California Consumer Privacy Act (CCPA)
What is the CCPA? And how do we help?
What is CCPA?
The CCPA or California Consumer Privacy Act gives California consumers new privacy rights such as the right to know what data businesses collect about them, to obtain a copy of that data, to request that it be deleted and to request that it not be sold. Here’s the official statute and the statute in a Google document where you can ask and answer questions.
How CCPA Toll Free Helps
The CCPA generally requires businesses subject to the law to (1) establish a toll-free number (a privacy hotline) and (2) provide a Do Not Sell My Personal Information link / interactive web form, in each case to enable consumers to register their privacy preferences. We simplify compliance with this aspect of the law.
Follow Privacy Best Practices — In No Time!
Did you know more than ten states have bills pending that endorse or require toll-free hotlines and elements of the CCPA? There is no reason to limit your privacy hotline and privacy request manager web form to California consumers. Offer it to everyone before it’s required and differentiate your business as a privacy leader. You can set up your hotline and interactive web form in minutes.
Learn how businesses comply with the California Consumer Privacy Act (“CCPA”), including how to use CCPA compliance software and services to streamline your privacy operations. Here is a series of eight articles indexed below, updated as of December 2020 and based on the final CCPA law, as amended, and the latest final regulations promulgated by the California Attorney General.
- Personal Information—CCPA Right to Know, Delete and Do Not Sell Requests
- What is a “sale” or “sell” under CCPA?
- What Contact Methods Must I Provide to Consumers Under CCPA?
- How to verify CCPA requests?
- How to respond to CCPA requests?
- How to document CCPA compliance?
- What are the differences between COPPA and CCPA?
- What is discrimination under CCPA?
Personal Information—CCPA Right to Know, Delete and Do Not Sell Requests
To Which Consumers Does the CCPA Apply?
Any resident of California is in scope for CCPA’s privacy protections. While businesses can choose to deny these rights to people living in other places, once they implement a privacy compliance program, many businesses choose to offer the same privacy rights to all consumers globally.
This is a choice that is not only consumer friendly and “privacy forward,” but it also acknowledges the global trend of increasing privacy legislation. For a list of domestic privacy bills, see our legislation tracker.
What Counts as Personal Information Under CCPA?
Any information that can be linked to a given person or household meets the definition of “personal information” under CCPA. This includes contact information such as a consumer’s name, mailing address and email address, even if this information is revealed in public records such as those collected by records aggregators like spokeo.com, truthfinder.com and beenverified.com (hint: to remove personal data from these sites, try Brand Yourself).
Besides these basics, personal information includes data such as a consumer’s online surfing and shopping history (if linkable to an identifiable person rather than being stored anonymously), and it also includes geolocation history, images of consumers, email contents, and other identifying information such as a driver’s license or bank account number. Particularly vexing for businesses because it shows up frequently in log files, an IP address is also personal information under CCPA.
Lastly, any interest categories such as “pet lover” or “travel enthusiast” that a consumer might be placed in based on e.g., online activity, are also associated with the consumer or household and are therefore personal information.
Most importantly, you must explain the following four basic rights that CCPA provides for consumers as well as how to access them:
1. The right to know about the personal information your business collects, discloses and sells
2. The right of consumers to ask your business to delete their personal information
If a consumer makes a delete request, you should delete all the personal information that you would have furnished to the consumer if she or he made a right to know request. Note there are important exemptions that apply, enabling businesses to keep a considerable amount of information after receiving a delete request. For more information, see “Responding to delete requests.”
3. The right to opt out of sales of personal information
Explain a consumer’s right to request that you do not sell their personal information, if you do so. If a consumer opts out, stop transferring data in any manner that would be considered a sale, and do not ask a consumer to opt back in for at least 12 months. The Ann Taylor website uses a banner that pops up when a user hovers over the legal text in its homepage footer. The banner does a good job of explaining a consumer’s Do Not Sell right in the context of a business that does not “sell” information in the traditional sense:
We do not exchange your personal information in exchange for monetary consideration. We may allow certain third parties (such as online advertising services) to collect your personal information via automated technologies on our Sites in exchange for non-monetary consideration.
