Are you wondering what the California Consumer Privacy Act (CCPA), and how it affects your business? Or do you want to learn what the CCPA compliance requirements are?
The CCPA is the newest privacy law in the United States. It has taken many people by surprise and caused a lot of confusion. But don’t worry, it’s not as scary as it seems.
Like GDPR used to be a frightening law before people understood it, the CCPA is actually more straightforward and therefore less intimidating.
So, in this article, you’ll learn what the CCPA compliance requirements are and the notices you need to provide your customers. You’ll also learn how customers can exercise those rights and the steps you need to take to be fully compliant.
As a seven-figure blogger and business lawyer, my passion is helping other entrepreneurs, and so far, I’ve helped over 50,000 people protect their blogs and businesses. So, read this post to learn everything you need to know about the CCPA.
What is the California Consumer Privacy Act (CCPA)
The CCPA is a new law that regulates the use and sale of an individual’s personal information. It was passed in June of 2018 and went into effect on January 1, 2020.
Personal information under the CCPA compliance requirements includes:
- Your postal address or physical location
- Name, alias, or unique personal identifier
- Email address
- IP address
- Social security number
- Account name
- Passport number
- Driver’s license number and other similar data
It also includes commercial information such as:
- Personal property records
- Services or products considered, bought, or obtained
- Other purchase histories
- Internet activity history, like your browsing and search history or other electronic network activity information
- Credit and debit card information
- Geolocation data
- Interaction with websites, advertisements, or apps
- Visual, audio, olfactory, electronic, thermal, or similar data
- Biometric data
- Education information
- Employment and professional-related data
And any other government records related to you that I may have missed.
As you can see, personal information covers a lot of data!
The California Consumer Privacy Act gives people more control over how businesses collect and use their personal information. The law helps secure better privacy rights for the people of California, and it’s the first state to enact such a law.
Also, under the CCPA compliance requirements, businesses are required to provide consumers with certain notices that explain their consumer rights. It applies to many businesses, including any online business that could have California customers, which means it affects pretty much any online company.
How Did The CCPA Law Come About?
The CCPA came to be after California residents were concerned with the Cambridge Analytica scandal, which led them to demand more control over their personal data. It is a response by legislators who wanted to keep up with GDPR and establish a law that would protect their residents.
But who do the CCPA compliance requirements affect? It affects anyone who is a California resident or collects data from residents of CA on its website, in an app, etc.
How Will This New Regulation Change Things for Businesses Located Outside of California?
If you are not based out of California, and you do not collect data from Californians, then the CCPA won’t affect your business. But if you cater to all U.S. customers, you need to make sure your business is CCPA compliant.
I would advise all businesses with a website and American customers to take action to comply with these laws ASAP if you haven’t already.
Is Your Website Legally Compliant with the CCPA and other Laws?
In this video, I share three website policies that will help you sleep better at night and avoid any headaches in the future.
PLUS at the end, I provide two BONUS legal tips not found elsewhere.
GDPR vs. CCPA
GDPR stands for General Data Protection Regulation. GDPR and CCPA are both privacy laws that regulate what data companies can collect from their customers. GDPR is a European Union law affecting all EU citizens, whereas the CCPA rights affect only California residents in America.
Also, while GDPR requires businesses to notify individuals about any customer data collected through an app or website etc. This doesn’t apply to the CCPA.
But the unique CCPA compliance requirements of the CCPA mean that the compliance falls solely on the shoulders of each business to achieve compliance and then maintain it. The businesses that updated their operational applications and governance procedures have the advantage with CCPA requirements.
One key piece will be transitioning into a privacy program that is scalable, responsible, and efficient, so it’s easy to adjust as privacy regulations change and mature.
Transitioning can be a lengthy process for large corporations, so it’s best to start creating a program like this as soon as possible.
One particularly challenging part is third-party risk management. If you work with third parties, you’re responsible for what they do with the data they hold that you collected.
This part can be very tricky, and whoever gathers and stores the data is responsible for keeping it private, which could require a contract in certain circumstances. And most of us use service providers for our business like ConvertKit or Kartra for email marketing, for example.
Consider performing a very thorough and detailed review of this relationship with third-party companies you do business with. Determine which party collects, processes, and stores information on your business’s behalf. Then you can renegotiate contracts with these third parties so you can achieve compliance.
Click here to get all three legal pages you need to make your website compliant with the CCPA, GDPR and other laws.
What are the Required Notices for CCPA?
