Knowledge - 09 December 2021 | By TermsHub
Updated at: 10 December 2021
California Consumer Privacy Act (CCPA) Compliance Guide
Everything You Need to Know
What is CCPA?
CCPA stands for the California Consumer Privacy Act. It controls the way businesses handle the personal information of California residents. It is a California state law, but it applies to any company anywhere in the world that handles the personal information of California residents.
As you continue reading this article, however, you will see that some businesses may not be fully subject to this law. These businesses need certain pieces of personal information to serve their customers and to comply with other legal obligations.
– Why is CCPA important?
The CCPA is important because it protects your data and privacy. Because of it, you have control over how your personal data is used. Unfortunately, many companies have taken advantage of the fact that consumers are not aware of their rights. So personal data is sold left and right and exposed in data breaches.
How would you feel about your credit card information being exposed to various kinds of entities? You would not be happy about it. Whatever protection a business promises, even a "super-secure firewall", how it uses your data should be clear to you.
If you live in California, you can be sure that you have a right over your personal information. Nobody can simply make use of it without your express permission, even if they are providing you with a particular service.
– What is considered personal information under CCPA?
According to the CCPA, personal information is information that is associated with, or can be traced back to, you or your household. For example, your name, social security number, the email address you use for important transactions, fingerprints, and even your Internet browsing history fall under this category. Your geolocation can also reveal a great deal about you.
Why is there such a strong need to protect personal data? Any piece of data about you can be used to steal your money or your identity. At the very least, exposure leaves you vulnerable to further misuse.
On the other hand, public information refers to anything readily available in the public domain.
– What rights do you have under the CCPA?
You have rights under the CCPA if you are a California resident. So, you can ask businesses what bits of personal data they have on you and what they do with it. You can even tell them to delete your personal information. More importantly, you can ask them not to sell your data.
In short, the CCPA allows you to have rights over how your personal information is being used.
Even if you make those requests, these businesses cannot discriminate against you. After all, you are merely exercising your rights under the CCPA. Do not be afraid of contract provisions that say you should waive these rights. Such a contract cannot be enforced.
A California resident is a person who lives in the state, including someone who is temporarily outside of it. The term does not include business entities or corporations.
– What is a business under CCPA?
To apply the CCPA correctly, you should know what counts as a business.
The CCPA applies to for-profit businesses that meet at least one of the following thresholds: the business transacts (buys, receives, or sells) 50,000 or more instances of personal information; it has gross annual revenue of more than $25 million; or it derives half or more of its annual revenue from selling the personal information of California residents.
If a company fits one or more of these definitions, it is considered a business. Some entities in this category may still be allowed to collect certain pieces of information from you and share them elsewhere; check this with the business.
Data brokers still fall under the CCPA even if their companies deal with all types of information.
– Does the CCPA apply to your business?
If your business falls under one of the definitions in the section above, yes, the CCPA applies to your business. If your organization is a non-profit, on the other hand, it is not technically a business, at least not for the purposes of the CCPA.
– What happens if you fail to comply?
What if you are a business and you disregard some of the provisions of the law? Consumers cannot sue you directly for those violations. If there is a data breach, however, they can.
A breach indicates that your company did not maintain proper security procedures. Your clients' data should always be protected, because other entities can use it for their own gain.
When there is a breach, your clients can sue you for the monetary damages they have suffered. Another possibility is being sued for statutory damages: the client lists your violations, and you will have to pay a maximum of $750 for each incident.
You need to show evidence that you are trying to fix the situation.
“Do not sell my personal information.”
When a client says this, they are trying to opt out. If there is no reason to keep and sell their information, a business should listen to this request. If it is not possible, the company should explain why the data is being sold.
– What is the right to opt-out?
One of your CCPA rights is the right to opt-out. It means that you can tell businesses to stop selling your personal information. Once you have sent your request, these businesses cannot sell your data. They may have to wait for at least a year before they can ask you to opt back in. Find out if a business that you are transacting with is a possible exception to the rule.
– How do I submit my opt-out request?
How do you opt out? The good news is that businesses are supposed to post a "Do not sell my personal information" link on their website. Click the link to request an opt-out. If a business does not have such a link, you have the right to ask why.
If there is no opt-out link, you may use other methods the business provides. Again, you may ask the company which options are available.
Suppose you have submitted your opt-out request and the business then asks you for more information. You may worry that you are giving more than you should. However, the business may need that data simply to verify your request.
Can your request be denied? Unfortunately, yes, there is a chance. The business may not opt you out if the information is required to meet legal obligations. Some information is also exempt: credit and medical information, for example, fall outside the CCPA.
Some information is simply needed to keep people safe and to follow proper legal practices. If you are not sure why your request was denied, you have the right to ask. You may still be rejected, but at least you will know the cause.
The right to know
– What is the right to know?
You have the right to know what personal information the business has collected and used, or even shared or sold, about you. Moreover, you have the right to know why your data was collected and used.
The business must tell you the specific information collected and the category it belongs to. You also have the right to know who or what has gained access to your data. The company should share this information with you for the whole 12 months before your request, and it should not charge you for the request. Finally, you have the right to know what is being done with your personal information, down to every detail.
– How do I submit my request for information?
Again, businesses should designate ways for you to submit your request for information. For example, they should give you an email address to send the request to or a website form to fill in. Even a hard-copy form shows that you are dealing with a business willing to help you control your personal information.
A business willing to comply with the CCPA should provide a toll-free phone number and a website where customers can easily make requests or send queries. At the very least, an email address should be designated for receiving such requests.
If you cannot find a designated method, you may also send the business a formal letter stating that you wish to submit a request, that you could not find a designated method, and that you need one.
The right to request deletion
– What is the right to request deletion?
The CCPA gives you the right to request deletion: you can ask the business to delete the personal information it has collected from you. The business may also have to pass the request on to its service providers.
Just as with the opt-out above, your request may not always be granted. Some businesses may keep pertinent information that is required for safety and fairness. If your request is rejected, you may want to discuss the reason with the company.
– How do I submit my request for deletion of information?
Again, as with the opt-out, businesses must provide designated methods for submitting deletion requests.
Businesses should have the CCPA in mind when making provisions on their website. Some methods that they should include would be a toll-free number, a specific email address, and forms (digital and hard copy). They do not have to provide you with all of the above, but they should have at least one active means of receiving requests.
Take note that these businesses cannot require you to open an account with them. They may, however, ask you to submit your request through an existing account you have with them. Be careful when filing a deletion request: you may end up typing it into a general customer service form, where it might get buried with the rest of the queries. Read carefully to make sure you have reached the proper form.
It is also possible that the business's designated method is not working at all, perhaps because nobody has used it. If you hear nothing, write to the company to find out what happened and whether your request went through.
Right to non-discrimination
– What is the right to non-discrimination?
One of the rights you get from the CCPA is the right to non-discrimination. It means that businesses cannot deny you goods or services because you exercise your rights. For example, they cannot charge you a higher price or give you lower-quality goods because you have requested to opt out or asked for your personal information to be deleted.
This provision ensures that you can safely let the law protect your rights without suffering repercussions.
There are limits, however. The CCPA does not allow you to skip necessary security checks. You still have to submit the information pertinent to the service you want. For example, you may have to show proof of your credit and accounts when applying for a loan. There is no way around that.
Moreover, businesses can sometimes improve their services when they know their demographics well. It is why they are constantly sending out surveys to find out what people want. They need some personal information at times to help them serve you better.
So, they may sometimes offer discounts and promotions to clients who are willing to provide their information. The small print may also reveal that you allow them to collect, keep, or sell your personal information. It does not make sense to complain if you were fully aware and took full advantage of the promotions. You know what you were getting yourself into, and you are aware of why your personal information was collected and used.
– What is a notice at collection?
The CCPA requires businesses to provide a notice at collection. It means that they must reveal what information will be collected and what it will be used for.
The notice at collection must show the various categories of data the business collects from consumers, so you know what you are handing over from the very start. Ask these questions when you first create an account with the company.
The CCPA also requires each company to reveal its privacy policy to its clients. This policy should describe the rights the CCPA provides:
- The right to know
- The right to delete
- The right to opt-out
- The right to non-discrimination
Consumers should be aware of how a particular company makes use of its data. They should be able to feel safe when transacting with the business. Consumers should know when and if their data is being used. This way, they know if their rights are being upheld.
Nowadays, you may have heard about companies getting into hot water because they are not using their clients' information responsibly. Sooner or later, these companies' problems come to the forefront. A company that handles its clients' data properly should not be afraid to reveal how it uses that data.
CCPA vs. GDPR
The Internet has become a place where a great deal of information is exchanged, and you may have been guilty of revealing more about yourself than you intended.
So it is a good thing that the CCPA has been implemented. You may also want to know more about the GDPR.
The GDPR stands for the General Data Protection Regulation. It was implemented on May 25, 2018, and the CCPA followed not long after. The GDPR aims to protect personal information. The CCPA may seem strict to some businesses, but the GDPR is even more stringent. So, if you want to follow both laws, leaning towards the GDPR should not leave you with any problems.
The GDPR protects the personal information of all European Union citizens. Because of this, many companies around the world have had to change or begin using privacy policies. Since EU citizens account for about 16% of US exports, many businesses are affected by the GDPR.
What are the differences between the CCPA and the GDPR?
- The most apparent difference would be that the CCPA protects California residents while the GDPR protects EU residents.
- The GDPR has broader coverage, involving all types of personal data. It does not matter how the data was processed or what it is for; the only exception is data processed by an individual for purely personal purposes.
The GDPR is stricter because it requires businesses to ask for explicit consent when opting in. Meanwhile, the CCPA only requires companies to let clients opt out if their information will be sold or shared. The CCPA also allows businesses to collect public data, medical information, and other data required to process some services efficiently.
A business that deals with both EU and California clients may have to follow the stricter GDPR. It should also check the precise scope of each law.
- Processing may be defined slightly differently between the two sets of privacy laws.
According to the GDPR, processing means applying any kind of action to someone's information. Collecting and storing data fall under this description; sharing and selling information are simply more severe forms of processing.
The CCPA is more lenient in that it divides the handling of data into three distinct parts: collecting, processing, and selling.
Collecting means merely gathering data and storing it; nothing has been done with the data yet. Processing applies some kind of action to the data. Selling is the direct sale of clients' data to a third party.
Businesses should therefore be careful with any kind of processing they want to apply to data. Again, using the GDPR definition is safer.
- Both the GDPR and the CCPA require a certain degree of transparency in managing private data. Clients must be informed of the data sharing processes, the purpose of processing and sharing, and how they can reach the data protection officers.
It is about informing clients of their rights over their data and how the company is honouring them.
Under the CCPA, companies must inform their clients when and for how long their information was collected within the past year. Third parties must also advise clients when they decide that the data needs to be sold.
Under the GDPR, the clients are informed every time their data is collected and shared. In addition, the companies involved should tell them about the duration in which the data can remain in their current system. Because the GDPR is more thorough, every move should be recorded and reported. It also requires companies to reveal the reason behind the profiling processes.
Moreover, companies must inform clients about any processes that their data has undergone within a month. They should also reveal which third parties have accessed the data.
- A business that goes against the rules will have penalties waiting for it.
Under the GDPR, non-compliance can cost a business as much as $24 million US dollars, the equivalent of 20 million Euros, or 4% of the company's annual revenue, whichever amount is higher.
The amount is assessed against the company's total financial assets. The CCPA is a little more lax because it only applies penalties when there is a data breach. If the data is secure, the CCPA does not penalize the other processes.
Furthermore, the law sets different penalties for intentional and non-intentional violations: $7,500 per violation and $2,500 per violation, respectively.
Damages of $100 to $750 per instance may also be awarded in civil court, and each affected client can sue the company that let the breach happen. So the charges may seem small, but a wide-ranging breach can result in many demands for compensation.
Cookies consent requirements in CCPA
Cookies gather information on users. Many people assume that cookies simply store information that makes it easier to log in or load a site on the next visit.
While that is true, cookies also collect information that the site can use and share. Clients' data is collected to make online advertising happen.
Cookies can help identify and build a profile of each website user. This ability has been a cause for concern, so privacy laws now require companies to inform users that their websites' cookies gather information.
A popup will inform you about collecting your information when you go to a particular site. You must either agree and proceed or disagree and leave the site.
The CCPA has been formulated with the opt-out cookie consent regime in mind. Website publishers have to display the cookie notice and the cookies used before loading non-essential cookies.
The link or popup showing cookie information (use and purposes) should be conspicuous. It should be given at or before the moment of data collection.
The California Privacy Rights Act (CPRA) will strengthen these rules with stricter enforcement and broader coverage. For example, it will require companies to state in their notices whether the personal information collected will be sold or shared.
Even under the CCPA, however, businesses are required to indicate the following information about the data collected on their websites:
- The third parties involved in collecting data via a cookie
- The different types of cookies the website uses
- The different types of personal data collected by the website’s cookies
- The reason behind data collection
- How long the data will be retained by the companies involved
You are probably wondering why some websites do not ask permission to collect data from you. After all, when you go to a site, you do somehow leave a type of footprint.
Websites do get a little bit of leeway in terms of necessary cookies. These cookies are required to ensure the websites continue to function. They do not require consent from their users. However, it is still recommended that they at least make the information known to their site visitors.
If you have a website, you can at least tell your consumers that the cookies you are using are only there to ensure function. However, performance and analytics cookies should be revealed to consumers. They are not necessary for your website to function.
A simple disclosure, like advising them that using the site means collecting basic information through cookies, will do. However, this may not be enough if you deal with the GDPR, which requires you to reveal more about your cookie use.
The CCPA requires companies to be transparent in using a client’s data. The best thing that a company can do is to reveal as much as possible about how they will use the data collected from website visitors.
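As an added illustration of the regime this section describes (example code written for this guide, not TermsHub's own): a minimal consent gate that keeps non-essential cookies from loading before the notice at collection is shown, honours a "Do not sell" opt-out for any cookie that shares data with a third party, enforces the 12-month wait before re-asking described under the right to opt-out, and emits the disclosure fields listed above. Cookie names, vendors and retention periods are constructed sample values; treating every third-party cookie as a sale on opt-out is an assumption of this example.

```javascript
// Added example, not from TermsHub or the original article.
// Assumptions: necessary cookies need no consent; all other cookies wait for the
// notice at collection; a "Do not sell" opt-out stops every cookie that shares
// data with a third party. Registry entries below are constructed sample data.
const COOKIE_REGISTRY = [
  { name: "session_id", type: "necessary", purpose: "keep the visitor logged in",
    data: ["session token"], retention: "browser session", thirdParties: [] },
  { name: "_perf", type: "performance", purpose: "first-party page timing",
    data: ["page load time"], retention: "30 days", thirdParties: [] },
  { name: "_ana", type: "analytics", purpose: "site usage statistics",
    data: ["pages viewed", "IP address"], retention: "13 months", thirdParties: ["ExampleAnalytics"] },
  { name: "_ads", type: "advertising", purpose: "targeted advertising",
    data: ["browsing history", "device id"], retention: "12 months", thirdParties: ["ExampleAdNetwork"] },
];

const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000;

// Per-visitor consent state; a real site would persist this.
function newConsentState() {
  return { noticeShown: false, doNotSell: false, optOutAt: null };
}

// Called once the notice at collection (cookie banner) has been displayed.
function showNoticeAtCollection(state) {
  state.noticeShown = true;
  return state;
}

// Handler for the "Do not sell my personal information" link.
function doNotSellOptOut(state, now = Date.now()) {
  state.doNotSell = true;
  state.optOutAt = now;
  return state;
}

// The business must wait at least 12 months after an opt-out before asking
// the consumer to opt back in.
function mayAskToOptIn(state, now = Date.now()) {
  if (!state.doNotSell) return true;
  return now - state.optOutAt >= TWELVE_MONTHS_MS;
}

// Names of the cookies the page may set in the current consent state.
function cookiesAllowedToLoad(state, registry = COOKIE_REGISTRY) {
  return registry
    .filter((c) => {
      if (c.type === "necessary") return true;                        // no consent needed
      if (!state.noticeShown) return false;                           // notice comes first
      if (state.doNotSell && c.thirdParties.length > 0) return false; // opt-out stops sharing
      return true;
    })
    .map((c) => c.name);
}

// The disclosure the article lists: third parties, cookie types, personal data
// collected, purpose of collection, and retention period.
function cookieDisclosure(registry = COOKIE_REGISTRY) {
  return registry.map((c) => ({
    cookie: c.name, type: c.type, thirdParties: c.thirdParties,
    dataCollected: c.data, purpose: c.purpose, retention: c.retention,
  }));
}
```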
The California Attorney General (‘AG’) announcement
The California Attorney General (AG) recently announced that enforcement of the CCPA of 2018 has begun. The AG's website offers a tool that users can use to report companies' non-compliance with the law. The AG's website also lists some CCPA Enforcement Case Examples that complainants and companies alike can consult.
On July 1, 2020, the California Department of Justice began sending notices to businesses that allegedly had issues of non-compliance. They were given about 30 days to resolve the allegations before enforcement could begin. 75% of the companies notified were able to resolve their cases within that period; the rest remained "under active investigation."
Some non-compliant companies had failed to post a "Do Not Sell My Personal Information" link. Others had involved a third party in processing and manipulating their clients' data.
The AG has also made available a Consumer Privacy Interactive Tool, through which consumers can help identify companies that do not obey the CCPA. One issue with this tool is that non-California residents may also try to use it.