A step-by-step practical guide for the California Consumer Protection Act (CCPA)
There are thousands of articles on the web that analyze in-depth the legalese and jargon of the California Consumer Protection Act of 2018. But as a business owner or data protection officer that handles the personal data of California residents, you just want to know exactly what you need to do to follow the rules, while avoiding the hefty fines and customer complaints.
The California attorney general’s office enforces CCPA violations that range from $2,500 PER EACH violation (non-intentional) or up to $7,500 per each intentional violation. This could mean per data field per person, and as we’ve seen with GDPR fines, these immense fines could be detrimental to your organization.
Not to mention, the California Privacy Rights and Enforcement Act of 2020 (CPRA), also referred to as the CCPA 2.0, has been passed and will enter enforcement starting January 2023. The CPRA borrows heavily from its predecessor, so if you are not yet CCPA compliant, now is a great time to start.
Let the following guide act as your roadmap to CCPA compliance.
By following this guide, your company will be able to meet the following obligations under CCPA:
- 1. Maintain a data inventory to track data processing history
- 2. Publish a compliant Privacy Policy, which needs to be updated at least every 12 months, including the consumers’ rights regarding their personal information
- 3. Notify a consumer before or at the point of data collection that the business wants permission to collect this data
- 4. Grant consumers their rights as they pertain to their personal data, including the right to access and delete their data, as well as opt-out of marketing
- 5. Create a Do Not Sell My Personal Information icon on your page if you sell personal information
The above six (6) obligations can be divided into different workstreams and addressed concurrently.
Related guide: GDPR Compliance
Related guide: GDPR vs. CCPA
Related guide: GDPR Fines
Step 1 - Is Your Company Impacted?
Step 1 will help you determine if your company is in scope for CCPA, and therefore must comply.
1.A. Who are Covered Businesses under CCPA?
The CCPA does not only affect California-based companies.
If your company collects the personal information of California residents and households AND the answer is “Yes” to ONE of the following three criteria, then you are in scope for the CCPA.
- Does your organization earn annual revenues exceeding $25 million?
- Does your organization buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices for commercial purposes? (50,000 in total; not just California consumers, households or devices)
- Does your organization derive 50 percent of annual revenues from selling consumers’ personal information?
If you answered “No” to every question above, then you are not a covered business under the CCPA.
1.B. Determine if you collect the personal information of California residents and households
This is broken into two parts: 1) what is personal information, and 2) what is considered a California resident and household.
1.B.1. First, what is considered personal information?
Simply put, if the data you collect can be used to identify an individual, household or device, then it’s personal data. If you have customers or employees, then you collect personal information. Most common examples of personal data include:
- Home address
- Names
- Passport and other official numbers
- Employment records
- Biometric information such as fingerprints
- Email and IP addresses
- See Step 2 for a more exhaustive list
1.B.1.1. Exemptions
Personal information that is publicly available information, meaning publicly available in federal, state, or local government records, is NOT in-scope for CCPA.
Additionally, certain financial information and medical information regulated by the Health Information Portability and Accountability Act (HIPAA) are exempt from the CCPA. Step 6 has the full list of CCPA exemptions.
So, does your organization collect personal information? If not, you are the lucky few where the CCPA does not apply to your business.
1.B.2. Next, does the personal information you collect belong to California residents?
If you conduct business in California, then it’s safe to assume that you have personal information of California residents, as either customers or suppliers.
The CCPA covers only those domiciled in California, meaning they ordinarily live in California. Even if a California resident leaves temporarily, they are still in scope wherever they go. For example, if a Californian travels to New York and they visit your site from New York (or anywhere), they’re in scope for the CCPA and your organization must handle their data responsibly.
It’s for that reason that most companies that conduct business in the USA, and satisfy the above requirements in (1A) above, widely choose to proactively comply with the CCPA.
Step 2 - What Personal Information Do You Collect?
Step 2 will walk you through how to identify the data in-scope, create a data inventory, and develop a record of all the personal data you process for attestation purposes.
2.A. Identify and catalog all instances of personal information that your company collects.
As we discuss in Step 4, your organization must be able to, at a minimum, tell California residents the categories of information you collect, disclose and sell.
Additionally, your organization must be able to give California residents access to the information you collect and honor deletion requests for information that is no longer needed, all within 45 days.
Therefore, your organization must be able to quickly locate the personal information across all your business systems and data repositories. To handle this complex task, many organizations have created a centralized data inventory for the sole purpose of CCPA compliance.
2.A.1. Create a data inventory.
