The California Consumer Privacy Act (CCPA) is a set of data privacy regulations that came into effect in 2020. It applies to any organisation doing “business” in California that meets certain criteria.
At its core, the CCPA was created to give Californian citizens more control and protection over their personal information. It includes tighter regulations around the collection and sale of personal information, particularly for the Internet age.
What is “personal information” under the CCPA?
Under the CCPA, personal information is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Beyond people’s names, addresses, emails, and social security numbers, information such as geolocation data or IP addresses is also considered personal information (you can view a more exhaustive list of the different types of personal information here).
To achieve CCPA compliance, you should start by reviewing your current privacy practices to see if all types of personal information that you collect about customers are being accounted for.
What needs to be disclosed in a CCPA policy?
- Cookies and pixels.
Cookies and pixels are online tracking tools that collect information about visitors to your site that is often used for retargeting and other online advertising purposes.
You might already have these covered off with a cookie banner on your website, but you’ll need to ensure that your website has a link or other mechanism that allows visitors to opt out of tracking. You will also need to disclose exactly what and how many types of cookies are being used on your website, and why, so that users can make an informed choice on whether or not to opt out.
- Do Not Track.
“Do Not Track” refers to a browser setting that users can enable to signal that they don’t want their information tracked while visiting a website.
Under the CCPA, users have the ‘Right to Opt-Out’ of the sale of their personal information to third parties. Here, “sale” also covers sharing information that benefits your business in any way. For instance, you could be tracking users through a Facebook pixel on your site and disclosing that information to Facebook to fuel your next advertising campaign.
While you aren’t legally obligated to acknowledge a user’s Do Not Track request, you must disclose whether or not your business will recognise these requests.
- The Right to Know and Delete.
The Right to Know refers to users’ right to request that a business disclose any personal information that is collected about them, and the Right to Delete enables users to request the deletion of this information. Your policy will need to include explanations of what these rights mean for users and how they can exercise them. You’ll also need to inform users upfront about your data collection and deletion practices.
For example, the CCPA states that organisations must respond to a deletion request within 45 days, which should be reflected in your policy.
- Shine the Light.
Originally passed in 2003, “Shine the Light” is another Californian privacy law that was intended to provide more transparency on businesses’ data-sharing practices.
To demonstrate compliance with the law, you’ll need to disclose whether you share information with any third parties and, upon a customer’s request, list the types of information that have been shared and the third parties they were shared with.
Again, you will have to explain to users how they can submit a request for the above information.