Blog Compliance How to comply with CCPA: A step-by-step guide December 5, 2023 Oro Oro provides content designed to educate and help audiences on their compliance journey. The California Consumer Privacy Act (CCPA) and its update, the California Privacy Rights Act (CPRA) is a comprehensive data privacy law providing Californians with more control over their personal information and sets requirements for businesses collecting, using, and selling their data. To help you navigate this complex regulation, we’ve created a step-by-step guide on how to comply with CCPA, ensuring your business is CCPA compliant. Key takeaways Understand your obligations under the CCPA to avoid penalties Update privacy policies and provide data collection notices for transparency and trust Manage consumer requests, ensure data security, audit third parties, and train staff—all essential steps for compliance Understanding the California Consumer Privacy Act (CCPA) At its core, the CCPA provides more transparency and control to consumers over how their personal data is collected, used, and sold. Businesses must be aware of their obligations under the CCPA, as failure to comply can result in hefty fines and legal action. You may wonder what qualifies as personal data and how the CCPA impacts your business practices. Let’s explore these aspects. What is considered personal data under CCPA? Under the CCPA, personal data includes any information linking to an individual or household. The following are considered personal data: Names and aliases Social security numbers Drivers license numbers Passport numbers Addresses Email addresses Device identifiers, like IP addresses Account names Credit and debit card numbers Income and financial data Purchase history Browsing and search history Geolocation data Biometric data Employment and/or education-related personal information Political and/or religious affiliation It is crucial to understand the implications of personal information collected and how it can impact individuals’ privacy. However, not all information falls under this category; public information from government records, aggregated data, and certain consumer-shared information are exempt from CCPA regulations. Who needs to comply with CCPA? The CCPA and CPRA applies to for-profit businesses that collect and sell the personal information of California residents, maintain reasonable security procedures, and meet at least one of three specific criteria: They have annual gross revenues exceeding $25 million They buy, sell, receive, or share personal information of 100,000 or more consumers, households, or devices They earn 50% or more of their annual revenue from selling or sharing personal data. If your business aligns with any of these categories, understanding and adhering to the CCPA requirements is required. Compliance with the CCPA not only safeguards your California customers’ privacy rights but also exhibits your dedication to data security and transparency, thereby enhancing trust among your clientele. Here are the key details of CCPA at-a-glance: Key consumer rights under CCPA The CCPA empowers California consumers with a set of key rights regarding their personal information. By understanding these rights, businesses can better address consumer concerns and ensure their practices remain compliant with the CCPA. Right to notice The right to notice requires businesses to inform consumers about what type of personal information they are collecting and how they plan to use it, either before or at the point of collection. This disclosure must include: Details about the categories of personal information being collected The purposes for which it will be used Any third parties with whom the business shares or sells the information The length of time the personal information will be retained and a link to the business’s privacy policy Right of access/right to request The right of access, also known as the right to request, allows consumers to obtain the personal information a business has collected about them. To comply with this right, businesses must provide at least two ways for consumers to submit requests, such as a: Toll-free phone number (a must-have if the business is not exclusively online) Email address Website form Hard copy form Note: A business operating exclusively online that has a direct relationship with a consumer is only required to provide an email address. Once a request is received, businesses must confirm receipt of request within ten (10) days with a response in 45 days (and an additional 45 days once the consumer is notified.) Right to know The right to know grants consumers the ability to learn how their personal information is being used, sold, or shared by businesses. This includes the categories of personal information collected, the sources from which it was obtained, the purpose for which it was collected or sold, and the third parties with whom it is shared, disclosed, or sold. To comply with the right to know, businesses must provide the requested information within 45 days, with the possibility of an additional 45-day extension if the consumer is notified. Right to opt out The right to opt out enables consumers to tell businesses not to sell or share their personal information. Businesses must provide a clear and conspicuous link on their website, usually labeled “Do Not Sell My Personal Information,” where consumers can exercise this right. Recommended for you Updates to privacy law: what does CPRA mean for you? The California Privacy Rights Act amended CCPA and provides new guidance and additional privacy protections for consumers. CCPA: Understanding the California privacy act and its enhancement (CPRA) icon-arrow-long Right to delete Under the right to delete, consumers can request businesses delete any personal information they have collected. To comply with this right, the consumer’s identity needs to be verified for a deletion to occur. Businesses must also provide at least two methods for consumers to submit deletion requests, such as a: Toll-free phone number (a must-have if the business is not exclusively online) Email address Website form Hard copy form Note: A business operating exclusively online that has a direct relationship with a consumer is only required to provide an email address. Once a request is received, businesses must respond within 45 days, with the possibility of an additional 45-day extension if the consumer is notified. Right to notification of financial incentive The right to notification of financial incentive requires businesses to inform consumers of any financial incentives offered in exchange for the collection, sale, or deletion of their personal information. Businesses must clearly explain the material terms of the incentive program, including the categories of personal information involved, the value of the consumer’s data (along with the method used to calculate this value), how the consumer can opt in or out of the program, and a statement the consumer can withdraw at any time (or exercise