Don’t let the name fool you: your business does not have to be based in California for your website to be affected by the California Consumer Privacy Act (CCPA).
While CCPA remains the most well-known online data privacy law in the United States, four states are adding similar laws in 2023: Virginia, Colorado, Connecticut, and Utah.
The CCPA was signed into law in 2018 and has been in effect since January 1, 2020. The first data privacy law in the United States, the CCPA gives consumers the right to know which personal information is collected about them online, why it is being collected, and who receives it.
So what are the requirements for CCPA website compliance? Who exactly has to comply? And what are the repercussions for not complying? Read on to find out.
What is the CCPA?
The CCPA is a piece of legislation enacted to protect California residents’ privacy, even when they are temporarily outside of the state.
The law gives individuals the right to know which personal data has been collected, and the ability to request that this data be deleted. Businesses must disclose their data collection practices and establish several consumer protections. These protections give consumers the following rights:
- The right to know how personal information is used and shared.
- The right to have any data collected about them deleted.
- The right to opt out of their data being sold.
- The right to exercise their CCPA rights without discrimination.
The CCPA is similar to the GDPR (General Data Protection Regulation), which applies to all organizations within the European Union and to those supplying goods or services to its residents in some capacity. Both laws focus on privacy protections for citizens, and while there are minor differences between the two, they share the same goal: allowing citizens to decide how others collect and use their data.
Examples of Eligible Privacy Information
The following are examples of information that falls under CCPA protection:
- Name
- Phone number
- Email address
- Physical address
- Employment details
- Federal and state ID numbers
- Credit card and other financial information
- Search engine history
- Biometrics
How is This Data Collected?
Your business may be collecting user information intentionally, but it can happen unintentionally, as well. User data is primarily collected in one of two ways:
1. Directly asking the customer. You will be storing any information your customer willingly provides in exchange for some service. Examples include:
- Sign-up forms for newsletters or services
- Social media polls
- Reviews or feedback submissions
- Order forms
- Customer service inquiries
- Customer reward programs
- Website chatbots
2. Indirectly tracking the customer. You may not track your website visitors intentionally, but data collection can still take place in several ways, particularly if you’re using third-party services on your website. For example:
- Running paid ads through Google can result in collecting IP addresses and tracking customers who visit your website.
- Your website may be tracking visitors through cookies and web beacons.
- Paid social media campaigns can collect data on individuals who have engaged with your ads.
- Incoming phone calls.
- Storing data from credit card sales.
Whether you’re intentionally collecting user data or using third-party plugins and services on your website, it’s best to be up front with your site visitors to ensure your site is CCPA compliant.
Who Needs to Worry About CCPA Compliance?
The CCPA requires compliance from for-profit companies that serve residents of California (no matter where the company itself is located) and have at least $25 million in annual revenue. In addition, any business that collects data on 50,000 or more individuals, or derives at least half of its revenue from selling personal data, must comply.
Even if your company doesn’t have to be compliant now, it’s a good idea to begin implementing the basic CCPA requirements, as many experts think it’s just a matter of time before the rest of the country adopts similar — and potentially more strict — online privacy laws.
What Does it Mean to be CCPA Compliant?
Complying with the CCPA can seem daunting, but breaking it down into a few simple steps can make the law much easier to understand.
1. Privacy Notices and Policies
The CCPA requires that “at or before the point of collection, compliant, eligible companies notify consumers about what information they collect and for which purpose.”
You may have seen such notices when signing up for a new service or newsletter, informing you what information will be collected and what the business intends to do with it.
2. Maintain Data Inventory
Compliant businesses will have to create a data inventory to track their data processing activities, including all the business processes, third parties, products, devices, and applications that process personal consumer data.
What Happens if a Business Fails CCPA Compliance?
Businesses that fail CCPA compliance are subject to fines, including:
- $2,500 USD for any unintentional violation
- $7,500 USD for any intentional violation
Individuals can also sue businesses that fail to implement proper security measures or that do not release requested information.
Within five months of the CCPA going into effect, 50% of businesses hadn’t even begun implementing compliance plans. According to the California District Attorney, some companies received violations in the first six months, and Salesforce was involved in civil litigation.
The California DA also noted that 10 unnamed companies received violations, including a car dealership that was acquiring customer information during test drives but not disclosing that data collection.
3 Steps to Make Your Website CCPA Compliant
So where to begin making your website CCPA compliant? Here are 3 steps you can take right now:
1. Create a Privacy Policy Page
Create an easy-to-find page on your website that details how your business collects user data and how it shares this information. Be comprehensive and include every way your business collects personal information. The Privacy Policy page should also describe each of the consumer rights that fall under the CCPA.
2. Include a CCPA Request Form
Provide a form on your website that allows visitors to quickly request any information you have collected on them, or to request that you delete any of their information from your database.
3. Post a Toll-Free Number
In addition to an online form for information requests, businesses must also provide a toll-free phone number for customers to make requests. When collecting personal information, be sure to place the toll-free number prominently on your Privacy Policy page.
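The data inventory from the compliance steps above and the request form from step 2 fit together naturally: the inventory records which system holds which categories of personal information, why, and which third parties receive it, and a request to know, delete, or opt out is fulfilled by walking that inventory. The following is an added example (not code from the article or from any product it mentions) showing one way to model this in Python. The systems, vendors, categories and the sample records for a consumer are constructed; the names `ProcessingActivity`, `privacy_notice` and `fulfil_request` are this example's own. The handler refuses to disclose or erase anything until the requester's identity has been verified, because an unverified request form would otherwise hand a stranger's data to whoever asks.

```python
"""Data inventory plus consumer-request handling (added example, not from the article)."""
import copy
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessingActivity:
    """One row of the data inventory (hypothetical structure)."""
    system: str                     # application, device or business process holding the data
    categories: Tuple[str, ...]     # categories of personal information it processes
    purpose: str                    # why the data is collected
    third_parties: Tuple[str, ...]  # who receives the data
    sold: bool                      # whether the data is sold or shared for advertising


# Constructed sample inventory; systems and vendors are hypothetical.
INVENTORY: List[ProcessingActivity] = [
    ProcessingActivity("newsletter-signup", ("name", "email"),
                       "send newsletters", ("email-vendor",), False),
    ProcessingActivity("order-system", ("name", "physical address", "payment card"),
                       "fulfil orders", ("payment-processor", "shipping-carrier"), False),
    ProcessingActivity("web-analytics", ("ip address", "cookie id"),
                       "measure site traffic and ads", ("ad-network",), True),
]

# Constructed sample records: system -> consumer id -> stored record.
_SAMPLE_STORES: Dict[str, Dict[str, dict]] = {
    "newsletter-signup": {"alice@example.com": {"name": "Alice", "email": "alice@example.com"}},
    "order-system": {"alice@example.com": {"name": "Alice", "physical address": "1 Main St",
                                           "payment card": "****1111"}},
    "web-analytics": {"alice@example.com": {"ip address": "203.0.113.7", "cookie id": "abc123",
                                            "opted_out": False}},
}


def sample_stores() -> Dict[str, Dict[str, dict]]:
    """Fresh copy of the sample records, so delete/opt-out runs do not affect each other."""
    return copy.deepcopy(_SAMPLE_STORES)


def privacy_notice(inventory: List[ProcessingActivity]) -> Dict[str, dict]:
    """Group the inventory by category: the disclosure a privacy notice must state."""
    notice: Dict[str, dict] = {}
    for act in inventory:
        for cat in act.categories:
            entry = notice.setdefault(
                cat, {"systems": set(), "purposes": set(), "third_parties": set(), "sold": False})
            entry["systems"].add(act.system)
            entry["purposes"].add(act.purpose)
            entry["third_parties"].update(act.third_parties)
            entry["sold"] = entry["sold"] or act.sold
    return notice


@dataclass
class ConsumerRequest:
    kind: str         # "know", "delete" or "opt_out"
    consumer_id: str  # identifier the records are keyed by (here an email address)
    verified: bool    # identity verified before anything is disclosed or erased


def fulfil_request(req: ConsumerRequest, inventory: List[ProcessingActivity],
                   stores: Dict[str, Dict[str, dict]]) -> dict:
    """Walk every system in the inventory and apply the request to it."""
    if req.kind not in ("know", "delete", "opt_out"):
        raise ValueError(f"unknown request kind: {req.kind}")
    # Never act on an unverified request: the form would otherwise leak or erase data on demand.
    if not req.verified:
        return {"status": "verification_required", "consumer_id": req.consumer_id}
    result = {"status": "done", "kind": req.kind, "systems": [],
              "records": {}, "notify_third_parties": set()}
    for act in inventory:
        table = stores.get(act.system, {})
        if req.consumer_id not in table:
            continue
        if req.kind == "know":
            result["records"][act.system] = {"data": dict(table[req.consumer_id]),
                                             "purpose": act.purpose,
                                             "third_parties": list(act.third_parties)}
        elif req.kind == "delete":
            del table[req.consumer_id]
            # Recipients of the data must be told so they can delete their copies too.
            result["notify_third_parties"].update(act.third_parties)
        else:  # opt_out only touches systems whose data is sold or shared
            if not act.sold:
                continue
            table[req.consumer_id]["opted_out"] = True
            result["notify_third_parties"].update(act.third_parties)
        result["systems"].append(act.system)
    return result


if __name__ == "__main__":
    stores = sample_stores()
    print(fulfil_request(ConsumerRequest("know", "alice@example.com", True), INVENTORY, stores))
    print(fulfil_request(ConsumerRequest("delete", "alice@example.com", True), INVENTORY, stores))
```

The inventory does double duty: `privacy_notice` derives the category-by-category disclosure for the Privacy Policy page from it, and `fulfil_request` uses the same rows to find every system and vendor a request must reach, so a system that is missing from the inventory is also invisible to deletions and opt-outs, which is exactly the gap an inventory is meant to close.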
CCPA Compliance and Your Business
If your business is required to comply with the CCPA, your best bet to avoid litigation and fines is to be proactive. Make sure you know whether your website is collecting user data, whether intentionally or unintentionally. Be transparent about the information you’re collecting on your site visitors, and about how you’re using that information. Provide users a simple way to request details about data you’ve collected on them, and to request that data be deleted.
As some companies have already discovered, failure to comply with the CCPA can get very expensive very quickly, so make sure your website is up to date with CCPA requirements!