A data inventory is a list of data inputs and outputs for each of your business systems and applications. For CCPA, the inventory will focus on identifying the in-scope personal data and ensuring that your data handling practices meet CCPA requirements.
A data inventory is also vital for your business because it will act as a record for the data you process, which is what the Attorney General will request from you in case of an incident.
The following steps will allow you to create a data inventory:
2.A.1.1. Identify in-scope systems and applications.
Use available resources like IT infrastructure diagrams, data flow diagrams, or network diagrams to create a list of systems and applications in your organization that handle personal information.
If your organization does not have detailed diagrams, you can start with the IT assets that are sure to collect personal information, like payment gateways, ecommerce and order management software, and HR software.
From there, track the data flows from these systems either through automated integrations or manual processes. Interview system and applications owners to determine possible system integrations, and interview users to see if data is transferred from these systems via manual processes (e.g., download and send).
2.A.1.2. Categorize data assets based on CCPA requirements.
Consult with your legal team on how to catalog and categorize the data assets of the affected teams. The categories of personal information and associated data fields as defined in the CCPA are as follows:
| Category | Data Fields (not exhaustive) |
| Identifiers | Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers |
| Customer records information | Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information |
| Characteristics of protected classifications under California or federal law | Race, religion, sexual orientation, gender identity, gender expression, age |
| Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies |
| Biometric information | Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data |
| Internet or other electronic network activity information | Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement |
| Geolocation data | |
| Audio, electronic, visual, thermal, olfactory, or similar information | Professional or employment-related information |
| Education information | Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act | Inferences | Preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, aptitudes |
2.A.1.3. Prioritize your systems and applications based on risk.
Focus first on the riskiest scenarios for CCPA compliance (i.e., where you are most likely to see regulatory and customer pressure first). For example, systems that process sensitive data categories like characteristics of protected classifications or biometric or geolocation data should be prioritized over systems that process low-risk identifiers like name or email.
2.B. Utilize Data Inventory and Mapping Technology.
If manually identifying and mapping personal information in your infrastructure is too daunting a task, there exists on the market several third-party software applications that automatically scan your business systems to identify instances of personal data. Popular examples include:
OneTrust — a comprehensive privacy management technology platform that helps organisations demonstrate accountability and compliance with global regulations like GDPR.
Big ID — capture and manage technical, business and security metadata across your entire data environment. Automatically catalog and map sensitive & personal data with deep data insight, incorporating active metadata and classification.
The end result for step 2 should be a functioning, centralized data inventory that can serve as a record for the data processing activities your business conducts.
Step 3 - Create a Privacy Policy
Step 3 will walk you through how to create a CCPA-compliant privacy policy, cookie policy and opt-out mechanism.
3.A. Create a Privacy Policy and Cookie Policy that satisfies the CCPA requirements.
Today, all businesses that collect, store, or process personal data must already have a published Privacy Policy. So, if your Privacy Policy is already in line with the GDPR, then these obligations will be largely familiar to you.
- Publish a Privacy Policy that complies with CCPA rules and is updated at least once every 12 months
- Notify a consumer before or at the point of data collection that the business wants permission to collect this data — This is commonly done through a cookie policy
3.A.1 Draft a Privacy Policy / Use a Privacy Policy Generator.
At a high level, your Privacy Policy must include:
- List of the rights that a customer has
- Disclosure
- Access
- Opt-out of sale and marketing
- Deletion (Right to be forgotten)
- The categories of personal data you collect
- How you process and collect this data
- Why you collect the data
- If you sell personal data, and how to opt-out of sale
- How they can contact you for rights or for further information
Since this is a practical guide, we will share the practical option. There are many websites that allow you to generate a privacy policy using solely your business contact information and the data you collect.
We recommend the following:
- https://www.termsfeed.com/blog/sample-ccpa-privacy-policy-template/
- https://app.privacypolicies.com/wizard/privacy-policy
- https://termly.io/products/privacy-policy-generator/
Once you have all the policy generated, send it to your legal team for review. Be sure that this policy accurately includes all the categories of data you collect, how you process and collect it, why, and if you sell it. Most of the time, your legal team will not have specific knowledge into your data processing activities so they will not be able to correct them.
3.A.2. Put a link to this Privacy Policy somewhere where customers can easily find it.
Most commonly, the Privacy Policy is placed in the following locations:
- Site footer
- Email footer
- At checkout
You must also place a link to the Privacy Policy, and any associated Terms of Service, in any and all places where your company collects personal information. Be it, newsletter email sign-ups, SMS opt-ins, and even in-person event registrations.
3.A.3. Create a cadence to update and notify your customers.
