CCPA, CPRA, what is it anyway?
CCPA stands for California Consumer Privacy Act, a data protection law that standardizes the rights of California consumers. As with the GDPR, the marketplace principle applies, which means that the CCPA also affects European companies in certain cases. If you run a profit-oriented business that collects, processes, or sells data from California citizens, you may be required to comply with the CCPA, provided you meet some additional criteria.
As of January 1, 2023, the CCPA has been amended to include the CPRA (California Privacy Rights Act). We have already informed you about the important changes to the CCPA in 2023.
At this point, it is critical for you to know that consumers have new rights under CPRA, such as the right to correct inaccurate information.
What data is (not) affected by CCPA
Section 1798.140(o)(1) of the CCPA defines exactly what counts as personal data, or personally identifiable information (PII), and what does not fall under the law.
The usual suspects that you must be aware of include:
What is not covered by CCPA
CCPA compliance: the ultimate guide for 2023
To be CCPA-compliant, it is best to honor the consumer rights set out in Section 1798.100f of the California Consumer Privacy Act.
These are:
Right to know
Californian consumers have the right to have companies disclose exactly what personal information is collected about them. Consumers may make such a request up to twice a year. Additionally, an individual must be notified of the intended collection at or before the point at which data is collected.
The right to disclosure/right to know includes the following information:
- Categories of personal data
- Specific personal information about the individual concerned
- Purpose of the data storage
- Source of the stored data
- To which third parties personal data is disclosed
Ensure the right to know
To inform your consumers about your data processing activities, you can use a pop-up window or banner that appears when a page is first accessed. Here is an example of a cookie banner:
Tell your customers that you collect data and for what purpose, and include links with additional information about your CCPA practices.
Important! Consider the CPRA changes starting January 1, 2023. What worked last year is likely to be outdated this year.
Right of access in CCPA
Section 1798.130 of the CCPA requires you to provide consumers with two or more methods of contacting you to make requests, such as requests for disclosure of personal information. At a minimum, you must provide a toll-free telephone number and your website address. Once a request is raised, you have only 45 days to comply.
Comply with Access Rights in CCPA
To make it as easy as possible for consumers to practice their CCPA rights, you should place your contact information prominently on your website. Simply link to your imprint in the footer:
Keep your privacy policy up to date
To fully comply with the CCPA, you need a privacy policy that follows the current CCPA/CPRA rules and is updated at least every 12 months. The privacy policy should explain what data is collected and why. It must also state how consumers can deny the use of their personal data for specific purposes. Do not forget to state that you do not discriminate against consumers who withdraw your permission to store their data.
You can add the privacy policy as a single page on your website or present it as a pop-up, like this:
To make sure your privacy policy is up to date, you should first have a CCPA gap assessment performed. It is best to get help here from professionals, such as our privacy compliance service.
Opt-out of data sales and marketing
Under the California Consumer Privacy Act, consent does not have to be obtained for data processing, but consumers must be able to opt out of the sale of their personal data to third parties at any time. This is called the opt-out right. To offer the opt-out, your online presence must include a separate page with the mandatory heading “Do not sell my personal information.”
Comply with Opt-out right
Create the mandatory opt-out page and link to it both in your footer and in your privacy policy. Recently, the Attorney General has developed a uniform opt-out icon that you can implement on your website.
The icon additionally helps your consumers get a good overview of your privacy efforts and to claim their personal CCPA rights.
Watch out: The icon does not replace the opt-out page!
Right to delete/be forgotten
Californian consumers have the right to have the data a company has collected about them deleted, and therefore to “be forgotten.” In certain cases you do not have to comply with this deletion obligation, namely if your company needs to retain the requested data to detect security incidents, comply with legal obligations, or for similar reasons, as described in Section 1798.105.
Comply with CCPA right to deletion
In very few cases will you be able to rely on an exemption; otherwise you will be required to delete all of the data, again within 45 days if you do not want to risk a penalty. Fast and reliable action is therefore required.
So make sure your IT team knows exactly where personal data is stored and how to delete it in a CCPA-compliant manner. Establish processes within your organization to delete or anonymize data in a simple, fast and reliable way. A tool can be helpful at this point.
New rights under CPRA
Since the CPRA went into effect in January 2023, consumers have the right to correction, that is, the right to have inaccurate information about them corrected. You must then make all commercially reasonable efforts to do so, although the text of the law does not specify what counts as reasonable.
A tool that automates this process is also a great help in complying with this legal requirement.
Your ultimate checklist for CCPA compliance for 2023
Everything thought of? Simply check your CCPA compliance against this list:
- Create a privacy policy and update it at least once a year
- Inform consumers of their rights:
  - What data is stored
  - For what purpose
  - With whom it is shared
- Inform consumers at the latest at the time of data processing
- Respond to customer inquiries as soon as possible
- Provide multiple contact options on your website
- Create a “Do not sell my personal information” page
Conclusion: CCPA risk-free compliance
As you can see, the CCPA/CPRA requires quite a bit from you. Not only must personal data be collected securely, but it must also be stored in a way that allows consumers to exercise their CCPA rights at any time. Our ultimate guide and checklist provide a good overview of CCPA compliance. For additional help, have a look at the Data Protection and Security Toolkit for Jira/Confluence. With this app, you can easily comply with all CCPA requirements: you can quickly create cookie banners or privacy policies and adapt them to your individual requirements in terms of size, design, placement and much more. The reliable Data Cleaner module finds all personal data and helps you comply with the complex right to delete.
Save yourself time and money and integrate this smart assistant into your data protection process. See for yourself with the free trial version!