In this post, we’ll cover the broad implications of the CCPA, which businesses need to be CCPA-compliant, and how to be CCPA compliant.
Why Does the California Consumer Privacy Act Matter?
Savvy digital consumers may know that websites are collecting their personal information, but they might be unaware just how much of their personal data is collected.
The intent of the CCPA is to help consumers understand what data businesses are collecting and for what purpose, and to give consumers the ability to opt out of data collection. (That’s a high-level view — we’ll delve into specifics of the CCPA in a subsequent section).
Information that businesses may collect about consumers includes:
- Credit card numbers
- Real names
- Postal addresses
- Social security numbers
- Demographics
- Income or similar information
- Browsing history and search history
- Age
- Commercial information
- Political affiliations
- Education information
- Religious affiliations
- Unique personal identifier/account name/online identifier
- Driver's license number
- Geolocation data
- Biometric information
- IP address or similar device identifiers
- Passport number
- Other identifiable information
Who Needs to Be CCPA Compliant?
A business needs to comply with the CCPA if it meets any one of the following criteria:
- Has a gross annual revenue of at least $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
- Derives 50% or more of its annual revenue from selling consumers' personal information.
CCPA Compliance Requirements
- Right to know — Organizations that collect consumer data must inform consumers at or before the point of data collection about the type of data they’re collecting, and for what purpose.
- Right to access — Upon request, and within 45 days, organizations must provide consumers with the personal data they’ve collected, in a usable format (such as a CSV file).
- Right to be forgotten — Companies must honor consumers’ requests to be “forgotten,” which means their personal data must be deleted (with some exceptions).
- Right to opt-out — Consumers have the right to ask companies to stop sharing their personal information with third parties.
- Right to non-discrimination — Organizations cannot discriminate against consumers for exercising their rights under the CCPA.
What does the CCPA say about cookies?
The CCPA requires organizations to create a cookie consent policy stating what cookies they use, the type of information cookies collect, and for what purpose. Websites must also offer an easy way to opt out of/reject cookies, except for those that are necessary for website functionality. The cookie consent language can be included in a company’s privacy policy.
What if You Fail to Meet Requirements?
How to Comply With the California Consumer Privacy Act
1. Update privacy policy and notices
2. Maintain a detailed data inventory
3. Create data rights protocols
4. Improve your cybersecurity
5. Review third-party processor agreements
6. Schedule internal data privacy training
CCPA Compliance Checklist
1. Preparation
2. Implementation
3. Maintenance
CCPA Compliance FAQ
1. What’s the difference between GDPR and CCPA?
The CCPA is similar to the European Union’s General Data Protection Regulation (GDPR). The primary differences between the two regulations are:
- The GDPR applies to organizations with customers within the EU.
- While the CCPA requires companies to provide an opt-out process for consumers, the GDPR requires an opt-in process, meaning organizations cannot collect consumer data until and unless granted permission to do so.
2. Does the CCPA apply to any specific industries?
3. Can I achieve CCPA compliance on my own?
4. What does the CCPA define as “Sale of Data”?
CCPA compliance with Monsido Consent Manager
Monsido Consent Manager
Find out how Monsido can prepare you for success and shield you from non-compliance issues.
