Hands on a keyboard

Navigating the California Consumer Privacy Act (CCPA)

Does your site attract or do business with Californians?  If so, you have no doubt heard of the California Consumer Privacy Act (CCPA). The formal enforcement date for this statute is July 1, 2020. It is coming up fast (and the first class-action lawsuit is already out there). 

What you may be wondering is… do you need to worry about the CCPA? What kinds of businesses does CCPA affect? And what do you need to do if your business must comply with the regulations? 

About the CCPA

The state of California passed the CCPA in 2018. It went into effect in January 2020. The law gives residents more control over who can retain (and profit from) their information. It gives them more options if a data breach impacts their personal data.

The act endeavors to give Californians more transparency. They must be given access to their data on request. They have the “right to be forgotten,” and may request the deletion of their data at any time. These requirements align with the EU General Data Protection Regulation (GDPR).

Affected Businesses

Only a subset of businesses acquiring information about residents are required to be compliant with CCPA, but it affects more companies than you might think.

The CCPA applies to you if you fit any of the following definitions:

  1. You make more than $25 million in revenue per year.
  2. You collect information on 50,000 or more Californians per year.
  3. You make 50% or more of your revenue per year by selling information.

The “collecting information” definition is the trickiest one. This would include any of these:

  • Online advertising impressions. 
  • Email addresses you collect to book appointments or start conversations.
  • Data needed to complete online transactions.

What it means to “sell” information

According to the language in the CCPA, selling data looks like this:

“Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

It is important to note the last part of this statement. It means that “selling” data can be more than a financial transaction. For example, if you engage in data sharing (exchanging your data for other company’s data), that’s “valuable consideration.”

What qualifies as personal data

I will paraphrase the source here. I’ve cut this down to focus on typical website data. The language in the CCPA states any of the following qualify as personal identifiers:

  •  A real name, alias, or postal address.
  • An Internet Protocol (IP) address or email address.
  • Any account name, social security number, driver’s license number, passport number, or similar.
  • Commercial information, including products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.
  • Professional or employment-related information.
  • Education information.
  • Inferences drawn from any of the information identified here that create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Updating your site to comply with CCPA

At this point, you should have a good idea of whether you need to comply with the CCPA. If you do, take these steps next.

  1. Add a link that reads “Do Not Sell My Personal Information” — no exceptions. This is the language you need to use. Place the link in the footer of your site, by your privacy policy.
  2. This link points to a “Do Not Sell” page. It should talk about your data collection policies, and how or if you sell data to third parties. Even if you don’t sell information, having a page saying so is a good idea.
  3. Add a form, making it easy for users to request you do not sell their information. The user can’t be forced to have an account or otherwise “log in” to use this form.
  4. Be prepared to exclude that person in any sales information for 12 months.
  5. Add language to your privacy policy that links to the “Do Not Sell” page. 
  6. Use a cookie management tool like CookiePro. This gives users a list of granular categories for data you track. Parallel those categories in your “Do Not Sell” page. 
  7. Consider additional data you may be selling. Data your partners may be collecting, for example, when serving ads on-site. 

Interested in a deeper look into user privacy, data, and tracking? Check out my presentation on Responsible Tracking from WordCamp US 2019.