
The data privacy landscape in the United States underwent a transformative shift with the passage of the California Consumer Privacy Act (CCPA) on June 28, 2018. California was the trailblazer in comprehensive data privacy legislation, setting the stage for a more robust data protection framework. The CCPA went into effect on January 1, 2020, marking a significant milestone in the journey toward securing consumer data rights.


Understanding the CCPA

The CCPA, akin to other influential privacy laws, is designed to empower consumers and strengthen their control over personal data. To ensure compliance, it’s vital to comprehend the core components of the CCPA:

1. Consumer Rights Under CCPA

    • The Right to Know: Consumers can request information about the personal data businesses collect, disclose, and sell.
    • The Right to Access: Consumers have the right to access their personal information held by businesses.
    • The Right to Deletion: Consumers can request the deletion of their personal data.
    • The Right to Opt-Out: Consumers can opt out of the sale of their personal information.
    • The Right to Non-Discrimination: Businesses must not discriminate against consumers who exercise their privacy rights.

2. Defining Personal Information

    • In the context of the CCPA, personal information includes a broad range of data, encompassing identifiers, characteristics, commercial information, internet activity, and more.

Is the CCPA Applicable to Your Business?

To ensure compliance with the CCPA, it is essential to determine whether the law applies to your business:

1. Geographic Scope

    • Do Business in California: The CCPA applies to businesses that conduct activities in California or serve California residents, regardless of where the business is based.

2. Data Processing Activities

    • Processing Personal Information: The CCPA applies to businesses that collect, process, or sell the personal information of California consumers.

Exemptions from the CCPA

While the CCPA is extensive, certain entities are exempt from its provisions, including:

  1. Small Businesses: Businesses with annual gross revenues under $25 million may be partially exempt.
  2. Certain Data Brokers: Certain data brokers may be exempt under specific conditions.
  3. Regulated Entities: Businesses subject to specific federal and state data privacy laws may enjoy some exemptions.

Ensuring Compliance

To ensure compliance with the CCPA, follow these crucial steps:

  1. Determine Applicability: Assess whether your business falls under the jurisdiction of the CCPA by evaluating its geographic reach and data processing activities.
  2. Privacy Policy: Create a comprehensive and easily accessible privacy policy that includes all mandatory elements. Your policy should inform consumers about data collection, processing, and the purposes for which their information is used.
  3. Data Rights: Develop a system that allows consumers to exercise their data rights, including access, deletion, and opting out of data sales. Train your staff to respond promptly to these requests.
  4. Data Mapping and Inventory: Conduct a comprehensive audit of the data you collect and process to identify personal information and ensure that it aligns with CCPA requirements.
  5. Security Measures: Implement appropriate security measures to protect personal information. Regularly assess and enhance your data security protocols to minimize the risk of data breaches.

Looking Ahead

The California Consumer Privacy Act has been in effect since January 1, 2020. To maintain compliance and ensure your business remains aligned with CCPA regulations, consider the following:

  1. Data Mapping and Inventory: Regularly update your data mapping and inventory processes to account for any changes in data collection and processing.
  2. Data Breach Response Plan: Maintain a robust data breach response plan to address potential breaches promptly and in compliance with CCPA notification requirements.
  3. Privacy Policies: Regularly review and update your privacy policies to reflect any changes in data handling practices or CCPA regulations.
  4. Ongoing Staff Training: Continue to train your employees to ensure they are knowledgeable about the CCPA and understand the steps required for compliance.

How Can GetTerms Assist You

If your business falls under the jurisdiction of the California Consumer Privacy Act (CCPA), it’s crucial to maintain compliance and ongoing adherence to this landmark legislation. GetTerms offers a wide range of services to help you efficiently address compliance requirements, including the creation and updating of privacy policies, staff training, and data breach response planning. Take advantage of GetTerms’ services today to ensure ongoing compliance with the CCPA and other pertinent privacy regulations. We are here to support your journey towards compliance and data protection excellence.