The notices are the most important thing for businesses to be compliant with the CCPA. CCPA compliance requirements say there must be three required disclosures that consumers can access at any time. This includes notifications before they sign up and after signing in.
These notices include:
- The right to non-discrimination (including not being denied service because of your gender or ethnicity)
- The right to disclosure (including the ability to review, correct, and delete your information)
- The right to access personal information about you that a company has collected.
The consumer privacy rights of the CCPA requires these notices.
Your Right to Non-Discrimination
All businesses are prohibited from discriminating against consumers on these bases:
- Race or ethnicity
- National origin
- Religion or religious affiliation
- Gender (including pregnancy, childbirth, and medical conditions related to gender)
- Sexual orientation, among other things.
This means you can’t deny someone services or goods, provide a different level of quality of services or goods, or charge a different price based on some of the discriminations above.
But if someone refuses to provide their personal information and it’s required to complete the transaction, they must be aware that they can’t get that product or service.
You can offer discounts, promotions, and other deals in exchange for collecting, selling, or keeping someone’s information as long as they are related to the value of that personal data.
If someone asks you to stop using their personal information or to delete it, they understand that they won’t receive the same deals, discounts, or promotions.
Your Right to Disclosure
The CCPA requires that you notify protected people about your intentions before or at the point you plan to collect their data. You can either notify people as soon as they land on your webpage with something like a pop-up or banner or at the point you gather the data.
Your Right to Access
The CCPA grants consumers the right to access and review the personal information that a company has collected. People have a right to request the following information from you in a format that is “readily usable” for free within 45 days:
- The various categories of personal data you collect
- What categories of sources do you get personal data from
- The categories of third-party service providers you disclose their personal information to
- The specific parts of personal data you keep about each consumer
- What your commercial reason is for selling or collecting someone’s personal information
You also have a 45-day extension period if you need it. The good thing is you only need to honor consumer requests twice a year, so it reduces the administrative burden placed on your business.
Legal Pro Tip: Make sure you can provide an easy method for customers to exercise their right to access, such as keeping your contact information in a variety of formats. You may want to create an access request process too.
Your Right to Delete Personal Information
Everyone has the right to ask businesses to delete their personal data. There are only limited exceptions when it comes to these requests. For instance, you can hold onto someone’s information to fulfill some type of legal obligation or to complete a customer’s purchase.
Under this law, there is no specific time frame for how long you must retain consumer data. However, it does require that you delete all personal information about them when they request it or at least within 45 days of their request.
Your Right to Know How Your Contact Information is Used
CCPA compliance requirements state that you must also tell your customers what contact information they’ve given and how it will be used. You also must provide them with the right, at any time, to instruct third-party service providers not to use the personal information for direct marketing purposes or sharing it with third parties.
At a minimum, you should provide clients and customers with your online contact information, and in some instances, a toll-free telephone number so they can exercise these consumer rights.
What Business Owners Need to Do to Be Compliant
So, here’s what you need to do to achieve and maintain compliance.
Step 2: Maintain a Secure Data Storage Solution
If you keep people’s information, you’ll want to store it securely, including through encryption methods such as hashing algorithms and tokenization.
Consider adding a layer of security by encrypting personal information on mobile devices. Or have it in an encrypted format when you store it on servers (you’ll need to do this if you handle sensitive personal data).
Step 3: Implement Data Rights Protocols
If you store customers’ personal information, you’ll want to create protocols that help you store their data securely. Also, make sure your employees are trained on security and privacy. Teach them how the CCPA affects their job and make sure you train all new employees too. Training materials will help you do this.
If you have a large company and collect more than 250,000K personal data records, you may need to designate a Data Protection Officer.
Step 4: Respond to CCPA Notification of Violations Quickly
Respond quickly to notification from the CCPA that you have violated a provision in it. The process is not just so they know what’s going on but because fines can be steep if you’re non-compliant. You will continue to receive fines until you are compliant.
Step 5: Have a Plan in Place for Any Potential Security Breaches or Data Leaks
In the event your business becomes a victim to a possible data leak or security breach, make sure you have a plan in place to deal with it.
Penalties for Violating the CCPA
Consumers can sue a business privately for statutory damages that are set at no less than $100 and no greater than $750 per consumer per incident. Businesses will only have 30 days to resolve the problem after the customers notify them, or they will face civil penalties.
The State of California can sue you for $7,500 for intentional violations and $2,500 for unintentional violations.