CCPA mandates that the Privacy Policy be updated at least once every 12 months. This must include an easy to read summary of what has changed. Most companies email all the users that they have stored, and include a section on the top of their privacy policy that details any recent changes.
Moreover, your Privacy Policy must also be updated upon any significant changes to the way that you process personal data. For example, if your company decides to start selling personal information in a way it has not before, you must update your Privacy Policy and inform your users and customers about the new processing activity via email or some other method.
3.B. Create a Cookie Policy and opt-out mechanism that satisfies CCPA requirements.
The CCPA requires businesses notify consumers before or at the point of data collection that the business wants permission to collect this data. (Notify, but not get consent, as the GDPR mandates) — In CCPA speak, this is known as the Right to Disclosure.
This CCPA requirement most specifically governs how companies can use cookies on their site. Cookie consent for the CCPA is based on an opt-out mechanism, instead of the GDPR opt-in mechanism. This means that websites can load cookies, but must notify the customer and provide them with an easy way of opting out at any time.
3.B.1. Document the Cookies placed on your site.
The first step is to gather information on all the cookies for each of your site pages, identify who owns them (whether internal or third party), and describe what the cookie does with personal information.
Depending on the size of your company and how many teams have access to your site code, this task could vary in complexity. Below is a step-by-step process of how you can gather all the necessary information regarding your company’s use of cookies.
- 1. Scan your company website for cookies to get an initial list. To scan, you can use online code scanners or browser-based tools like the Google chrome extension. (https://chrome.google.com/webstore/detail/cookies-scanner/mbpokgplnceehjoeifmlhkbfifjmbpee?hl=en)
- 2. Identify the Owner of the cookie, who sets the cookie, and whether its a first or third party
- 3. Confirm the purpose of each cookie
- 4. Confirm whether the cookie processes personal data, given the list in step 2. If no personal data is processed (e.g., anonymous browser data), the cookie is not in scope for CCPA
- 5. List each field of personal data that is processed, and if it is shared with a third party
- 6. Confirm if the cookie is a session or persistent cookie
- 7. Decide if the duration of persistent cookies are justifiable for the purpose
- 8. Determine if the cookie is necessary for site functionality (e.g., personal data required for sale or checkout) or if the cookie is not explicitly required, which would therefore require clear and comprehensive information and consent
Hopefully there is a defined list of users/teams that have access to your site code, like your security team or marketing team. Contact these teams to see if they have placed any cookies on your site and for what purpose, or if they allowed a third party to place cookies (common examples include Snapchat, Facebook, Pinterest, etc).
3.B.2. Draft a Cookie Policy / Use a Cookie Policy Generator
Once you have a full list of the cookies you collect and for what purpose, you can either include this information in your Privacy Policy, or draft a standalone Cookie Policy.
Either way, you must ensure that the cookie or privacy policy provides accurate and clear information about each cookie. You may already have a cookie policy, but for CCPA compliance your company’s Cookies Policy must:
- Disclose your use of cookies on your website and briefly explain cookies
- List and explain what types of cookies you or any third parties are using
- Inform users why you use cookies
- Explain how users can opt out of cookies
The above privacy policy generator sites also provide Cookie Policy Generator options, and be sure to search the web for “Cookie Policy Generator”. Below are our favorites:
- https://www.termsfeed.com/cookies-policy-generator/
- https://termly.io/products/tl/cookie-consent-manager/
3.B.3 Create an Opt-out Mechanism (Cookie Banner) on your Site
When a user lands on your site, you must notify them of the collection of cookies immediately. Common practice is to include a cookie banner — the pop-up that appears on most websites informing you of their collection of cookies.
For example, go to https://trustarc.com/ and look at the bottom of the screen.
Sample cookie banner language:
“This site uses cookies and related technologies for site operation, analytics, and third party advertising purposes as described in our Privacy and Data Processing Policy. You may choose to consent to our use of these technologies, reject non-essential technologies, or further manage your preferences. To opt-out of sharing with third parties information related to these technologies, select “Decline All” or submit a Do Not Sell My Personal Information request.”
The cookie banner should:
- Inform the site visitor what cookies are collected and for what purpose
- Include a link to the privacy policy and cookie policy
- Give a method to opt-out to all non-essential cookies
3.C. Automate with Cookie Consent Management Tools
If you don’t have the in-house capabilities to create an opt-out mechanism for cookies, consider purchasing online tools to automate your Cookie Consent Management. Companies like TrustArc and OneTrust provide plug-and-play software capabilities to manage cookies on your site.
