California Consumer Privacy Act (CCPA): Understanding and Navigating the New Era of Data Protection in the U.S.

Unravelling the complexities of CCPA – A comprehensive guide to ensure your business’s compliance and understand its profound implications.

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California. Enacted in 2018 and effective from January 1, 2020, the CCPA represents a significant step in data privacy law in the United States.
The CCPA provides California residents with specific rights over their personal information, allowing them to know what personal data is being collected about them, whether it is sold or disclosed and to whom, and to say no to the sale of personal data.

Who Does the CCPA Apply To?

The CCPA applies to businesses that operate in California, collect personal information of consumers, and meet at least one of the following criteria:
It’s important to note that these businesses need not be physically located in California. If they collect personal data from California residents, they are subject to the regulations of the CCPA.

Rules for Obtaining Consent and Processing Data

Under the CCPA, businesses must provide notice to consumers at or before the point of data collection. This notice should be easy to understand and accessible, providing consumers with a clear understanding of the categories of information to be collected and for what purpose it will be used.
Furthermore, businesses must create a clear and conspicuous link on their website, labelled ‘Do Not Sell My Personal Information,’ allowing consumers to opt out of the sale of their personal data. When it comes to minors under 16, businesses must obtain explicit opt-in consent.

Fines for Non-Compliance

Non-compliance with the CCPA can result in civil penalties. For intentional violations, businesses can be fined up to $7,500 per violation, and for unintentional violations, the fine is up to $2,500 per violation. These fines can quickly add up considering each affected user may count as a separate violation.
Additionally, the CCPA allows individuals to seek statutory or actual damages in the event of a data breach, with statutory damages ranging from $100 to $750 per incident or actual damages, whichever is greater.

What Does the CCPA Cover?

The CCPA applies to a broad range of personal information, including but not limited to:
The CCPA also covers cookies. Businesses must inform consumers about the use of cookies and obtain their consent.

The CCPA and the Use of Cookies

Under the California Consumer Privacy Act (CCPA), cookies are considered personal information. Businesses must inform consumers about the use of cookies and obtain their consent.

What are Cookies and how are they considered under CCPA?

Cookies are small files that websites store on your computer or device. They can contain various types of information, including personal data such as your browsing history or preferences. Under the CCPA, this information is considered personal because it can be used to identify, describe, or be directly or indirectly linked with a particular consumer or household.

Informing Consumers about the Use of Cookies

Businesses must disclose their use of cookies to consumers. This information is usually presented in a clear and accessible way, often through a cookie banner or notice that appears when a user first visits a website. This notice should explain what cookies are, how they are used, and why they are used.

Obtaining Consent for the Use of Cookies

Under the CCPA, businesses must obtain consumer consent before using cookies. This is typically done through an opt-in mechanism on the cookie notice or banner. The consumer must actively agree to the use of cookies, typically by clicking a button or checkbox that indicates their consent. It’s important to note that under the CCPA, silence or inactivity cannot be interpreted as consent.

Opting out and Accessing Cookie Information

The CCPA gives consumers the right to opt out of the sale of their personal information, including information collected through cookies. Businesses should provide an easy way for consumers to exercise this right, such as a “Do Not Sell My Personal Information” link on their website.
In addition, the CCPA provides consumers with the right to know what personal information a business collects about them, including through cookies. Businesses should provide a way for consumers to request this information and must respond to these requests within 45 days.
By adhering to these requirements, businesses can ensure that they comply with the CCPA’s provisions regarding the use of cookies.

How to Comply with the CCPA?

Businesses can take several steps to ensure compliance with the CCPA:
1. Understand your data: Know what personal information you collect, why you collect it, how you store it, who you share it with, and how long you retain it.

2. Update privacy policies and procedures: Make sure your privacy policies are.

Here’s the guide on how to make your website CCPA compliant:

1. Understand what CCPA and CPRA are and who they apply to: CCPA stands for California Consumer Privacy Act and refers to a data protection law that standardizes the rights of California consumers. As of January 1, 2023, the CCPA has been amended to include the CPRA (California Privacy Rights Act). If you run a profit-oriented business that collects, processes, or sells data from California citizens, you may be required to comply with the CCPA if you meet some additional criteria.

2. Know what data is affected: The CCPA defines which personal data, or personally identifiable information (PII), is and is not affected. The information includes name, address, email address, social security number, biometric information, job data, educational information, and browsing history. It does not cover publicly available information, like that found in government documents or newspaper articles, and personal health information, which is regulated separately under the Health Insurance Portability and Accountability Act (HIPAA).

3. Right to know: Californian consumers have the right to have companies disclose exactly what personal information is collected. A request in this regard may be made by consumers up to twice a year. Additionally, an individual must be notified of these intentions at or before the point of data collection. To inform your consumers about your data processing activities, you can use a pop-up window or banner that appears when a page is first accessed. Tell your customers that you collect data and for what purpose, and include links to additional information about your CCPA practices.

4. Right of access in CCPA: Section 1798.130 of the CCPA requires you to provide consumers with two or more methods to contact you to make requests such as disclosures of personal information. Here, you must provide a toll-free telephone number and your website address. If a request is raised, you only have 45 days to comply. To make it as easy as possible for consumers to exercise their CCPA rights, you should place your contact information prominently on your website.

5. Keep your privacy policy up to date: To fully comply with CCPA, you need a privacy policy that complies with current CCPA/CPRA rules and is updated at least every 12 months. The privacy policy should explain that data is collected and why. Furthermore, the CCPA privacy policy must state how consumers can deny access to their personal data for specific purposes. Do not forget to mention that you do not discriminate against consumers who withdraw your right to store their data.

6. Opt-out of data sales and marketing: Under the CCPA, consent does not have to be obtained for data processing – but consumers must be able to opt out of the sale of personal data to third parties at any time. The opt-out option must include a separate page in your online presence with the mandatory heading, “Do not sell my personal information.” Create the mandatory opt-out page and preferably link to it in your footer as well as your privacy policy.

7. Right to delete/be forgotten: Californian consumers have the right to have their data that has been collected by the company deleted, and therefore to “be forgotten.” In certain cases, you do not have to comply with this obligation to delete, namely if your company needs to keep maintaining the requested data to detect security incidents, comply with legal obligations, or the like, as described in Section 1798.105. Make sure your IT team knows exactly where personal data is stored and how to delete it in a CCPA-compliant manner.