CA/VA/CO Privacy Laws – Chart Comparison & Info. Summary

Laws compared, by subject: California (CPRA), Virginia (VCDPA), Colorado (CPA)

APPLICABILITY

    • California (CPRA): For-profits that do business in CA, meeting one of three thresholds:
        1. Revenues over $25,000,000;
        2. Collect personal information of over 100,000 consumers or households; or
        3. Generate at least half of revenues from sales of personal information.
    • Virginia (VCDPA): Persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that:
        1. Control or process personal data of at least 100,000 consumers per year; or
        2. Control or process personal data of at least 25,000 consumers and derive more than half of gross revenues from the sale of personal data.
    • Colorado (CPA): Controller that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado and:
        1. Controls or processes the personal data of 100,000 consumers or more during a calendar year; or
        2. Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

PERSONAL DATA

    • California (CPRA): Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, not including publicly available information or deidentified or aggregate consumer information.
    • Virginia (VCDPA): Personal data means any information that is linked or reasonably linked to an identified or identifiable natural person, not including de-identified data or publicly available information.
    • Colorado (CPA): Personal data means information that is linked or reasonably linkable to an identified or identifiable individual, not including publicly available information.

SENSITIVE INFO.

    • California (CPRA): Sensitive personal information means (in summary) personal information that reveals certain information about a consumer. The specific categories of sensitive personal information are listed in the statute and include data types similar to those listed in Virginia and Colorado, and information such as Social Security number, driver’s license, state identification card or passport numbers, account log-in, financial account, debit card or credit card numbers in combination with any required security or access code, password or credentials allowing access to an account, and precise geolocation.
    • Virginia (VCDPA): Sensitive data means a category of personal data that includes data revealing racial or ethnic origin, religious beliefs, physical or mental health diagnosis, sexual orientation, or citizen or immigrant status, as well as processing of genetic or biometric data for identification, precise geolocation data, and personal data collected from a known child.
    • Colorado (CPA): Sensitive data means personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, a person’s sex life or sexual orientation, citizenship, or citizenship status, as well as genetic or biometric data that may be processed for the purpose of uniquely identifying an individual. The definition also includes personal data from a known child.

KEY EXEMPTIONS

    • California (CPRA): [Note: The Personnel and B2B exemptions in CA are scheduled to sunset January 1, 2023, although many expect they will be extended.]
        1. Information (not institutions) subject to GLBA or California financial privacy laws
        2. Institutions and information subject to HIPAA
        3. Data regulated by FCRA, DPPA, FERPA, and others
        4. Non-profit organizations
    • Virginia (VCDPA):
        1. Institutions subject to GLBA and its implementing regulations
        2. Institutions and information subject to HIPAA
        3. Personnel data
        4. B2B information
        5. Data regulated by FCRA, DPPA, FERPA, and others
        6. Non-profit organizations
    • Colorado (CPA):
        1. Institutions subject to GLBA and its implementing regulations
        2. Institutions and information subject to HIPAA
        3. Personnel data
        4. B2B information
        5. Data regulated by FCRA, DPPA, FERPA, and others
        6. Data maintained by state institutions of higher learning for non-commercial purposes

CONSUMER RIGHTS

    • Right of Access: California: Yes; Virginia: Yes; Colorado: Yes
    • Right of Portability: California: Yes; Virginia: Yes; Colorado: Yes
    • Right to Correct: California: Yes; Virginia: Yes; Colorado: Yes
    • Right to Delete: California: Yes; Virginia: Yes; Colorado: Yes
    • Opt-out Right: California: Yes; Virginia: Yes; Colorado: Yes
    • Opt-in Right for processing Sensitive Data: California: No (Note: May limit use and sharing.); Virginia: Yes; Colorado: Yes
    • Non-Discrimination Right: California: Yes; Virginia: Yes; Colorado: No
    • Private Right of Action: California: Yes; Virginia: No; Colorado: No

BUSINESS/CONTROLLER OBLIGATIONS

    • Notice to Consumers: California: Yes (Notice at Collection specifically required); Virginia: Yes; Colorado: Yes
    • Privacy Policy: California: Yes (California Privacy Policy specifically required); Virginia: No (although required disclosures may be incorporated in the privacy policy); Colorado: No (although required disclosures may be incorporated in the privacy policy)
    • Contractual Reqs. for Third Party Service Providers/Processors: California: Yes; Virginia: Yes; Colorado: Yes
    • Data Processing Impact: California: No; Virginia: Yes; Colorado: Yes

ENFORCEMENT

    • Right to Cure: California: None (Note: the existing right to cure sunsets January 1, 2023); Virginia: 30 days; Colorado: 60 days
    • Enforcer: California: Dedicated enforcement agency (CPPA), Attorney General, and Private litigants; Virginia: Attorney General; Colorado: Attorney General and District Attorneys

 
