Stay updated on the California Consumer Privacy Act (CCPA) regulations for 2024. Secure Privacy provides essential guidelines to ensure compliance, covering privacy policies, opt-out mechanisms, risk assessments, employee training, and more. Learn how to adapt your data protection practices.
The California Consumer Privacy Act (CCPA) is updated regularly, so you need to keep track of the new CCPA regulations and adjust your data protection practices accordingly. We at Secure Privacy follow the updates day after day to keep our CCPA compliance solution current, so that you stay compliant when you use it.
Here's what you need to be aware of to be compliant with the CCPA in 2024.
The CCPA was updated in 2023, first with the CPRA, and later on with the CCPA regulations. Taking all the recent novelties into account, here's what every business has to know to be CCPA-compliant.
We'll discuss the following below:
Every website must publish a privacy policy and be transparent with consumers about the business's privacy practices. The policy informs consumers about how the website handles their data.
Each CCPA privacy policy must contain at least the following:
Read more about the CCPA privacy policy requirements.
The CCPA doesn't specifically demand a cookie banner. But if you use a cookie banner, you'll meet the privacy notice requirement easily.
The CCPA mandates that businesses give clear and conspicuous privacy notices to their customers. These notices must be presented to users right when they land on your website. You have different options for these notices, and one way to display them is through a banner.
The CCPA requires four different types of privacy notices:
Only businesses that collect personal information are required to provide a notice at collection. The CCPA notice at collection informs consumers that you're gathering and processing their data and explains how and why you do so. This notice must be given at or before the time you collect the data. Given how tracking technology works, you need to display this notice on your website as soon as a visitor arrives.
In your notice, include a link to the privacy policy. The link should take users straight to the relevant sections of the policy rather than to its beginning, so consumers don't have to search for the information they need.
The notice of the right to opt out is self-explanatory: businesses that sell or share personal information must notify users and allow them to opt out of the sale or sharing of their personal information.
Businesses that process sensitive personal information, such as health and financial data, ethnic background, sexual orientation, and political or religious beliefs, must let consumers limit the use of that data. This notice informs users of that right.
Businesses can offer financial rewards such as discounts, coupons, or loyalty programs to their customers, and these programs involve processing personal information. When using personal data for such incentives, a business must issue a notice of financial incentive. Its purpose is to help consumers understand the trade-off between sharing their information and receiving a financial benefit from the business.
Read our in-depth article about CCPA privacy notices.
Consumers have the right to opt out of the processing of their personal information. You have to provide them with the following opt-out mechanisms:
The CCPA explicitly requires businesses to have written agreements with service providers that process personal information on their behalf. A service provider must not process any data without a written agreement in place.
This is therefore one of the most important CCPA requirements. The agreement must contain provisions on the categories of data, the purposes of processing, assistance in demonstrating compliance, confidentiality of the processing, and other elements.
Businesses involved in some processing activities must conduct risk assessments before processing. The covered activities are considered to pose a significant risk to consumers' privacy; therefore, the business has to assess the risks before getting into the processing.
The covered activities include:
Many businesses share personal information, so many of them will have to assess the risks before engaging in that kind of processing.
Some companies will need to perform cybersecurity audits to demonstrate that they follow the CCPA rules. It has not yet been decided which businesses must do this.
The proposed rules set one threshold: businesses that derive over 50% of their income from selling or sharing personal data. Further criteria may be added later, such as the size of the company, its yearly revenue, or the number of people whose data it handles.
The audits must be conducted by independent professionals, who verify the cybersecurity standards the organization actually applies.
These audits are part of the wider requirement to implement reasonable security measures that keep consumer data safe.
Consumers have several data privacy rights under the CCPA that you have to respect. These include the right to know, the right to access all or specific pieces of personal information, the right to request the deletion of their data, the right to correct data, and the right to data portability.
Businesses must comply with CCPA requests to exercise those rights. Before acting on a request, you need to verify the identity of the requester to prevent abuse. Once the requester is verified, you must comply with the request; the exception is that, in some situations, you may decline a request to delete personal information.
You have to respond to requests within 45 days of receiving them. The response must be free of charge unless it causes you significant expense.
You are only as strong as your weakest link; therefore, you have to ensure that all your employees and contractors understand the legal requirements imposed on your company and have the knowledge to comply with them.
The CCPA explicitly requires training for personnel who handle personal information. It is not a nice-to-have; it is a requirement. Conduct regular training sessions so that your people know how to comply with the CCPA, and make training part of your compliance strategy.
Read more about training personnel on the CCPA.
This checklist is a must for businesses to which the California Consumer Privacy Act applies. The law applies to for-profit firms that do business in California, process the data of California residents, and:
AND
If you recognize your business in these criteria, take this 2024 CCPA compliance checklist seriously.
The CCPA imposes financial and civil penalties for non-compliance: USD 2,500 per unintentional violation, USD 7,500 per intentional violation, and USD 100-750 per consumer per incident for violations of consumer rights.
By proactively complying with the CCPA, businesses can avoid legal and financial repercussions and build trust with consumers.