



The California Consumer Privacy Act (CCPA) is a law that requires businesses and service providers to provide certain disclosures to consumers about their personal data. The law also gives consumers and data subjects the right to request that businesses delete their personal data. If your business collects, processes, or sells the personal data of California residents, you need to comply with the CCPA. This blog post provides a compliance checklist for your privacy policy to help you get started. (A specialized CCPA checklist is available for businesses that run a digital marketing agency.)
The California Consumer Privacy Act (CCPA) is a state law that gives consumers the right to know what personal information is being collected about them, the right to delete that information, and the right to opt out of its sale. The law applies to companies that do business in California and meet certain criteria, such as having annual revenues over $25 million or collecting personal information from 50,000 or more consumers.

The CCPA went into effect on 1 January 2020, and enforcement began on 1 July 2020. A new law, the California Privacy Rights Act (CPRA), takes effect on 1 January 2023. Until then, companies remain subject to the CCPA and must post a privacy policy that includes specific information about their data collection and handling practices. They must also provide a way for consumers to exercise their rights under the CCPA.

The CCPA is similar to the EU’s General Data Protection Regulation (GDPR), but some important differences exist. For example, GDPR compliance requires companies to obtain explicit consumer consent before collecting or using personal data, while the CCPA does not. The CCPA also gives Californians the right to sue companies for data breaches, even if they suffer no financial harm from the breach.