their right). Right not to be discriminated against The right not to be discriminated against ensures consumers cannot be denied goods or services, charged different prices, or receive lower quality goods or services due to exercising their CCPA rights. This protection encourages consumers to exercise their rights without fear of negative consequences, promoting a fair and transparent marketplace. Steps to comply with CCPA Ensuring your business is CCPA-compliant requires adherence to a series of steps covering all necessary requirements and obligations. These steps include: Understanding your obligations Updating your privacy policy Implementing data collection notices Managing consumer requests and responses Ensuring data security Auditing third-party contracts Providing staff training Each of these steps holds a significant role in CCPA compliance. Let’s examine each one… 1. Know your obligations The first step in CCPA compliance is understanding your business’s obligations under the law. This involves familiarizing yourself with the key provisions of the CCPA, such as the consumer rights it grants, the types of personal information it covers, and the specific rules and requirements it imposes on businesses. 2. Updating your privacy policy A crucial step in CCPA compliance is updating your privacy policy to reflect the requirements of the law. This involves: Disclosing the categories of personal information you collect Stating the purposes for which the information is used Identifying any third parties with whom you share or sell the information Informing consumers of their rights under the CCPA Providing clear instructions on how consumers can exercise these rights Frequent reviews and updates of your privacy policy can uphold transparency and exhibit your dedication to data privacy. 3. Implementing data collection notices To comply with the CCPA’s right to notice, businesses must implement data collection notices informing consumers about the types of personal information being collected and the purposes for which it will be used. These notices should be provided before or at the point of collection and must be clear, conspicuous, and easy to understand. Implementing data collection notices can help businesses maintain transparency and build trust with their customers by informing them about the data collected and managing their data inventory effectively. 4. Managing consumer requests and responses Another essential aspect of CCPA compliance is effectively managing consumer requests and responses. This includes: Providing at least two methods for consumers to submit requests, for example: Toll-free phone number (a must-have if the business is not exclusively online) Email address Website form Hard copy form Note: A business operating exclusively online that has a direct relationship with a consumer is only required to provide an email address. Verifying the identity of the consumer making the request Responding within the required time frame Having processes in place to handle requests for access, correction, deletion, and opt-out, as well as any necessary follow-up actions. 5. Ensuring data security and breach notification Data security is a critical component of CCPA compliance, and businesses must implement reasonable security measures to protect consumers’ personal information. In the event of a data breach, businesses are required to notify affected consumers and, in some cases, the California Attorney General. Investing in data security and establishing a breach notification plan can reduce the risk of expensive penalties and reputational harm linked to data breaches. 6. Auditing and updating third-party contracts CCPA compliance extends to your business’s relationships with third-party processors, making it crucial to audit and update your third-party contracts. This process involves: Identifying all third-party processors handling personal data Reviewing existing contracts for CCPA compliance Amending contracts as necessary to include CCPA-specific language 7. Training and awareness for staff Finally, staff training and awareness are essential for CCPA compliance. Employees who handle customer inquiries about a company’s privacy policies or process personal information must be knowledgeable about the CCPA and its requirements. Regular training on the CCPA, consumer rights, and data security best practices can help ensure your staff is well-equipped to handle any privacy-related issues and maintain compliance with the law. Keep in mind, CCPA compliance is a continuous process, and staying informed about any law updates or changes is vital. Regularly reviewing your practices and policies, as well as maintaining open communication with consumers, will help your business remain compliant and foster trust with your clientele. The cost of getting it wrong: Penalties and enforcement of CCPA Non-compliance with the CCPA can result in significant penalties and legal action. The California Attorney General is responsible for enforcing the law, and businesses failing to comply can face fines of up to $7,500 per violation. Additionally, consumers affected by a data breach may take legal action against the business, with potential damages ranging from $100 to $750 per consumer per incident. Potential financial and reputational consequences of non-compliance underline the importance of sticking to the CCPA regulations. By following the steps outlined in this guide and maintaining a strong commitment to data privacy, your business can avoid costly penalties and protect the privacy rights of California consumers. More FAQs about CCPA How does a business comply with CCPA? Businesses must comply with consumer requests to delete their data, provide notices explaining their privacy practices, and update third-party contracts. Additionally, they must require vendors to provide data inventories, due diligence questionnaires, records of processing, and ensure data syncability. What is an example of CCPA compliance? Examples of CCPA compliance include a business: Updating its privacy policy to clearly explain how it uses third-party cookies Allowing consumers to fully opt out of the sale of their personal information, including in connection with targeted advertising Simplifying the opt-out mechanism on its website. What are ways the CCPA protects consumers? The CCPA provides consumers with key protections, such as the right to know what information is collected about them and how it’s used, the right to delete their personal information, and the right to opt out of data sales or sharing. What types of businesses need to comply with CCPA? Businesses collecting and selling personal information of California residents meeting certain criteria must comply with CCPA. This includes for-profit companies with annual gross revenues exceeding $25 million, handling personal information of 100,000 or more consumers, or earning more than 50% of their annual revenue from selling personal data. Share this post with your network: Facebook Twitter LinkedIn