The California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, is one of the most comprehensive and broadest data privacy laws in the U.S.
This landmark legislation affects certain business collecting, storing, and selling information about California residents and sets the stage for countrywide privacy protections.
As a business, the CCPA requires you to be transparent in handling personal consumer data related to California residents. It also offers more control to California residents over whether they want their personal information collected, what data is being collected and how that data is being used.
As such, it's essential that you develop and implement CCPA compliance procedures and programs, especially if you have a decentralized framework for managing personal information.
To Which Entities Does CCPA Compliance Apply?
The CCPA applies to you if you conduct business in California, gather personal data of California residents, and determine, either on your own or jointly, the purpose and handling of this information. Further, the legislation applies if you meet the following criteria:
Your business has annual gross revenue exceeding $25 million.
Your purchase, collect, share or sell the personal data of 50,000 or more consumers or devices annually.
You get 50% or more of your annual revenue from selling consumers' personal information.
What Constitutes "Personal Information"?
According to the CCPA, personal information is any information that identifies, describes, relates to, could be directly or indirectly linked to, or is associated with a particular consumer, device, or household. Based on this definition, Personal information includes but is not limited to the following:
Direct identifiers – Include a consumer's real name, alias, email address, postal address, social security number, passport number, and similar identifiers.
Unique identifiers – Cookies, account names, and IP addresses.
Internet activity information – Search history, browsing history, and information about interaction with your website or app.
Commercial information – Records of products/services purchased, personal property records, and consumer preferences or history.
Biometric information – Fingerprint, voice recording or iris, retina, face, and palm scans.
Sensitive data – Signatures, telephone numbers, bank account numbers, medical information, credit or debit card numbers, health insurance information, employment information, education information, and physical descriptions.
Geolocation data – Location history.
There are exceptions to the CCPA's definition of personal information. These include information that has been lawfully made publicly available from government records, de-identified information, or information that cannot reasonably identify, describe, or be linked to a particular consumer, and aggregate consumer information (from which consumer identifiers have been eliminated).
CCPA Compliance Website Requirements
If CCPA legislation applies to your business and you have an online domain, there are some obligations you must meet to operate a CCPA-compliant website.
Under the CCPA, you must update your website's privacy policy to include descriptions of a consumer's privacy rights.
These rights have the right to request disclosure of information collected and sold, nondiscrimination relating to consumers exercising CCPA rights, and the right to opt-out with a "Do Not Sell My Personal Information" page.
Remember – the CCPA notes that all privacy policies and disclosures must be written in clear, understandable language. This is important because some big companies have been fined over the last few years for violating this rule.
Meta, Apple, Amazon, TikTok, and WhatsApp have all faced additional scrutiny for strongarming end users into making agreements they didn't understand.
Lawmakers are pushing back. It is no longer acceptable to bury policies under burdensome paragraphs, legalese, and otherwise complicated language.
Furthermore, by creating policies that end users can easily understand, you are helping to build a foundation of mutual trust and respect with your customers. That goes a long way, significantly, as the awareness and importance of data privacy are heightened.
To ensure website compliance with CCPA, you must also afford your customers the right to access the Personal information that you collect. You must inform your users at or before the data collection point of this information that includes:
The information you collect about a consumer (both by specific details and category).
The source of the personal information (directly or from third parties).
How you collect the information, where it's stored, and when it's deleted.
How you use the information and the authorities determining a change of use.
The personal information you sell to third parties, the identity of the third parties, and the rights granted to the parties.
Whether your business can reasonably determine the consumer's age and whether the consumer has an account with your business.
Verifiable Consumer Requests
Your website must have designated means of submitting requests, such as a website address or toll-free telephone number. Your business provides this information after receiving a Verifiable Consumer Request (VCR).
A VCR is a request where you can verify that the consumer submitting the request is someone you have collected personal information about.
Your business must respond to VCRs within 45 days, either electronically or by mail. This period can be extended upon notifying the consumer. Your business's information should be readily usable, allowing the consumer to process the data without hindrance efficiently.
Cookie Consent Management and CCPA Website Compliance
Cookies are one of the leading website tracking technologies used to collect user information and monitor online behavior. As such, the data collected by first and third-party cookies constitutes Personal Information according to the CCPA, for which your business is liable.
A Consent Management Platform (CMP) can help you keep track of cookies and ensure website compliance with CCPA.
Adzapier offers a robust CMP to help you implement your policies and stay compliant. We help your business provide clarity in your tracking processes, through cookies, of consumer data.
Our solution helps you create CCPA-compliant cookie consent banners that don't affect your customers' digital experience on your website. You can also create a data map, which tracks the information collected using cookies, how your business uses this data and which third parties you share it with. You can access, visualize, filter, and track all these vital metrics from one dashboard.
Further, you can quickly implement the aforementioned "Do Not Sell My Personal Information" link and automated cookie blocking to facilitate CCPA website compliance.
Our CMP solution not only saves money and time for compliance, but the advanced optimization tools can also offer your insight into strategies that increase your cookie consent opt-in rates. You don't have to use third-party cookies to have a solid marketing strategy. That's right – even in the new era of data privacy.
The Importance of DSAR Management for CCPA Compliance
Data Subject Access Request (DSAR) forms a crucial part of the consumer's right to access data. DSAR is a request that a consumer initiates that exercises their right to obtain disclosure of a copy of Personal Information your business processes.
It is one of the most common requests you will receive in your private mailbox and is pivotal to a CCPA-compliant website.
One of the best ways to help your business ensure CCPA compliance is to invest in a robust Data Subject Access Request (DSAR) solution. The good news is that Adzapier is here to help.
Our DSAR Management platform is an automated solution that helps your business avoid CCPA violations by enabling you to find, retrieve and manage personal consumer data efficiently. Our simple solution also gives your customers control and access to the privacy rights stipulated by the CCPA.
Using our comprehensive dashboard, you can collect, save and track consumer preferences and consent while our user-friendly privacy access center enables you to create custom request forms.
Our automated system helps your business handle Verifiable Consumer Requests in minutes, keeping in line with the CCPA response time requirements. An automated DSAR management system is especially invaluable if you receive a high volume of requests that can catch your business off guard.
With Adzapier's automated DSAR management tools, you can deliver quickly when your customers request to access, monitor, or delete their personal information or opt out of data collection. Our end-to-end solution also helps with an audit by ensuring you keep and organize records of your data collection activities.
In today's security landscape, where high-profile breaches compromise personal consumer data, privacy laws such as California's CCPA are a step in the right direction. Ensuring you check the CCPA compliance checklist to avoid breaching any rules should be a pressing concern for your business.
Implementing effective Cookie Consent Management and a DSAR management system is one of the ways to ensure your website meets CCPA compliance requirements. Fortunately, Adzapier can be your business's trusted and reliable partner, supplying access to practical solutions that ensure you stay ahead of CCPA and other privacy law compliance.
It's easy to get started! Schedule a free demo with our privacy experts to learn more about cookie consent, consent preference management, DSAR management, and the total package: a streamlined CMP that will have you globally compliant in minutes. The best part? We offer a 14-day free trial, so you can see how well this works – on us!