CCPA Compliance Checklist (Download Your Action Plan Today)
Ever since the California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, with enforcement beginning on July 1, 2020, businesses that collect Californians' personal information have had to adhere to its requirements. In November 2020, California voters passed the California Privacy Rights Act (CPRA), also known as CCPA 2.0, which amended the CCPA effective January 1, 2023. The long awaited CCPA Regulations issued under the CPRA were finalized in March 2023 and, after litigation over their enforcement date, have been enforceable since February 9, 2024.
With all of these changes, compliance has been something of a bumpy road. Still, for any for-profit entity that does business in California, collects California consumers' personal information and meets the law's revenue or data-volume thresholds, CCPA compliance is not optional: it is legally mandated, and non-compliance carries steep penalties.
In this article we discuss what a CCPA compliance checklist looks like, so covered businesses can gain clarity on their obligations and responsibilities, and we offer an infographic that sums all of this up.
Understanding CCPA in Simple Terms
The California Consumer Privacy Act (CCPA) is California's consumer privacy law. It aims to protect the privacy of California residents and is one of the strictest privacy laws in the world. It applies to businesses that meet its applicability thresholds and that collect and process the personal information of Californians.
Here’s a simpler breakdown of what CCPA means:
- Who it affects: Any for-profit business that does business in California, collects Californians' personal information and satisfies one or more of the following thresholds:
- Has annual gross revenues above $25 million (the figure is inflation-adjusted every two years; it has been $25,625,000 since January 1, 2023);
- Annually buys, sells or shares the personal information of 100,000 or more consumers or households (the CPRA removed "devices" from this threshold); or
- Derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
- What is its purpose: The CCPA aims to give more control to Californians over their personal information while also making sure that businesses are careful with people’s data and telling them how they can use it. The CCPA also mandates that businesses have to keep personal information safe by having good security practices in place which prevent data from getting lost or stolen.
The CCPA, as amended by the CPRA, grants California residents the following rights regarding their personal information:
- Right to Know: Consumers can ask what personal information a business collects about them, why it is collected, and with whom it is shared or sold.
- Right to Access and Data Portability: Consumers can obtain a copy of the personal information a business holds about them, in a portable and readily usable format where technically feasible.
- Right to Delete: Consumers can request the deletion of their personal information from a business's records, subject to the statutory exceptions.
- Right to Correct: Consumers can request that inaccurate personal information be corrected.
- Right to Opt-out: Consumers can opt out of the sale or sharing of their personal information.
- Right to Limit: Consumers can limit the use and disclosure of their sensitive personal information.
- Right to Non-discrimination: Exercising CCPA rights must not lead to discriminatory treatment by the business.
In addition, the CCPA defines "selling" personal information very broadly, which brings many ordinary business activities into scope and has to be carefully studied and understood.
According to the CCPA, selling personal information means:
selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
Your CCPA Compliance Checklist
Here's a CCPA compliance checklist to help your business facilitate CCPA compliance.
- Publish a Privacy Policy: Make sure your website displays a privacy policy that meets the CCPA's requirements, describes consumer rights and explains your data handling practices. The CCPA requires a number of privacy policy disclosures, and yours needs to include:
- Effective date.
- CCPA specific disclosure requirements (if you’d like, you can link to a separate California-specific privacy policy).
- An update at least every twelve (12) months.
- Web forms and contact methods (such as a toll-free phone number; a business that operates exclusively online and has a direct relationship with the consumer may instead offer only an email address) for a California consumer to submit a data subject access request ("DSAR").
- Accurate descriptions of personal information collected, purposes of collection, and any sharing/selling activities.
- Contact information where consumers may submit questions or concerns about the business’s privacy policy and processing activities.
- Ensure Data Processing Transparency: Clearly communicate to your website visitors, at or before the point of collection, how their data is used, shared or sold.
- Maintain An Inventory of Data: Keep a detailed log of the data you collect, process, and/or share.
- Provide Notice at Collection: At or before the point of collection, tell consumers which categories of personal information you collect, the purposes for collecting them, and whether the information is sold or shared. The CCPA is an opt-out regime, so consent to collection is not generally required; the main exception is that selling or sharing the personal information of consumers under 16 requires opt-in consent (from a parent or guardian for children under 13).
- Facilitate Data Subject Requests: Allow consumers easy access to their rights. To do this, you need to establish protocols to promptly respond to consumer inquiries and requests under the CCPA within the timeframes mandated by the law: requests to know, delete or correct must be answered within 45 days (extendable once by a further 45 days with notice to the consumer), and opt-out and limit requests must be honored within 15 business days.
- Implement a "Do Not Sell or Share My Personal Information" Link: Feature this link prominently on all your website pages and anywhere data is collected if you sell or share personal information.
- If you process sensitive personal information, implement a "Limit the use of my sensitive personal information" Link: Feature this link prominently on all your website pages and anywhere data is collected if you process sensitive personal information.
- Understand the "Do Not Sell or Share" Obligations: Under the CCPA, even indirect disclosures of data can count as selling or sharing. For example, if you disclose consumer data through an embedded YouTube video, this could very well be considered a sale of information. Make sure your website carries an accessible "Do Not Sell or Share My Personal Information" link, that your privacy policy is transparent about your data sharing practices, and that it differentiates between sales and exchanges of data with service providers. Some things to consider:
- Even if your business is not a data broker, you should review your AdTech activities, starting with the cookies and trackers on your website. If you use common tools like Google Analytics or Facebook Pixel, this may fall under the definition of "sale" or "sharing" (disclosure for cross-context behavioral advertising).
- If you’re using cookies or tracking scripts, or sharing/selling data in any way, you should outline this in your privacy policy.
- Explore whether your sharing activities are exclusively to “service providers” or businesses that would not meet the “sale” criteria and make sure the privacy policy accurately discloses those activities.
- Understand the Scope of "Sale": The CCPA's definition of selling data is broad, capturing many forms of data transactions. Ensure you understand what "sale" means and how it applies to your business in order to facilitate compliance.
- Keep Your Privacy Policies Updated: CCPA compliance involves regular privacy policy updates to reflect the latest data practices and legal requirements of your business, along with providing clear channels for consumers to exercise their CCPA rights.
- Provide Consumers with Opt-Out Mechanisms: The CCPA requires that companies give consumers a way to opt out of the sale or sharing of their personal information. One of the most common data collection points is a company's website, and likely the most common personal information collected there is a visitor's IP address. If your website uses cookies or tracking scripts (most do), it is highly likely that you are collecting personal information, and if any of it is disclosed to advertising or analytics partners, you need to give consumers a way to opt out of that sale or sharing. A passive "Do Not Track" browser header or an email address on its own does not satisfy this requirement. What you must do is provide the "Do Not Sell or Share" link and, under the CCPA Regulations, honor an opt-out preference signal such as Global Privacy Control (GPC) sent by the consumer's browser as a valid opt-out request. You should consider using a cookie consent management platform to implement this and ensure consumer choice is respected.
- Conduct Regular Privacy Assessments (where applicable): In specific cases, for example data processing that presents a significant risk to consumers' privacy, you need to conduct a risk assessment. If your processing meets these criteria, conduct the required assessments and periodically review your data practices and privacy policy to ensure ongoing CCPA compliance.
- Training and Awareness: Arrange regular training of your employees on CCPA compliance, with a special focus on those who handle consumer inquiries and data processing.
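The "Do Not Sell or Share" link and the opt-out mechanism items above describe what the website must do; the following is an added example of how the decision can be implemented in code. It is not Clym's code and not code from the original page. It assumes a hypothetical opt-out cookie named `ccpa_optout`, headers in the lowercase form Node's `http` module exposes, and the GPC specification's `Sec-GPC: 1` request header and `navigator.globalPrivacyControl` property. The legacy `DNT` header is deliberately ignored for the decision, since it is not a recognized opt-out preference signal.

```javascript
// Added example (not from the page or Clym): gating sale/share tags on a
// CCPA opt-out, honoring a Global Privacy Control (GPC) signal.
// Hypothetical cookie name used to persist an explicit opt-out made via the
// "Do Not Sell or Share My Personal Information" link.
const OPTOUT_COOKIE = 'ccpa_optout';

// Parse a raw Cookie header ("a=1; b=2") into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Server-side decision for one request: is an opt-out of sale/sharing in
// effect? `headers` uses lowercase names as Node's http module provides them.
// Returns { optedOut, reason } so the reason can be logged for audit.
function resolveOptOut(headers) {
  // GPC: the browser sends "Sec-GPC: 1" when the user enabled the signal.
  // The CCPA Regulations require treating it as a valid opt-out request,
  // and it takes precedence over any earlier consent stored in a cookie.
  if (headers['sec-gpc'] === '1') {
    return { optedOut: true, reason: 'gpc' };
  }
  const cookies = parseCookies(headers['cookie']);
  if (cookies[OPTOUT_COOKIE] === '1') {
    return { optedOut: true, reason: 'cookie' };
  }
  // A legacy "DNT: 1" header is not a recognized opt-out preference signal,
  // so it does not change the decision; its absence is not consent either.
  return { optedOut: false, reason: 'none' };
}

// Client-side gate: inject a third-party tag (analytics or ad pixel that
// sells/shares data) only when no opt-out is in effect. `nav` and `doc` are
// passed in so the function also runs outside a browser.
function loadAdTagIfPermitted(nav, doc, tagSrc) {
  const gpc = Boolean(nav) && nav.globalPrivacyControl === true;
  const cookieOptOut = parseCookies(doc.cookie)[OPTOUT_COOKIE] === '1';
  if (gpc || cookieOptOut) return false;
  const script = doc.createElement('script');
  script.src = tagSrc;
  script.async = true;
  doc.head.appendChild(script);
  return true;
}

// Persist an opt-out made through the "Do Not Sell or Share" link for one
// year; the cookie is not HttpOnly because the client gate must read it.
function recordOptOut(doc) {
  doc.cookie = `${OPTOUT_COOKIE}=1; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
}
```

Gating the tag is only half of the obligation: the same `optedOut` result has to reach any server-side integrations (ad partners, data onboarding) so the disclosure actually stops, and the decision and reason should be logged so the response to a future "Right to Know" request can show that the opt-out was honored.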
CCPA Noncompliance Consequences
Under the CPRA amendments, the 30-day cure period that the original CCPA guaranteed no longer applies; whether a business is given a chance to cure is now at the enforcement agency's discretion. A business that violates the CCPA faces administrative fines of up to $2,500 per violation and up to $7,500 per intentional violation or per violation involving the personal information of consumers under 16 (amounts subject to periodic inflation adjustment).
In addition, if a consumer's nonencrypted and nonredacted personal information is exposed in a data breach caused by your failure to implement and maintain reasonable security procedures, the consumer can bring a civil action for statutory damages of between $100 and $750 per consumer per incident, or actual damages if those are greater, and can also ask the court for injunctive or other relief to correct the situation or prevent further harm.
What is a best practice?
Implement a Consent Management Platform (CMP).
Why?
Using a CMP simplifies the way your business can meet its data-handling responsibilities. This tool offers you a straightforward way for users to manage their data preferences and for your business to record these preferences accurately. A CMP integrates seamlessly with your website, helping with compliant data sharing and staying current with ever evolving privacy regulations. By using a CMP your business can more effortlessly follow the legal requirements of the CCPA and can also cultivate trust with consumers.
How Can Clym Help You?
Clym helps businesses easily meet the requirements of the California Consumer Privacy Act (CCPA) by offering a tool that streamlines the management of consumers’ data privacy. Our platform makes it simple for businesses to notify consumers about what personal information is being collected and why, at the time of collection.
Furthermore, Clym aids in verifying the identity of people making requests about their personal information, helping businesses prevent fraud while respecting consumer rights. We provide businesses with a way to keep track of consumer requests and responses to these. This means your business can comply with the law without hassle, avoid fines, and you can build trust with your customers by showing them that you take data protection seriously.
You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.
CCPA Compliance Checklist - Downloadable Resource
Here is a CCPA compliance checklist to facilitate compliance for your business with the California Consumer Privacy Act:
CCPA Resources
- What Does 'Do Not Sell or Share My Personal Information' Mean in CCPA/CPRA?
- Email Marketing Under CCPA: Ensuring Privacy While Maximizing Impact
- What is the difference between the VCDPA and the CCPA?
- New California Bill on Web Accessibility Considered for Approval
- How to Respond to Consumer Requests - CCPA (CPRA)
- To Track or Not to Track: GPC and 'Do Not Track' Signals
- A Look at CCPA Regulations and Employment Related Data
- CCPA or CPRA? Understanding California's Data Privacy Landscape
FAQs about CCPA Compliance
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a stringent privacy law designed to protect the personal information of California residents. It applies to businesses that meet specific thresholds, such as annual gross revenues above $25 million (inflation-adjusted) or buying, selling or sharing the personal information of 100,000 or more consumers or households.
Who needs to comply with the CCPA?
Any business that meets one or more of the specified thresholds, including earning significant revenue, processing large amounts of personal data, or deriving income from selling Californians' personal information, must adhere to the CCPA.
What are the key consumer rights under the CCPA?
The CCPA provides California residents with the right to know about, access, correct and delete their personal information, the right to opt out of the sale or sharing of their personal information, the right to limit the use of their sensitive personal information, and the right to non-discrimination for exercising their CCPA rights.
What constitutes a 'sale' of personal information under the CCPA?
The CCPA defines a 'sale' broadly, including any exchange of personal data for monetary or other valuable consideration. This can refer to a variety of business activities beyond traditional sales.
What should be included in a CCPA-compliant privacy policy?
A compliant policy should detail the types of data collected, purposes of collection, sharing practices, consumer rights, and methods for submitting data access requests. It must be updated every twelve months.
How can businesses ensure they are not improperly selling personal information?
Businesses should understand the broad definition of 'sale' under the CCPA and review their data sharing practices, including those involving cookies and analytics tools, to ensure they align with the law.
What are the penalties for non-compliance with the CCPA?
Businesses can face administrative fines of up to $2,500 per violation and $7,500 per intentional violation or violation involving the personal information of consumers under 16. Additionally, consumers may seek statutory damages for data breaches caused by a failure to maintain reasonable security, which can significantly increase the financial risk for non-compliant entities.
What is a Consent Management Platform (CMP), and why is it recommended?
A CMP is a tool that helps businesses manage user consent for data collection and processing, facilitating compliance with privacy regulations such as the CCPA. A CMP provides a systematic way to capture and document user preferences.