The California Consumer Privacy Act (CCPA)—the most comprehensive personal data privacy legislation anywhere in the United States so far—is officially being enforced. Is your website in compliance? Does it need to be? What does it take to comply with the CCPA, and how do you prove that you’ve met those requirements?
Let’s start by reviewing what the CCPA is all about.
THE GIST OF THE CCPA
The CCPA was created shortly after the first major data privacy legislation, the European Union’s General Data Protection Regulation (GDPR), was adopted. Its goal is to protect the personal information of California residents, ensuring that they have rights over their data and a way to enforce those rights.
For the CCPA’s purposes, “personal information” includes any “information that identifies, relates to, or could reasonably be linked with” an individual or their household. This includes the obvious, such as names, social security numbers, and email addresses. But it also includes a user’s internet browsing history, user names, purchasing history, and more. It also encompasses any “inferences from other personal information” that, in combination with other data, could be used to create a personal profile about what a user likes or dislikes. For years, companies have been able to collect this data and use it to target their marketing and increase their sales. They’ve even been able to sell that personal information for a profit. And individuals haven’t been able to do much about it. The CCPA seeks to change that dynamic.
The CCPA grants California residents four central rights:
- the right to know what personal information a business collects about them, including how it is used and shared;
- the right to have a business delete any personal information it has collected about them (with some exceptions);
- the right to opt out of any sales of their personal information; and
- the right not to be discriminated against should a user exercise any of these rights.
Businesses that violate the CCPA can be penalized by fines of up to $2,500 per “unintentional” violation and up to $7,500 for each intentional violation. Customers also have the right to sue any company that experiences a data breach implicating their personal information.
So, does the CCPA apply to your business? It does if your organization is a for-profit business that does business in California and meets at least one of these three qualifying criteria:
- has a gross annual revenue exceeding $25 million;
- buys, receives, or sells the personal information of at least 50,000 California residents; or
- derives 50 percent or more of its annual revenue from the sale of California residents’ personal information.
On August 14, 2020, the Office of Administrative Law in California approved final regulations for the California Consumer Privacy Act (CCPA), but even before then the California Attorney General announced that enforcement had begun as of July 1, 2020. The AG’s office immediately sent out letters to companies that it believed were not in compliance. The initial wave of letters “focused on businesses that operated online and were missing either key privacy disclosures or a ‘Do Not Sell’ link” that the AG believed to be necessary.
If your organization is subject to the CCPA, how do you keep from getting one of those letters?
FIVE TIPS FOR CCPA COMPLIANCE
CCPA compliance is complex; what we’re offering here is neither legal advice nor a comprehensive guide to the CCPA. That said, these five tips will give you a good start on making your website CCPA compliant.
1. Add a “Do Not Sell My Personal Information” link to your homepage.
This is the first and most important step you should take. In his July 1 announcement that the CCPA was being enforced, the California AG emphasized that “The website of every business covered by the law must now post a link on its homepage that says ‘Do Not Sell My Personal Information.’” He further advised that California residents should “Click on it. Remember, it’s your data. You now get to control how it’s used or sold.” Note that this language should not be abbreviated or shortened; your link should include the entire phrase “Do Not Sell My Personal Information.”
2. Provide notice anytime you’re going to collect personal information.
Anytime you are going to collect any personal information from a visitor, you need to provide notice, in “plain, straightforward language,” that you are going to collect that information. The collection statement must inform the visitor what categories of personal information you are going to collect and why you are going to collect that personal information. This notice should also provide a link to your privacy policy webpage and, if your company sells any personal information, a “Do Not Sell My Personal Information” link.
3. Create a clear, understandable privacy policy and make sure visitors can find it.
You need a plainly written privacy policy that clearly explains what personal information your company collects and why you’re collecting it. This page should include a recitation of what rights California consumers have under the CCPA and how they can exercise those rights. Your privacy policy should be easy to find; there should be a link on your homepage, at the very least.
4. Provide data request forms and link to them.
The CCPA gives consumers the right to make specific data requests. Your website needs to offer a way for them to make those requests, including:
- a request to know what categories and specific pieces of personal information your company has collected from them, where that information was collected from, and the purpose behind its collection;
- a request to delete any of their personal information that your company has collected; and
- a request to opt out from having any of their personal information sold.
These request forms should be “clear and conspicuous” enough that website visitors don’t have to search for them.
5. Make sure website visitors know how to contact you online and offline.
The CCPA requires that any business that collects personal information should provide consumers who seek to assert their rights with at least two different methods for submitting a request. Your website should be one of those methods, but be sure to also list a phone number where consumers can contact you.
ARCHIVE YOUR WEBSITE FOR PROOF OF COMPLIANCE
We’ve said it before and we’ll say it again: your compliance with laws, rules, and regulations is only ever as good as your ability to prove that compliance. This is certainly true for CCPA compliance.
If you want to prove that your website is compliant today, you can point someone to the website and have them look for themselves. But how can you prove that your website met these requirements in the past? You probably add to or amend your website frequently. So what will you do if someone claims that they tried to find your privacy policy on July 30, 2020, and it wasn’t clearly posted? What if someone claims that they clicked on your data request link and it didn’t work?
Scenarios like these illustrate why you need a plan for archiving your website—and we don’t just mean taking screenshots. With a fully functional website archiving system, your archives look just like the original live site. An archiving solution crawls the entire source website, locating and capturing all of its content to create a replica website that can be navigated as if it were live. A website archive lets you click through links, complete fillable request forms, and navigate through your full website, demonstrating that all of the necessary information was there and that all of your links worked.