On Friday, California's Office of Administrative Law officially approved final regulations under the California Consumer Privacy Act (CCPA), arguably the nation’s most comprehensive legislation governing the collection, access, sale and ultimate control of consumers’ personal information (PI). The California Attorney General’s office had previously announced its intention to begin enforcement on July 1, and has reportedly already sent letters to noncompliant businesses – indicating we could potentially see the first formal CCPA enforcement actions within the coming weeks.
This means that it is incredibly important for all businesses covered by CCPA to ensure they are in regulatory compliance. However, given the rushed and sometimes contradictory CCPA review process, it can be difficult for compliance officers to determine what changes their organizations need to make. Compliance departments may also have to work with other departments or functions.
This is certainly true with respect to a company’s website. How your website collects PI and notifies consumers is one of the most important aspects of CCPA compliance. It is critical that compliance officers understand all the relevant technologies their companies employ – including third-party integrations and plugins – when analyzing their respective websites for CCPA compliance. Below are several key concepts, questions and actions for compliance officers to consider when conducting their own reviews.
Key concepts and questions
Before a compliance function conducts a website evaluation or recommends specific action, it should first review the core terms and concepts as defined by CCPA. Begin with the following questions:
1. What is personal information (PI)? CCPA defines PI as “Information that identifies, relates to, or could reasonably be linked with you or your household.” This includes everything from a consumer’s name or social security number to their browsing history or geolocation data. However, anything publicly available through government records (such as professional licenses and property records) is not considered PI. Also, some specific types of PI, such as information required to comply with state or federal laws, are exempted. Consult the full list of exemptions if you have questions.
2. Who is affected by CCPA? For a business to fall under the CCPA, it must meet one of the following conditions:
- Have a gross annual revenue of over $25 million;
- Buy, receive or sell the PI of 50,000+ California residents, households, or devices; or
- Derive 50% of their annual revenue from selling California residents’ PI.
It is important to note that CCPA applies to for-profit businesses only; nonprofit and government agencies are exempted. The law also contains sections specific to data brokers – companies that collect and sell PI to third parties. For guidance, the California DOJ maintains a list of all registered brokers.
Finally, only California residents are covered under the law. Non-natural persons (such as California business entities and associations) are also excluded.
3. What are the 4 CCPA consumer privacy rights? As California AG Xavier Becerra has publicly stated, prosecutors will first consider a company’s intent to comply with CCPA when making enforcement decisions. So, before attempting to address individual regulatory requirements, compliance officers should ensure they can demonstrate (and document) their organization’s understanding – and comprehensive defense – of the rights established under CCPA:
- The right to know what PI is collected and how it is used
- The right to delete PI collected
- The right to opt out of the sale of PI; and
- The right to non-discrimination for exercising your CCPA rights
Critically, the law also mandates California consumers be provided with notice when their PI is collected. They also have the right to sue under the CCPA in the event of data breaches resulting in the theft of some types of PI.
Every regulation under CCPA emanates from one or more of these rights, as should every action an organization affected by CCPA takes regarding its collection and use of PI.
4. What can CA consumers do under the CCPA? Outside of data breaches, consumers can’t directly sue for CCPA violations. However, they can submit requests pursuant to the rights above, including:
- Requests to know what categories and specific pieces of PI have been collected, the sources from which they were collected, and the purposes for which they were collected. They can also request to know the categories of third parties with whom PI is shared and what types of information they receive.
- Requests to delete PI that has been collected; and
- Requests to opt out from having their PI sold.
Making your website CCPA compliant
Once key terms and concepts are clearly defined, compliance officers can begin reviewing their websites. The following is a starting list of best practices organizations can implement to begin the process of maintaining CCPA compliance:
2. Draft "notice at collection" statements. Under the law, businesses are required to provide consumers with certain details at the time of collection, specifically:
- The categories of PI your business collects (name, email address, etc.)
- The purposes for which your business collects PI
- A “Do Not Sell” link (if your business sells consumers’ PI)
This notice must be provided at or before the point at which your business collects PI. For example, it can be placed on your homepage and on a webpage where a consumer would enter their PI.
Make sure your collection notice is in “plain, straightforward language” and avoids technical or legal jargon. Also make sure it is offered in multiple languages. As a general rule, if a language is used on your site, it should be used here.
3. Provide additional collection details. In addition to the information required in the collection notice, consider adding as much collection detail to your privacy statement as possible, including:
- The categories of sources from which your business collects PI
- The categories of third parties with whom you share PI
- The categories of information your business sells or discloses to third parties
This transparency is not only ethical; it’s practical. These are all items consumers have a right to request under CCPA, so providing this information now helps prevent extra work responding to requests later.
4. Include a CCPA request form. If a California consumer cannot find the answer to their question on your website’s privacy statement, CCPA mandates they be able to make requests pursuant to their rights under the law. Many businesses, including NAVEX Global, have created web request forms to capture and relay those requests. Under CCPA, links to these requests should be “clear and conspicuous,” so make sure not to bury them.
5. Post a toll-free phone number. CCPA requires businesses to designate at least two methods for submitting requests – one through its website (if it has one) and another via phone. Be sure to place your organization’s toll-free number prominently on your privacy statement page. Also, have a script ready to be provided orally when information is taken over the phone or in person.
6. Review cookies. Review which cookies and tracking technologies are on your website. Include both first-party cookies (those belonging to your domain) and third-party cookies (those belonging to ad tech and social media platforms through plugins, tags and tools).
7. Check mobile and responsive presentations. You should also take care to ensure your CCPA web elements are compatible with mobile formats. Place your collection notices on your app’s download page, in your app’s settings menus, and within just-in-time notices.
Although by no means comprehensive, this list will help you begin to make your website CCPA compliant.