When the GDPR was enacted in 2018, businesses all over the world were forced to rework their Privacy Policies, websites and business practices in response to the regulation's new rules. It also forced countries to begin overhauling their own privacy laws to keep pace with the EU's stricter privacy regulations.
Businesses and countries must look at their Privacy Policies and laws again now that the CCPA has been enacted, effective January 1, 2020. The CCPA is an overarching, far-reaching privacy law that adds further protections for consumers regarding their privacy online.
The CCPA, or the California Consumer Privacy Act, is the latest privacy law with far-reaching effects to be enacted anywhere in the world. The act came into effect at the beginning of 2020 with the purpose of enhancing the rights of California consumers and creating a transparent relationship between websites or apps and their users. The act gives consumers "more control" over the personal information that businesses collect about them.
The four major rights it gives California consumers are:
What qualifies as "personal information" under the CCPA covers a wide range of data. The act's definition is intentionally broad so that it includes as much as possible, including:
Note that the above list is not exhaustive. Any information that "identifies, relates to, or could reasonably be linked" to a consumer is considered private information.
Like the act's definition of "private information," the set of businesses that fall under its umbrella is also intentionally broad. However, there are exceptions.
The act only applies to for-profit businesses. The CCPA does not apply to non-profits or governmental agencies.
In addition to being a for-profit business and doing business in California or having California consumers, there are additional requirements that you must meet, which include:
Note the "or." You have to meet only one of the additional items, not all of them, for the CCPA to apply.
The only way a consumer can sue under the CCPA is if there is a data breach at the business, and even then there are certain limitations.
First, a consumer can sue if the business failed to "maintain reasonable security procedures and practices" to protect the information. If this happens, a consumer can:
Sue for statutory damages
A consumer cannot sue if your business has been able to cure the violation and provides a written statement reflecting the cure.
Other violations under the CCPA can only be brought by the Attorney General of California. Consumers can file a "consumer complaint" with the Attorney General, which could lead to a lawsuit. This is why making sure your policy follows the guidelines of the CCPA is extremely important.
Let's take a closer look at each of these.
As we mentioned above, the CCPA's greatest impact on privacy laws is that it has given California residents additional rights over how they control the collection and use of their personal information.
Know What Information. Consumers have the right to know what information is being collected by the business.
Delete Information. They have the right to request that their information be deleted from the website or app.
Opt-Out of Selling Information. Consumers are able to tell websites that their information may not be sold to third parties.
Not be Discriminated Against. They also have the right to not be discriminated against if they choose to exercise any of the above rights.
A critical thing to note is that only California residents have rights under the CCPA. A resident of New York will not have access to the same rights. California residents who are temporarily outside of the state still retain those rights.
California consumers under the CCPA have the "right to know about the personal information" that is collected by a business, website, or app.
The information a consumer has the right to access or request can include:
If a business sells information, the same categories apply to what is being disclosed or sold to third parties.
Businesses must offer two different methods for consumers to request what information is collected, and one of them must be a toll-free number. The other could be an email address, a website form, or a paper form. This information should appear somewhere in your policy.
Apple has a good example of how to have two options, the toll-free number and an email address:
If your business has a website, one of the methods must be through the website. However, if your business is only online, you only need to provide an email address.
When a consumer submits a request to know, businesses have 45 calendar days to respond. This time limit can be extended by another 45 days if the business notifies the consumer.
You can state how consumers can make those requests as Canva does:
One of the rights given under the CCPA is the right to request deletion of information collected by businesses, so it is essential, and a requirement, that your policy has a section stating how a consumer can do this.
Your business must provide at least two ways for a consumer to request deletion. The combination doesn't matter, as long as there are at least two. These can be through a:
Wells Fargo combines a phone number and a link to submit a request via a website form:
The right to opt-out of selling information allows consumers to tell businesses that, once they have received the opt-out request, they cannot sell the consumer's private information. This can change if the consumer decides to opt back in. However, there is a grace period of 12 months before a business can ask a consumer to opt back in.
Remember, the link needs to be easily accessible since this is a requirement under the law.
Uber offers a separate link in its footer to its Do Not Sell Page:
You can create a simple request form on your page where consumers can request as Six Flags does on its website:
The CCPA's requirement for detailing what private information is collected is similar to other laws, such as the GDPR. It clearly gives consumers the right to ask what information businesses have "collected, shared, or sold about." The information provided must cover the 12-month period preceding the request.
The CCPA provides a long list of the types of information collected that fall under its purview. Here are just a few:
REI provides a detailed example of all of the information that it collects:
The CCPA requires that the "sources" from which you collect private information be disclosed. It's not necessary to go into as much detail as you would for what information is collected, just where you collected it. This section can also cover "how" you collect personal information.
Examples include online forms, email lists, checkouts, site usage, etc.
Blue Apron's sources include analytics vendors and cookies:
Weebly's sources, on the other hand, include social media, direct sources, devices, or affiliates:
Make sure you include all of the different ways you use the information. Using the data in a way that was not listed, or that the consumer did not give permission for, could be a violation of the act and could make your business liable.
You can separate your reasons as the BBC does, or create a simple list. What matters most is that it's clear:
A business or website cannot discriminate against a consumer who chooses to exercise one of their rights under the CCPA.
If a consumer exercised one of their rights, a business cannot:
It's recommended to state in your policy, or in your California resident section, that your business does not discriminate against consumers who exercise their rights, as Macy's does in its California section:
A unique feature of the CCPA is that it requires businesses to disclose to consumers all types of information they have disclosed for "business purposes" in the last 12 months.
Under the CCPA, a "business purpose" can be any one of the following. The list below isn't complete, as there is any number of business purposes for which your business may sell the information.
The ones included in the act are:
Even if you haven't disclosed personal information in the last 12 months, you still need to notify users that you haven't done so. In this particular section, it's better to be overly descriptive than vague about what you disclosed and why.
Hulu lists every type of provider and what type of information is disclosed:
The notice must be given "at or before" the point of collection. This can be on your business's homepage or the checkout page. If your business is a brick-and-mortar store, you can post a flyer notifying customers of the collection.
Since the CCPA gives direction on where consumers should look, it's best to follow its suggestions and include your link in the footer, on a settings page, or in a sidebar where consumers can easily access it.
Coach includes its link in its footer:
These rights are:
How this is reflected in your policy is that you are now required to have certain sections. If you don't have these sections, you may be in violation of the CCPA: