A step-by-step practical guide for the California Consumer Protection Act (CCPA)
There are thousands of articles on the web that analyze in-depth the legalese and jargon of the California Consumer Protection Act of 2018. But as a business owner or data protection officer that handles the personal data of California residents, you just want to know exactly what you need to do to follow the rules, while avoiding the hefty fines and customer complaints.
The California attorney general’s office enforces CCPA violations, with penalties of $2,500 per unintentional violation and up to $7,500 per intentional violation. This could mean per data field per person, and as we’ve seen with GDPR fines, such sums could be detrimental to your organization.
Not to mention, the California Privacy Rights and Enforcement Act of 2020 (CPRA), also referred to as the CCPA 2.0, has been passed and will enter enforcement starting January 2023. The CPRA borrows heavily from its predecessor, so if you are not yet CCPA compliant, now is a great time to start.
Let the following guide act as your roadmap to CCPA compliance.
By following this guide, your company will be able to meet the following obligations under CCPA:
The above six (6) obligations can be divided into different workstreams and addressed concurrently.
Step 1 will help you determine if your company is in scope for CCPA, and therefore must comply.
The CCPA does not only affect California-based companies.
If your company collects the personal information of California residents and households AND the answer is “Yes” to ONE of the following three criteria, then you are in scope for the CCPA.
If you answered “No” to every question above, then you are not a covered business under the CCPA.
This is broken into two parts: 1) what is personal information, and 2) what is considered a California resident and household.
1.B.1. First, what is considered personal information?
Simply put, if the data you collect can be used to identify an individual, household or device, then it’s personal data. If you have customers or employees, then you collect personal information. Most common examples of personal data include:
1.B.1.1. Exemptions
Personal information that is publicly available information, meaning publicly available in federal, state, or local government records, is NOT in-scope for CCPA.
Additionally, certain financial information and medical information regulated by the Health Insurance Portability and Accountability Act (HIPAA) are exempt from the CCPA. Step 6 has the full list of CCPA exemptions.
So, does your organization collect personal information? If not, you are the lucky few where the CCPA does not apply to your business.
If you conduct business in California, then it’s safe to assume that you have personal information of California residents, as either customers or suppliers.
The CCPA covers only those domiciled in California, meaning they ordinarily live in California. Even if a California resident leaves temporarily, they are still in scope wherever they go. For example, if a Californian travels to New York and they visit your site from New York (or anywhere), they’re in scope for the CCPA and your organization must handle their data responsibly.
It’s for that reason that most companies that conduct business in the USA and satisfy the requirements in (1A) above choose to proactively comply with the CCPA.
Step 2 will walk you through how to identify the data in-scope, create a data inventory, and develop a record of all the personal data you process for attestation purposes.
As we discuss in Step 4, your organization must be able to, at a minimum, tell California residents the categories of information you collect, disclose and sell.
Additionally, your organization must be able to give California residents access to the information you collect and honor deletion requests for information that is no longer needed, all within 45 days.
Therefore, your organization must be able to quickly locate the personal information across all your business systems and data repositories. To handle this complex task, many organizations have created a centralized data inventory for the sole purpose of CCPA compliance.
A data inventory is a list of data inputs and outputs for each of your business systems and applications. For CCPA, the inventory will focus on identifying the in-scope personal data and ensuring that your data handling practices meet CCPA requirements.
A data inventory is also vital for your business because it will act as a record for the data you process, which is what the Attorney General will request from you in case of an incident.
The following steps will allow you to create a data inventory:
2.A.1.1. Identify in-scope systems and applications.
Use available resources like IT infrastructure diagrams, data flow diagrams, or network diagrams to create a list of systems and applications in your organization that handle personal information.
If your organization does not have detailed diagrams, you can start with the IT assets that are sure to collect personal information, like payment gateways, ecommerce and order management software, and HR software.
From there, track the data flows from these systems either through automated integrations or manual processes. Interview system and applications owners to determine possible system integrations, and interview users to see if data is transferred from these systems via manual processes (e.g., download and send).
2.A.1.2. Categorize data assets based on CCPA requirements.
Consult with your legal team on how to catalog and categorize the data assets of the affected teams. The categories of personal information and associated data fields as defined in the CCPA are as follows:
| Category | Data Fields (not exhaustive) |
| --- | --- |
| Identifiers | Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers |
| Customer records information | Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information |
| Characteristics of protected classifications under California or federal law | Race, religion, sexual orientation, gender identity, gender expression, age |
| Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies |
| Biometric information | Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data |
| Internet or other electronic network activity information | Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement |
| Geolocation data | |
| Audio, electronic, visual, thermal, olfactory, or similar information | |
| Professional or employment-related information | |
| Education information | Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act |
| Inferences | Preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, aptitudes |
2.A.1.3. Prioritize your systems and applications based on risk.
Focus first on the riskiest scenarios for CCPA compliance (i.e., where you are most likely to see regulatory and customer pressure first). For example, systems that process sensitive data categories like characteristics of protected classifications or biometric or geolocation data should be prioritized over systems that process low-risk identifiers like name or email.
If manually identifying and mapping personal information in your infrastructure is too daunting a task, there exist on the market several third-party software applications that automatically scan your business systems to identify instances of personal data. Popular examples include:
OneTrust — a comprehensive privacy management technology platform that helps organisations demonstrate accountability and compliance with global regulations like GDPR.
Big ID — capture and manage technical, business and security metadata across your entire data environment. Automatically catalog and map sensitive & personal data with deep data insight, incorporating active metadata and classification.
The end result for step 2 should be a functioning, centralized data inventory that can serve as a record for the data processing activities your business conducts.
Step 3 will walk you through how to create a CCPA-compliant privacy policy, cookie policy and opt-out mechanism.
Today, all businesses that collect, store, or process personal data must already have a published Privacy Policy. So, if your Privacy Policy is already in line with the GDPR, then these obligations will be largely familiar to you.
At a high level, your Privacy Policy must include:
Since this is a practical guide, we will share the practical option. There are many websites that allow you to generate a privacy policy using solely your business contact information and the data you collect.
We recommend the following:
Once you have the policy generated, send it to your legal team for review. Be sure that this policy accurately includes all the categories of data you collect, how you collect and process it, why, and whether you sell it. Most of the time, your legal team will not have specific knowledge of your data processing activities, so they will not be able to correct these details for you.
Most commonly, the Privacy Policy is placed in the following locations:
You must also place a link to the Privacy Policy, and any associated Terms of Service, in any and all places where your company collects personal information. This includes newsletter email sign-ups, SMS opt-ins, and even in-person event registrations.
CCPA mandates that the Privacy Policy be updated at least once every 12 months. This update must include an easy-to-read summary of what has changed. Most companies email all the users they have stored and include a section at the top of their privacy policy that details any recent changes.
Moreover, your Privacy Policy must also be updated upon any significant changes to the way that you process personal data. For example, if your company decides to start selling personal information in a way it has not before, you must update your Privacy Policy and inform your users and customers about the new processing activity via email or some other method.
The CCPA requires businesses to notify consumers, before or at the point of data collection, that the business intends to collect this data. The obligation is to notify, not to obtain consent as the GDPR mandates. In CCPA speak, this is known as the Right to Disclosure.
This CCPA requirement most specifically governs how companies can use cookies on their site. Cookie consent for the CCPA is based on an opt-out mechanism, instead of the GDPR opt-in mechanism. This means that websites can load cookies, but must notify the customer and provide them with an easy way of opting out at any time.
The first step is to gather information on all the cookies for each of your site pages, identify who owns them (whether internal or third party), and describe what the cookie does with personal information.
Depending on the size of your company and how many teams have access to your site code, this task could vary in complexity. Below is a step-by-step process of how you can gather all the necessary information regarding your company’s use of cookies.
Hopefully there is a defined list of users/teams that have access to your site code, like your security team or marketing team. Contact these teams to see if they have placed any cookies on your site and for what purpose, or if they allowed a third party to place cookies (common examples include Snapchat, Facebook, Pinterest, etc).
Once you have a full list of the cookies you collect and for what purpose, you can either include this information in your Privacy Policy, or draft a standalone Cookie Policy.
Either way, you must ensure that the cookie or privacy policy provides accurate and clear information about each cookie. You may already have a cookie policy, but for CCPA compliance your company’s Cookies Policy must:
The above privacy policy generator sites also offer Cookie Policy Generator options, and you can also search the web for “Cookie Policy Generator”. Below are our favorites:
When a user lands on your site, you must notify them of the collection of cookies immediately. Common practice is to include a cookie banner, the pop-up that appears on most websites informing you of their collection of cookies.
For example, go to https://trustarc.com/ and look at the bottom of the screen.
Sample cookie banner language:
“This site uses cookies and related technologies for site operation, analytics, and third party advertising purposes as described in our Privacy and Data Processing Policy. You may choose to consent to our use of these technologies, reject non-essential technologies, or further manage your preferences. To opt-out of sharing with third parties information related to these technologies, select “Decline All” or submit a Do Not Sell My Personal Information request.”
The cookie banner should:
If you don’t have the in-house capabilities to create an opt-out mechanism for cookies, consider purchasing online tools to automate your Cookie Consent Management. Companies like TrustArc and OneTrust provide plug-and-play software capabilities to manage cookies on your site.
Step 4 will walk you through what rights are granted to users under the CCPA, and how your organization is expected to fulfill the rights of the user.
First and foremost, your company must clearly provide contact information for customers to exercise their rights. Once you receive such a request, your company must verify their identity before proceeding.
Your company must provide both digital and non-digital methods that customers can use to contact you in order to exercise their rights. At a minimum, you must provide a toll-free number and a web address.
Common examples include a specific email inbox, phone number, mailing address, or self-service feature designed for rights requests specifically.
In Step 3.A.1., you’ll see that your Privacy Policy must have these contact methods clearly listed.
It’s also worth noting that you may use already established channels like call centers, online chat features, email inboxes and the like, but you will have to train your employees/AI chatbots to direct these customers through the proper channels to your data privacy team, or whoever handles consumer rights requests (CRRs).
4.A.1.1. Determine the people involved. Who are the stakeholders in your process? Who will your customers instinctively contact when they want to exercise their rights? This should at least include system/data owners, call center personnel, and your data privacy team. Consider making a RACI chart.
4.A.1.2. Develop a concrete, step-by-step process that walks the stakeholders through the specific process for your company. The process should include:
4.A.1.3. Automate & Templatize. You should seek to automate these workflows using whatever existing tools you have at your disposal. As mentioned, the rights requests must be fulfilled in 45 days, so any delays in the information chain make all the difference.
Additionally, create templates of your intake forms and responses for each of the below rights and their various scenarios.
Responses can be delivered either electronically or by mail.
Before granting their rights to a customer, your company must do its due diligence to verify the identity of the requestor, in order to avoid identity theft and fraud. You can also use this process to verify that they are a resident of California.
4.A.2.1. For a request seeking access to specific pieces of personal information (see step 4.B.), the business must verify the consumer’s identity to a “reasonably high degree of certainty,” which may include matching at least three “reliable” data points in the same manner.
Depending on what information you collect, examples could include:
And for liability purposes, your company should collect a “signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.”
4.A.2.2. For a data deletion request (see step 4.C.), the business must verify the consumer’s identity to a degree of certainty proportional to the risk of harm to the user from an unauthorized deletion. For example, deletion of employment or order history is more sensitive and potentially harmful than deletion of a very old shipping address.
Here is a great example of a self-service request and verification form:
4.A.2.3. Templated scenario
IF Verification is unsuccessful, provide the customer a notice that they are unverified and do not qualify for their request at this time.
IF Verification is successful, you may proceed to fulfilling their rights request.
There are a wide array of verification tools that produce variable verification types, like selfie verification or driver’s license verification software. Choosing the right one for your organization depends on the sensitivity of the personal data you collect, as well as the quantity of requests you receive as an organization.
Under the CCPA, any California resident can exercise their Right to Access & Information, which means that they can request from your business the following:
Your company must respond within 45 days from their request, with an additional 45 day extension period available when necessary, in the case of a large or complicated data request.
The CCPA also imposes a 12-month lookback from the time of the request, meaning that the user can ask for the above information only for the 12 months preceding the request.
It also mandates that the user receive this information in a readily usable format that allows them to transmit the information to others without undue hindrance. Responses can be sent electronically or by mail.
With some exceptions, the CCPA permits consumers to request that your business delete personal information collected about them on your systems, as well as the direct service providers with which you’ve shared the personal information.
Once you’ve received and verified a deletion request, notify your service providers immediately so that they have ample time to satisfy the request as well. Your company will still be held completely accountable for making sure that the service providers fulfill their obligations.
Your company must respond within 45 days from their request, with an additional 45 day extension period available when necessary, in the case of a large or complicated data request. Responses can be sent electronically or by mail.
Deletion is not required if the business needs the personal information:
Even if your company falls under one of these exceptions, there still exists the 45 day period to respond to the customer and explain why you are not able to fulfill their deletion request.
Under the CCPA, consumers are able to opt out of the “sale” of their personal information.
A “sale” is loosely defined as transferring personal data to a third party for any sort of financial compensation, beyond the original purpose of the data collection.
To exercise this right, businesses that sell personal information must provide a “Do Not Sell My Personal Information” button/link on the business’s homepage that guides the user to a web page where consumers can opt out of having their personal information sold to third parties.
It’s also best practice to include a link on your landing page or at the footer of your website.
Reference: Coca-Cola footer
By default, your company should not sell consumers’ personal information when they are between 13-16 years old.
Still, your company must create a process to allow them to opt in.
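The following is an added example, not code from the original guide or from any vendor it names: a small browser-side consent model that ties together the Step 3 cookie opt-out mechanism and the Step 4 “Do Not Sell” rules, including the default of no sale for consumers aged 13-16 unless they opt in. The cookie inventory, category names and the `ccpa_do_not_sell` storage key are constructed assumptions; in a browser, `document.cookie` would be passed where a cookie string is expected.

```javascript
// Added example (not from the original guide): CCPA-style opt-out consent logic.
// Cookie names, categories and the storage key below are constructed assumptions.

const OPTOUT_KEY = "ccpa_do_not_sell"; // hypothetical cookie that records the choice

// Constructed sample inventory, the kind produced when cataloguing cookies in Step 3.
const COOKIE_INVENTORY = [
  { name: "session_id", owner: "internal",    category: "essential",   sharesWithThirdParty: false },
  { name: "_ga",        owner: "third-party", category: "analytics",   sharesWithThirdParty: true },
  { name: "_fbp",       owner: "third-party", category: "advertising", sharesWithThirdParty: true },
];

// Parse a Cookie header / document.cookie string into a plain name->value object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// CCPA is opt-out: with no recorded choice the banner must be shown, but
// non-essential cookies may load. A value of "1" records a Decline All /
// Do Not Sell choice; "0" records that the user dismissed the banner without opting out.
function consentState(cookieString) {
  const jar = parseCookies(cookieString);
  if (!(OPTOUT_KEY in jar)) return { recorded: false, optedOut: false, showBanner: true };
  return { recorded: true, optedOut: jar[OPTOUT_KEY] === "1", showBanner: false };
}

// Consumers known to be 13-16 may not have data sold unless they opted in;
// everyone else may be sold-to unless they opted out. Unknown age is null.
function saleAllowed(state, { age = null, minorOptedIn = false } = {}) {
  if (age !== null && age >= 13 && age <= 16) return minorOptedIn;
  return !state.optedOut;
}

// Whether a cookie from the inventory may be set or loaded under the current state.
function mayLoad(cookie, state, consumer = {}) {
  if (cookie.category === "essential") return true;   // always permitted
  if (state.optedOut) return false;                    // Decline All blocks non-essential
  if (cookie.sharesWithThirdParty) return saleAllowed(state, consumer);
  return true;
}

// Set-Cookie value that records the choice for one year; Secure + SameSite=Lax so the
// preference itself is not leaked cross-site or over plain HTTP.
function recordChoice(optedOut) {
  return `${OPTOUT_KEY}=${optedOut ? "1" : "0"}; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
}

// After an opt-out, expire every already-set cookie that is no longer permitted.
function expireHeaders(inventory, state, consumer = {}) {
  return inventory
    .filter((c) => !mayLoad(c, state, consumer))
    .map((c) => `${c.name}=; Max-Age=0; Path=/`);
}
```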
Under the CCPA, consumers are able to opt out of the processing of their personal information for marketing purposes, either by the company or a third party.
The CCPA prohibits businesses from discriminating against consumers for exercising their CCPA rights. Specifically, the business may not:
Wherever feasible for your business, maintain a record of the entire process of the rights request.
Analyze your third-party agreements with the businesses with which you share personal data, and determine whether they need addendums addressing the CCPA.
Businesses are allowed to share personal information with third parties and service providers for business purposes, as long as there are stipulations in the written contract that prohibit the third party service provider from selling the personal information themselves, or using the personal information for any purpose other than the specific purpose of performing the services specified in the contract.
So, if you haven’t already, reach out to your third parties and service providers to understand what they do with the information you share. If necessary, create addendums to your written contracts with explicit data usage requirements and retention policies. You may have to switch service providers that cannot comply with your business standards.
Understand if you are covered by any exceptions.
Employee personal information is excluded from most of the CCPA’s requirements.
These include the rights and requirements that permit consumers to request:
This exclusion does not cover all “employee” data regardless of context. Specifically, the exclusion applies to personal information collected by a business in a context where the person is acting as a job applicant, or as an employee, owner, director, officer, medical staff member, or contractor of that business, and only to the extent the personal information is processed within the context of the person’s role or former role.
Employees are still entitled to a privacy notice. Additionally, employees are entitled to commence a private right of action if affected by a data breach caused by negligence by the employer to maintain reasonable safeguards.
The CCPA does not apply to medical information covered by the Confidentiality of Medical Information Act (CMIA) or protected health information under Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
The above guide has been a legalese-free, step-by-step guide for data privacy officers, business owners, and project managers to kick off their journey towards CCPA compliance. We hope you can use the above list to kick off the workstreams you need to understand what personal data you collect and process, so that you can better exercise the rights of your customers and better safeguard valuable data.
It’s important to keep in mind that presently, data privacy strategy is driven by regulations; however, some day that may not be the case. While compliance to regulations should be a bare-minimum strategy, consider that your customers hope to work with a business that they can trust. And trust starts and ends with privacy, so make sure that you are giving your customers the data privacy that they expect, not just what is mandated by law.
As always, be sure to check with your legal team that your strategies align with your company’s legal counseling.