Who Can Get Fined by the CCPA?
CCPA compliance requirements apply to any for-profit companies that meet at least one of the following conditions:
- Businesses that have an annual income of $25 million or more
- Companies that get more than 50 percent of your annual income from selling California residents’ personal data
- You buy, share, receive, or sell personal information for commercial purposes for over 50,000 consumers each year
How to Make Sure You’re CCPA Compliant the Easy Way
It is a legal statement that informs the visitors and users of your website how you collect and use their personal information. You are required to disclose this information by law.
My legal templates are very affordable. However, you can get a better deal if you buy one of my legal bundles. You can begin with the starter legal bundle that also includes the terms and conditions and disclaimer templates you need for your website.
Listen to what some of my customers have said about how they felt before and after purchasing my legal templates in this video.
If you’re a freelancer offering services, you’ll also want to check out my freelance contract template that has the essential elements you need to legally protect yourself and your clients. It’s one of my most popular templates and very helpful.
FAQs on CCPA compliance
How do you stay compliant with CCPA?
You need to follow the regulations set forth by CCPA. That includes providing the notices mentioned above to your customers and getting a contract in place for third-party service providers (such as website hosts). Educating employees about CCPA is also critical, and remember to train new ones.
Non-compliance can lead to steep fines. So, make sure that the third parties have contracts as well and all contact information is up to date, so they are compliant with CCPA rights regulations.
You also will need to notify customers of their rights before signing up, which can be done at the bottom of every web page or in a registration form.
Who is exempt from CCPA?
If you are not a business and do not maintain personal information, then CCPA does not apply to you. This includes the following:
- Small businesses with fewer than 25 employees in California who don’t collect customers’ personal data or contact information online, by phone, or offline in any capacity (i.e., brick and mortar businesses)
- Nonprofit organizations that don’t collect personal information on their volunteers, members, or donors
- Churches and other religious associations with no paid staff who do not maintain records of their congregation’s contact information
- Educational institutions (both public and private), which mostly work in an academic setting where “contact information” is just a student’s name and contact information, not data-driven
Does CCPA affect me if I am not a California resident?
No, this law only applies to residents of California. If you are not a Californian, then the CCPA does not apply to you as a consumer.
If you are a business owner that has a website online and you have U.S. customers, then the CCPA does affect you as a business owner.
Related Blog Post on Blogging Legally
Check out these 15 best tips from a lawyer to learn how to blog legally and avoid legal trouble!
Final Thoughts of CCPA Compliance Regulations
Now you know everything you need to about the CCPA regulations and how they affect your business. These CCPA guidelines are meant to help you achieve compliance and maintain it.
While it may seem overwhelming, hopefully, this article helped you understand why the CCPA was created and how it affects you. Now you know what you need to do to prevent your business from violating the CCPA compliance regulations.
You can keep this article as a reference, so you always understand what you need to do to become compliant with CCPA regulations.
Grab my starter legal bundle to make sure you’re blogging legally and have all the pages your business website needs if you don’t have them yet. This bundle also ensures that you’re GDPR compliant too.
And sit back and relax because now you and your business are protected from scary legal issues.
Also, join my Facebook group here! It’s packed with tons of FREE business and legal tips. Plus, it’s a great way to network with other bloggers and business owners.
Related Posts to CCPA Compliance Regulations
Now you know the essential CCPA compliance requirements. Unfortunately, legal mistakes can be SO costly for any business owner. Learn how to avoid these 13 costly legal mistakes in your business.
For more legal tips for entrepreneurs, visit my legal tips page. This page has tons of content I created to prevent you from dealing with lawsuits and other legal issues. You’ll love the reviews, testimonials, and blog posts filled with valuable legal tips.
Here are some other helpful blog posts:
ADA Website Compliance (Tips and Checklist You’ll Need)
5 Steps to Easily Manage Your Finances as a Digital Entrepreneur
How to Use a Virtual Assistant Contract Template to Protect Your Business
Membership Agreement: Why You Need it for Your Business (Plus Template)
11 Best Books for Female Entrepreneurs You Need to Read Today
5 Struggles Every Startup Faces and How to Overcome Them
5 Secrets to Creating the Perfect Blogging Schedule You’ll Actually Stick To
The Ultimate Guide to Trademark Registration: What Can I Trademark
Protect Your eBook With This Disclaimer and Copyright Page Template
Blog Disclosures and Blog Disclaimers: Example and Template You Need