If you’re doing business in California, it’s important to make sure you comply with the CCPA. Use this checklist to make sure you have everything covered. Does your privacy policy meet all of the requirements of the CCPA?
The CCPA applies to any business that meets one or more of the following criteria:
The CCPA has a number of requirements for businesses that collect, use, and store the personal information of California residents. Below is the CCPA compliance checklist:
Regarding your privacy policy, you need to keep a few key things in mind to ensure compliance with the California Consumer Privacy Act (CCPA). Here is a quick checklist of what you should include in your CCPA privacy policy:
By ensuring that your privacy policy covers all of these bases, you can help to ensure compliance with the CCPA.
According to the CCPA, you must reveal a list of all the categories of personal information your business has gathered in the previous 12 months from any source.
This requirement is connected to updating your privacy policy every 12 months. Specifically, each time you update your privacy policy, you must disclose the categories of personal information your business collected in the previous year.
Under the CCPA, the types of personal data you must reveal include:
After you list the personal information you collected last year, you must also say where you got each type of information. Examples of sources of information include:
It's important to be clear and specific about where the personal information you gather comes from.
For your privacy policy to be CCPA-compliant, you must let your consumers know why you collect the kind of information you do. Here, you should clearly explain what you use this data for.
Some of the reasons why businesses collect information include:
The CCPA requires you to list user information categories shared for business reasons in the previous year.
Section 1798.140 of the CCPA clarifies which activities are considered ‘business purposes.’ They include:
If you have not shared information for a business objective, you must make a declaration to this effect in your privacy policy.
Furthermore, you must declare if you disclosed consumer information to a third party, which is then disclosed for business purposes on your behalf. Check out Secure Privacy’s Ultimate CCPA Guide.
The CCPA requires you to declare the categories of personal information you sold in the previous 12 months. You need to update this disclosure in your annual privacy policy updates.
In addition, you need to disclose the reasons why you have sold the data.
In the event that your business does not sell personal information, this should also be clear in your privacy policy.
Businesses often share consumer personal information with third parties, and that must be disclosed in the privacy policy.
The CCPA-compliant business must disclose the categories of data shared in the last 12 months, the purposes for sharing it, and the third parties with whom each category of data has been shared.
You must inform users whether you disclose their sensitive personal information to third parties. Such information includes racial or ethnic origin, health data, financial data, etc.
Businesses are exempt from this requirement only if they disclose the data for any of the following purposes:
Should the business process consumers’ sensitive data for other purposes, it must allow consumers to limit the use of their sensitive data.
California’s data privacy law establishes an opt-in obligation for children between 13 and 16 years old. Minors in this age group must opt in before their personal data can be sold.
Moreover, the CCPA requires your business to get the consent of a parent or a guardian before selling the information of a minor below the age of 13 years.
This requirement is very important if your target market includes children, but it applies to any business that knows the age of a minor.
The business must explicitly state if they knowingly collect and process children’s personal information.
Even if the business does not knowingly process children’s data, it must be explicitly stated in the privacy policy.
Your privacy policy must contain the consumer rights established under the CCPA. Essentially, consumers are entitled to:
It is not adequate to outline the rights consumers are entitled to under the CCPA. Instead, your privacy policy must inform them how to access their personal data.
Also, ensure your users know that you will respond to their request within 45 days, as the CCPA requires.
You must give the consumer at least two ways to get this information: a toll-free phone number and a website address.
However, if your business operates exclusively online and has a direct relationship with the consumer, you need only provide an email address for submitting requests.
You must also ensure that your policy informs users of their right to delete their personal information and explains how they can make this request, including how their identity would be verified.
You need to provide a way through which consumers can exercise this right.
The business must also explain to consumers how they can use Global Privacy Control (GPC) or a similar mechanism that signals their opt-out preference to websites.
Unlike the GDPR, to have a CCPA-compliant privacy policy, you need a clear and noticeable link labeled ‘Do Not Sell My Personal Information.’
You must display this link in the privacy policy and the web page’s footer. This link aims to allow consumers to opt out of having their personal data sold by companies.
However, your business is exempt from meeting this obligation if you do not sell personal data.
The CCPA requires your business to have a noticeable link to your privacy policy on the homepage of your website.
In this case, most businesses prefer to have a link in the website’s footer since that is the customary location of a company’s legal policies. Learn how to add a Privacy Policy button to a website.
Under the CCPA, you must update your privacy policy every 12 months.
To keep your privacy policy compliant with the CCPA, you need a way to track changes made to the regulation.
Apart from updating your privacy policy every year, you will need to clearly display the last date the policy was updated for users to see. In this context, you may be required to add a short overview outlining the changes made in the most recent update.
The CCPA makes it clear that consumers should not be treated unfairly just because they are using their legal rights.
Because of this, you must tell users that they will not be discriminated against for exercising their rights under the CCPA.
The CCPA requires businesses to adopt transparency in data collection and sharing. To ensure your privacy policy is CCPA-compliant, you must add clauses specific to the aforementioned rights.
Secure Privacy relieves you of the burden of developing your company's privacy policy. Our solution gives you a privacy policy generator with which you can customize your privacy notice to meet the requirements of the CCPA.
Schedule a call with us today and get expert guidance on our solution and how we can support your CCPA compliance journey.
To avoid CCPA non-compliance, you can do a few key things to ensure your organization is on the right track. Here are some tips for staying compliant:
1. Understand the requirements: The first step to compliance is understanding the CCPA’s requirements for businesses. Make sure you know the ins and outs of the law so you can take the necessary steps to comply.
2. Create a privacy policy: A key part of compliance is having a clear and concise privacy policy that outlines your data collection and use practices. Your policy should be easily accessible to consumers and easy to understand.
3. Train your employees: Employees who handle customer data need to be trained on CCPA requirements and your organization’s privacy policy. They should know how to handle requests from consumers and keep data secure.
4. Keep records updated: Maintaining accurate customer data records is important for compliance. You should have a system for tracking the data collected, used, and deleted. This will help you respond quickly to any consumer requests.
5. Be prepared for audits: The CCPA gives the attorney general’s office the right to audit businesses for compliance. Be sure you have all the necessary documentation and records to pass an audit with flying colors.
Although CCPA doesn’t require an audit, you must constantly monitor data security and CCPA security measures to avoid fines if you’re ever under investigation. The only way to ensure daily CCPA compliance is through automation. Check out Secure Privacy’s solutions that fit your needs.
The California Consumer Privacy Act (CCPA) is a law that requires businesses to disclose what personal information they collect and how it is used. The law also allows consumers to request that their personal information be deleted. If you are doing business in California, you must ensure your privacy policy complies with CCPA requirements. This checklist will help you ensure that your policy meets all the necessary requirements.