The California Consumer Privacy Act (CCPA)—the most comprehensive personal data privacy legislation anywhere in the United States so far—is officially being enforced. Is your website in compliance? Does it need to be? What does it take to comply with the CCPA, and how do you prove that you’ve met those requirements?
Let’s start by reviewing what the CCPA is all about.
The Gist of the CCPA
The CCPA was created shortly after the first major data privacy legislation, the European Union’s General Data Protection Regulation (GDPR), was adopted. Its goal is to protect the personal information of California residents, ensuring that they have rights over their data and a way to enforce those rights.
For the CCPA’s purposes, “personal information” includes any “information that identifies, relates to, or could reasonably be linked with” an individual or their household. This includes the obvious, such as names, social security numbers, and email addresses. But it also includes a user’s internet browsing history, user names, purchasing history, and more. It also encompasses any “inferences from other personal information” that, in combination with other data, could be used to create a personal profile about what a user likes or dislikes. For years, companies have been able to collect this data and use it to target their marketing and increase their sales. They’ve even been able to sell that personal information for a profit. And individuals haven’t been able to do much about it. The CCPA seeks to change that dynamic.
The CCPA grants California residents four central rights:
- the right to know what personal information a business collects about them, including how it is used and shared;
- the right to have a business delete any personal information it has collected about them (with some exceptions);
- the right to opt out of any sales of their personal information; and
- the right not to be discriminated against should a user exercise any of these rights.
Businesses that violate the CCPA can be penalized by fines of up to $2,500 per “unintentional” violation and up to $7,500 for each intentional violation. Customers also have the right to sue any company that experiences a data breach implicating their personal information.
So, does the CCPA apply to your business? It does if your organization is a for-profit business that does business in California and meets at least one of these three qualifying criteria:
- has a gross annual revenue exceeding $25 million;
- buys, receives, or sells the personal information of at least 50,000 California residents; or
- derives 50 percent or more of its annual review from the sale of California residents’ personal information.
On August 14, 2020, the Office of Administrative Law in California approved final regulations for the California Consumer Privacy Act (CCPA), but even before then the California Attorney General announced that enforcement had begun as of July 1, 2020. The AG’s office immediately sent out letters to companies that it believed were not in compliance. The initial wave of letters “focused on businesses that operated online and were missing either key privacy disclosures or a ‘Do Not Sell’ link” that the AG believed to be necessary.
If your organization is subject to the CCPA, how do you keep from getting one of those letters?
Curious to learn more?
Capture your web content to create a replica website that can be navigated as if it were live to demonstrate compliance.
Five Tips for CCPA Compliance
CCPA compliance is complex; what we’re offering here is neither legal advice nor a comprehensive guide to the CCPA. That said, these five tips will give you a good start on making your website CCPA compliant.
1. Add a “Do Not Sell My Personal Information” link to your homepage.
This is the first and most important step you should take. In his July 1 announcement that the CCPA was being enforced, the California AG emphasized that “The website of every business covered by the law must now post a link on its homepage that says ‘Do Not Sell My Personal Information.’” He further advised that California residents should “Click on it. Remember, it’s your data. You now get to control how it’s used or sold.” Note that this language should not be abbreviated or shortened; your link should include the entire phrase “Do Not Sell My Personal Information.”
2. Provide notice anytime you’re going to collect personal information.
4. Provide data request forms and link to them.
The CCPA gives consumers the right to make specific data requests. Your website needs to offer a way for them to make those requests, including:
- a request to know what categories and specific pieces of personal information your company has collected from them, where that information was collected from, and the purpose behind its collection;
- a request to delete any of their personal information that your company has collected; and
- a request to opt out from having any of their personal information sold.
These request forms should be “clear and conspicuous” enough that website visitors don’t have to search for them.
5. Make sure website visitors know how to contact you online and offline.
The CCPA requires that any business that collects personal information should provide consumers who seek to assert their rights with at least two different methods for submitting a request. Your website should be one of those methods, but be sure to also list a phone number where consumers can contact you.
Archive Your Website for Proof of Compliance
We’ve said it before and we’ll say it again: your compliance with laws, rules, and regulations is only ever as good as your ability to prove that compliance. This is certainly true for CCPA compliance.
Scenarios like these illustrate why you need a plan for archiving your website—and we don’t just mean taking screenshots. With a fully functional website archiving system like Hanzo Dynamic Capture, your archives look just like the original live site. Our archiving solution crawls the entire source website, locating and capturing all of its content to create a replica website that can be navigated as if it were live. A Hanzo website archive lets you click through links, complete fillable request forms, and navigate through your full website, demonstrating that all of the necessary information was there and that all of your links worked.
If your archives don’t meet that standard, or if you’re not archiving your website at all, contact us to schedule a demonstration.