Related guide: How to Understand the Privacy Practices of an Online Business Based on Their Privacy Policy
Step 4 - Consumer Rights Requests
Step 4 will walk you through what rights are granted to users under the CCPA, and how your organization is expected to fulfill the rights of the user.
4.A. Contact and Verification
First and foremost, your company must clearly provide contact information for customers to exercise their rights. Once you receive such a request, your company must verify their identity before proceeding.
4.A.1. Give users a method to exercise their rights.
Your company must provide both digital and non-digital methods for which customers can contact in order to exercise their rights. At a minimum, you must provide a toll-free number and a web address.
Common examples include a specific email inbox, phone number, mailing address, or self-service feature designed for rights requests specifically.
In Step 3.A.1., you’ll see that your Privacy Policy must have these contact methods clearly listed.
It’s also worth noting that you may use already established channels like call centers, online chat features, email inboxes and the like, but you will have to train your employees/AI chatbots to direct these customers through the proper channels to your data privacy team, or whoever handles consumer rights requests (CRRs).
4.A.1.1 Determine the people involved, who are the stakeholders involved in your process? Who will your customers instinctively contact when they want to exercise their rights? This should at least include system/data owners, call center personnel, and your data privacy team. Consider making a RACI chart.
4.A.1.2. Develop a concrete, step-by-step process that walks the stakeholders through the specific process for your company. The process should include:
- Receive the request
- Determine the type of request
- Verify the request (see 4.A.2.)
- Find impacted systems (through scan and/or data inventory)
- Involve applicable parties
- Execute rights (where legally permissible)
- Audit
- Draft response
- Deliver response
- Record Processing Activity (see 4.G.)
4.A.1.3. Automate & Templatize. You should seek to automate these workflows using whatever existing tools you have at your disposal. As mentioned, the rights requests must be fulfilled in 45 days, so any delays in the information chain make all the difference.
Additionally, create templates of your intake forms and responses for each of the below rights and their various scenarios.
Responses can be delivered either electronically or by mail.
4.A.2. Verify the request.
Before granting their rights to a customer, your company must do its due diligence to verify the identity of the requestor, in order to avoid identity theft and fraud. You can also use this process to verify that they are a resident of California.
4.A.2.1. For a request seeking access to specific pieces of personal information (see step 4.B.), the business must verify the consumer’s identity to a “reasonably high degree of certainty,” which may include matching at least three “reliable” data points in the same manner.
Depending on what information you collect, examples could include:
- Verify date of birth
- Verify email address or username (never password)
- Verify mailing address
- Verify last login date
- Verify last order (amount, type, size, etc.)
- MFA or SMS push notifications
- Selfies
And for liability purposes, your company should collect a “signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.”
4.A.2.2. For a data deletion request (see step 4.C.), the business must verify the consumer’s identity to a degree of certainty, based on the risk of harm to the user by its unauthorized deletion. For example, deletion of Employment or Order history is more sensitive and potentially harmful, than deletion of a very old shipping address.
Here is a great example of a self-service request and verification form:
4.A.2.3. Templated scenario
IF Verification is unsuccessful, provide the customer a notice that they are unverified and do not qualify for their request at this time.
IF Verification is successful, you may proceed to fulfilling their rights request.
4.A.3. Verification Solutions
There are a wide array of verification tools that produce variable verification types, like selfie verification or driver’s license verification software. Choosing the right one for your organization depends on the sensitivity of the personal data you collect, as well as the quantity of requests you receive as an organization.
4.B. Right to Access & Information
Under the CCPA, any California resident can exercise their Right to Access & Information, which means that they can request from your business the following:
- The categories of personal information you collect about them (see step 2)
- The sources from which that personal information was collected (e.g., online order histories, online surveys, marketing companies, tracking pixels, cookies, web beacons, or recruiters)
- The categories of personal information sold to third parties
- The categories of personal information disclosed for business purposes
- The categories of third parties to whom personal information was sold or disclosed (e.g., tailored advertising partners, affiliates, social media websites, service providers)
- The business or commercial purposes for which personal information was collected or sold (e.g., fraud prevention, marketing, improving customer experience)
- The “specific pieces” of personal information collected.
Your company must respond within 45 days from their request, with an additional 45 day extension period available when necessary, in the case of a large or complicated data request.
The CCPA also imposes a 12-month lookback from the time of the request, meaning that the user can ask for the above information only up to 12 months from the time of the request.
It also mandates that the user receive this information in a readily usable format that allows them to transmit the information to others without undue hindrance. Responses can be sent electronically or by mail.
