also disclose the business purpose for selling or sharing personal information.
The CPRA states that at some point businesses will be able to satisfy their legal obligations without including “Do Not Sell or Share My Personal Information” or “Limit the Use of My Sensitive Personal Information” links on their homepage. To do so, they must allow consumers to opt out “through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism” based on technical specifications and regulations to be published by the Office of the Attorney General.
With all the necessary privacy notices out of the way, the final component of CCPA compliance is responding to privacy requests from consumers. Businesses should already have a plan in place for handling these requests before they ever receive one. Going through a few trial runs will help identify any gaps in the system and ensure that requests can be processed in a timely manner.
This section does not include a detailed description of each privacy right—you can find that in Chapter 2—but rather identifies the key issues that businesses should be aware of when responding to each type of privacy request.
Consumer requests to know can be divided into two types: requests to know what categories of personal information have been collected (and for what business purpose) and what specific pieces of personal information have been collected. A single request may ask for both types of information.
Because there are security concerns associated with disclosing personal information, requests to know must be verifiable. When determining the level of verification necessary, businesses should take into account the sensitivity of the information. For requests to know categories of information, an email verification is usually sufficient. Requests to know specific pieces of information require additional security steps, or perhaps an account login if the consumer has an online account (businesses cannot require a consumer to create an account in order to process the request).
There are also several types of specific information that a business cannot disclose to the consumer. These are:
In these cases, the business should just describe the type of information collected.
Businesses must acknowledge receipt of the request to know within 10 days, and have 45 days to comply. This can be extended for an additional 45 days when reasonably necessary, provided the consumer is notified before the original 45-day period has lapsed.
The CPRA includes the term “right to access personal information.” This is just a change in terminology. It does not grant any new rights, but refers to a consumer’s right to know what specific pieces of personal information a business has collected.
Requests to delete personal information involve many of the same issues as requests to know. As with requests to know, businesses must verify the request before complying. The level of verification required depends on the type of information being deleted. For example, before deleting sensitive information such as family photos, the business must verify the consumer’s identity to a higher degree of certainty.
Complying with the deletion request does not necessarily require deleting the information. Deidentifying or aggregating the data—changing it so it can no longer be linked to a specific individual—also fulfills the business’s obligation. If the business determines that it does not need to delete because one of the CCPA’s exceptions applies, it must inform the consumer of this decision.
Businesses must acknowledge receipt of the request to delete within 10 days, and have 45 days to comply. This can be extended for an additional 45 days when reasonably necessary, provided the consumer is notified before the original 45-day period has lapsed.
Effective January 1, 2023, after receiving a request to delete, businesses must notify all third parties to whom they have sold or shared a consumer’s personal information. This is in addition to the original requirement to notify service providers (and now contractors) of the deletion request. Such notification is not required if it would be impossible or involve disproportionate effort.
Businesses must provide at least two methods to submit opt-out requests, including an interactive form accessible via the “Do Not Sell My Personal Information” link. Businesses may give customers the option to opt out of specific types of information selling, as long as there is a prominent option that opts out of the sale of all personal information. Once a consumer has opted out, the business must wait at least 12 months before asking them to opt in again.
The opt-out request must be easy to execute and require minimal steps. CCPA regulations offer several examples of prohibited practices:
Unlike requests to know and delete, requests to opt out do not need to be verified. However, businesses can deny a request if they have a good-faith, reasonable, and documented cause to believe the request is fraudulent.
Businesses must comply with a request to opt out within 15 days of receiving it.
Starting January 1, 2023, businesses must respond to consumer requests to correct inaccurate personal information. The California Privacy Protection Agency will draft and release regulations in the future, but here’s what we know for now.
Similar to requests to know and requests to delete, requests to correct must be verifiable. Businesses have 45 days to comply with the request, though that may be extended to 90 days if reasonably necessary and the consumer is notified. Businesses are only required to make “commercially reasonable efforts” to correct the information.
Effective January 1, 2023, the CCPA gives consumers the right to limit use and disclosure of their sensitive personal information. This addition brings the California law closer in line with the data privacy protections of the European Union’s privacy law, the General Data Protection Regulation (GDPR).
Currently, there are no regulations regarding how to handle a request to limit use and disclosure of sensitive personal information. The right bears a strong resemblance to the right to opt out, so it is possible that the procedures for handling the two types of requests will be similar.
The CCPA also imposes cybersecurity requirements on businesses that collect personal information. The law creates a private right of action for consumers in the event of a data breach where nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices.
In order to avoid potential class-action lawsuits, businesses should encrypt and redact consumers’ personal information wherever possible, and implement and maintain reasonable data security procedures. Neither the law nor the regulations give specific guidance on what security measures are required, so it is likely to depend on the situation and personal information involved.
With a complete data map, updated privacy notices, and practiced responses to privacy requests, CCPA compliance is a very manageable goal. For the most part, becoming CCPA compliant is a one-time process, coupled with the handling of privacy requests as they come up. There are a few ongoing, periodic tasks that businesses must perform in order to maintain their compliance.
The next chapter, “Staying CCPA Compliant,” discusses these maintenance tasks and gives businesses a sense of how much effort is involved.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.