California Consumer Privacy Act (CCPA) Compliance Guide
A compliance guide for The California Consumer Privacy Act (CCPA)

If your business is subject to the California Consumer Privacy Act (CCPA), here are eight things your website needs in order to be compliant.
If you’re subject to the CCPA, you’ll need to display a privacy policy that explains your business’s privacy practices in detail and informs users of their privacy rights and how to exercise them. Your privacy policy must be linked from your homepage, ideally in the footer of your website. For mobile apps, it can be on your download page or in your app’s settings menu.
If your business is subject to the CCPA, you’ll need to provide your users with a ‘notice at collection’ before or at the point of collecting personal information. HTTP cookies store unique personal identifiers, which fall under the CCPA’s definition of personal information, so if your website uses cookies for marketing or analytics you’ll need to provide the notice the moment a user lands on your website. We recommend using a cookie consent banner to do this.
Your notice at collection will need to include a link to your company’s privacy policy, a list of the categories of personal information your business collects at that point, and the purpose each category is used for, e.g. for performance cookies (such as those set by Google Analytics) the purpose would be “to help us understand how our website is being used”.
In cases where you need to collect a category of personal information that isn’t disclosed in your original notice at collection, e.g. in a contact form, you’ll need to provide an additional notice at the time customers are submitting the form.
If your business sells consumers’ personal information, then your notice at collection will also need to include a link to your Do Not Sell or Share mechanism (discussed below).
If your business is subject to the CCPA and sells or shares personal information, you’ll need a mechanism that allows your users to opt out of the sale or sharing of their personal information. This can be done with a form or a toggle (see Microsoft’s do not sell or share my personal information page). The mechanism must not require users to create an account to submit an opt-out request, and it must be linked from your website’s homepage, ideally in the header or footer.
If you use or disclose sensitive personal information for purposes other than providing the services or goods your customers expect of you, you’ll need a mechanism that allows your customers to limit your use of their sensitive personal information, which is one of their rights under the CCPA. This mechanism should be linked from your homepage, ideally in your footer.
If a fitness app collects its users’ location data to help them track the distance they run each week, this aligns with the expected purpose of that sensitive data. However, if the app’s team sells that data to advertising companies to target users with ads for businesses in areas they frequently run, this constitutes using sensitive information for an unexpected purpose.
Instead of providing two separate mechanisms for opting out of sale or sharing and for limiting the use of sensitive data, you can use a single, clearly labelled link on your homepage that lets consumers do both from one page. A good example of a “Manage Privacy Choices” page is Microsoft’s third-party ad settings page.
If you choose this option, your link must be labelled either “Your Privacy Choices” or “Your California Privacy Choices” and must display the CCPA opt-out icon next to that title.
If your business is subject to the CCPA, you’ll need to provide at least two methods for consumers to submit requests to know, delete and correct their personal information. At least one method must be a toll-free telephone number and, if you have a website, one method must be through your website (e.g. a form or a provided email address). If you operate exclusively online and have a direct relationship with consumers (as opposed to B2B), you only need to provide an email address for these requests. We recommend providing your contact details, with instructions on how users can exercise their consumer rights, within your privacy policy.
If you are subject to the CCPA, you’ll need to make sure your website treats user-enabled global privacy controls, such as the GPC signal, as valid opt-out requests.
Global Privacy Control (GPC) is a user-enabled opt-out preference signal (sometimes called a universal opt-out preference signal). A browser or browser extension that supports it sends the Sec-GPC: 1 request header with every request and exposes navigator.globalPrivacyControl to page scripts, telling your site that the user wants to opt out of the sale or sharing of their personal information. It is an opt-out signal only; there is no opt-in value. Users can switch it on in browsers and browser extensions that support it, and your site must honour it without requiring a form submission or an account.
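As an added example (written for this guide, not code from the original page or from any vendor), here is a small Node.js helper that treats the GPC signal as a CCPA opt-out on the server side: it checks the Sec-GPC request header the GPC specification defines, keeps tags that sell or share data from loading, persists the choice in a cookie, and builds the /.well-known/gpc.json resource the specification uses to advertise that a site honours the signal. The tag list, the cookie name ccpa_opt_out and the sample requests are constructed for illustration.

```javascript
// Added example (not the page's or any vendor's code): honouring the Global
// Privacy Control (GPC) signal as a CCPA opt-out on the server side.
// From the GPC spec: request header `Sec-GPC: 1`, browser property
// `navigator.globalPrivacyControl`, and the `/.well-known/gpc.json` resource.
// The tag list, cookie name and sample requests below are constructed.

// Case-insensitive header lookup (Node lowercases header names, other
// frameworks may not).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// True only for a valid GPC signal. The spec defines a single valid value,
// "1"; "0", an empty value, or anything else is not a signal and is ignored.
function hasGpcSignal(headers) {
  const raw = getHeader(headers, 'sec-gpc');
  const values = Array.isArray(raw) ? raw : [raw];
  return values.some((v) => typeof v === 'string' && v.trim() === '1');
}

// Minimal Cookie header parser; malformed percent-encoding is kept verbatim.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    const value = part.slice(i + 1).trim();
    try { out[name] = decodeURIComponent(value); } catch { out[name] = value; }
  }
  return out;
}

// Hypothetical classification of the site's third-party tags. Only tags
// flagged saleOrShare are subject to the "Do Not Sell or Share" opt-out.
const TAGS = [
  { id: 'analytics-firstparty', saleOrShare: false },
  { id: 'ad-retargeting', saleOrShare: true },
  { id: 'social-pixel', saleOrShare: true },
];

const OPT_OUT_COOKIE = 'ccpa_opt_out'; // hypothetical cookie name

// Decide, per request, whether the visitor has opted out and which tags may
// load. The GPC signal is honoured exactly like a submitted opt-out request:
// no account, no form. When the opt-out comes from GPC it is also persisted,
// so later requests that lack the header (a subresource fetched by a
// non-GPC-aware client, or a session where the setting was toggled off)
// still see the choice until the consumer changes it on the choices page.
function decidePrivacyChoices(req) {
  const gpc = hasGpcSignal(req.headers);
  const cookies = parseCookies(getHeader(req.headers, 'cookie') ?? '');
  const storedOptOut = cookies[OPT_OUT_COOKIE] === '1';
  const optedOut = gpc || storedOptOut;
  return {
    optedOut,
    source: gpc ? 'gpc' : storedOptOut ? 'cookie' : null,
    allowedTags: TAGS.filter((t) => !(optedOut && t.saleOrShare)).map((t) => t.id),
    setCookie: gpc && !storedOptOut
      ? `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; Secure; SameSite=Lax`
      : null,
  };
}

// Body served at /.well-known/gpc.json so GPC-aware clients can see that the
// site honours the signal; lastUpdate is an ISO 8601 date per the spec.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests (header objects as a Node server would see them).
const sampleRequests = {
  gpc: { headers: { 'sec-gpc': '1', cookie: 'session=abc' } },
  bogus: { headers: { 'sec-gpc': '0' } },
  stored: { headers: { cookie: `session=abc; ${OPT_OUT_COOKIE}=1` } },
  none: { headers: { 'user-agent': 'example' } },
};

for (const [name, req] of Object.entries(sampleRequests)) {
  console.log(name, JSON.stringify(decidePrivacyChoices(req)));
}
```

Two practical points. First, if the visitor is logged in, the opt-out should be recorded against that consumer’s account as well, not only against the browser cookie, since the signal is a request from the consumer rather than from a device. Second, client-side tag loaders should make the same decision from navigator.globalPrivacyControl, so a page that is served from a cache without the server ever seeing the header still suppresses the sale-or-share tags.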
All of your privacy notices and consent mechanisms are required to be reasonably accessible to consumers with disabilities, following generally recognised industry standards such as WCAG 2.1 for online content. Remember that PDFs are not always accessible, and that your consent banner will need to be readable by screen readers.