4.C. Right to Deletion / Right to Be Forgotten
With some exceptions, the CCPA permits consumers to request that your business delete personal information collected about them on your systems, as well as the direct service providers with which you’ve shared the personal information.
Once you’ve received and verified a deletion request, notify your service providers immediately so that they have ample time to satisfy the request as well. Your company will still be held completely accountable for making sure that the service providers fulfill their obligations.
Your company must respond within 45 days from their request, with an additional 45 day extension period available when necessary, in the case of a large or complicated data request. Responses can be sent electronically or by mail.
4.C.1. Right to Deletion Exceptions
Deletion is not required if the business needs the personal information:
- To complete the transaction for which it was collected
- To comply with a legal obligation, such as a record retention requirement
- To protect against malicious, deceptive, fraudulent, or illegal activity
- To identify and repair errors that impair existing and intended functionality
Even if your company falls under one of these exceptions, there still exists the 45 day period to respond to the customer and explain why you are not able to fulfill their deletion request.
4.D. “Do Not Sell” on Landing Page
Under the CCPA, consumers are able to opt out of the “sale” of their personal information.
A “sale” is loosely defined as transferring personal data to a third party for any sort of financial compensation, beyond the original purpose of the data collection.
To exercise this right, businesses that sell personal information must provide a “Do Not Sell My Personal Information” button/link on the business’s homepage that guides the user to a web page where consumers can opt out of having their personal information sold to third parties.
It’s also best practice to include a link on your landing page or at the footer of your website.
Reference: Coca-Cola footer
4.D.1. Right to Opt-out for Minors
By default, your company should not sell consumers’ personal information when they are between 13-16 years old.
Still, your company must create a process to allow them to opt-in.
4.E. Right to Opt-Out of Marketing
Under the CCPA, consumers are able to opt out of the processing of their personal information for marketing purposes, either by the company or a third party.
4.F. Right to Non-discrimination
The CCPA prohibits businesses from discriminating against consumers for exercising their CCPA rights. Specifically, the business may not:
- Deny the customer access to goods or services, or provide differing levels of quality depending on opt-out/opt-in status
- Charge different prices, directly or indirectly through the use of discounts, benefits or penalties
- Suggest that the customer will receive a different price or quality by opting out
4.G. Maintain Records of Processing
Wherever feasible for your business, maintain a record of the entire process of the rights request.
Step 5 - 3rd Party Agreements
Analyze your third party agreements with those businesses that you share personal data, and determine if they addendums regarding CCPA.
5.A. Ensure your third party agreements are compliant
Businesses are allowed to share personal information with third parties and service providers for business purposes, as long as there are stipulations in the written contract that prohibit the third party service provider from selling the personal information themselves, or using the personal information for any purpose other than the specific purpose of performing the services specified in the contract.
So, if you haven’t already, reach out to your third parties and service providers to understand what they do with the information you share. If necessary, create addendums to your written contracts with explicit data usage requirements and retention policies. You may have to switch service providers that cannot comply with your business standards.
Step 6 - Exceptions
Understand if you are covered by any exceptions.
6.A. Employee Personal Information
Employee personal information is excluded from most of the CCPA’s requirements.
These include the rights and requirements that permit consumers to request:
- The deletion of their personal information
- The categories of personal information collected
- The sources from which personal information is collected
- The purpose for collecting or selling personal information
- The categories of third parties with whom the business shares their personal information.
This exclusion does not refer to all “employee” data regardless of context. Specifically, the exclusion applies to personal information collected by a business such that the person is acting as a job applicant, or an employee, owner, director, officer, medical staff member, or contractor of that business, and to the extent the personal information is processed within the context of the person’s role or former role.
Employees are still entitled to a privacy notice. Additionally, employees are entitled to commence a private right of action if affected by a data breach caused by negligence by the employer to maintain reasonable safeguards.
6.B. Health Information
The CCPA does not apply to medical information covered by the Confidentiality of Medical Information Act (CMIA) or protected health information under Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
Conclusion
The above guide has been a legalese-free, step-by-step guide for data privacy officers, business owners, and project managers to kick off their journey towards CCPA compliance. We hope you can use the above list to kick off the workstreams you need to understand what personal data you collect and process, so that you can better exercise the rights of your customers and better safeguard valuable data.
It’s important to keep in mind that presently, data privacy strategy is driven by regulations; however, some day that may not be the case. While compliance to regulations should be a bare-minimum strategy, consider that your customers hope to work with a business that they can trust. And trust starts and ends with privacy, so make sure that you are giving your customers the data privacy that they expect, not just what is mandated by law.
As always, be sure to check with your legal team that your strategies align with your company’s legal counseling.