4. The right to non-discriminatory treatment
Explain to consumers that if they exercise their privacy rights, your business will not treat them any differently, e.g., charging higher prices or denying them access to certain features. The CCPA does provide some exceptions to the non-discrimination rule that allow loyalty programs. For more information, see “Privacy Rights Discrimination and Loyalty Programs.”
What is a sale under CCPA?
The CCPA defines “sell” or “sale” broadly to include many information transfers that would not ordinarily be considered a sale. There is no requirement for money to change hands in order to make a sale. Essentially, any information you share with a third party, where that third party does not promise to use the information only as needed to serve your business, is considered a sale.
Am I Selling Personal Information if I use Facebook Ads?
If you share consumer information with Facebook e.g., by adding the Facebook pixel to your site, Facebook will both help you to target relevant ads to your consumers, and they will also use the data they collect about your consumers to enhance their own databases and to help other businesses engage in better ad targeting. Facebook admits this is a sale by you to them, and they offer a setting called Limited Data Usage that you can enable either for all consumers or just those who have clicked your Do Not Sell button.
Does CCPA Require a Cookie Banner and What Should my Cookie Banner Message Say?
Here, the Accept button dismisses the banner and the Customize button leads to information about how to make privacy choices such as rejecting cookies and making other CCPA information requests. If you’re a WordPress publisher, Complianz.io provides a simple but powerful CCPA plugin to help you implement a cookie banner for CCPA. For businesses using other platforms, including Shopify and Squarespace, we recommend the privacy banner tools offered by TrustArc and Secure Privacy.
Businesses that “sell” personal information according to the CCPA’s definition also need a link called, “Do Not Sell My Information” in their homepage footer that enables consumers to opt out of personal information sales. CCPA Toll Free provides a solution for collecting and managing CCPA rights requests, including “Do Not Sell” functionality.
Note you should provide privacy notices in all languages in which you usually do business with or advertise to consumers.
Do I Need a DPA or Service Provider Agreement for My Vendors for CCPA?
Unlike GDPR, the CCPA does not require a data processing agreement with vendors. However, to be certain that working with a particular vendor will not be deemed an information “sale” to that vendor, check the vendor’s MSA, TOS or other contract to see if it says the vendor is acting as your “service provider” for CCPA purposes. Service provider is a special CCPA status for vendors that agree to limit their data usage to serving your interests only, ensuring that the transfer is not a sale. If the vendor does not have service provider terms in their contract, ask them to sign a standalone agreement such as this model CCPA Short-Form Addendum.
Remember, if you work with a vendor that does not promise to be your service provider, then you may be selling personal information to the vendor, triggering the requirement for you to include a Do Not Sell My Personal Information link in your homepage footer.
What Contact Methods Must I Provide to Consumers Under CCPA?
Your business needs to offer at least two, and possibly three, contact methods to consumers enabling them to make privacy rights requests:
1. Provide an interactive web form or an email address
2. Provide a toll-free or 800 phone number
The CCPA provides that businesses must provide a toll-free number to accept right to know and deletion requests. However, there is an exception if your business never interacts with consumers offline and only collects information about consumers directly from them. While offline interaction is easier to control, a purely direct relationship is not, because of all of the information collection that happens routinely as part of online advertising (e.g., retargeting and other forms of interest based advertising are predicated on information collected on third party sites rather than from your owned and operated properties). This means businesses exploiting modern marketing techniques need the toll-free number. For more information about this requirement, see Do I Need a Toll Free Number for CCPA.
For convenience, you can combine your toll-free number and webform into a single privacy manager panel, as this distribution company does, with Option 1 as the webform and Option 2 as the toll-free number.
3. Provide your primary method of interaction if different.
If neither of the two contact methods above includes the primary method by which you interact with consumers, provide your primary method as a third contact option. E.g., if you have an offline storefront, provide a method for consumers to make requests in your store. Note the mandate to provide your “primary method” only applies to receiving opt-out requests and to answering additional consumer inquiries.
For all of the contact methods you provide, if you offer a choice to delete or opt out of selling less than all information, you must present an option to delete or opt out of selling all information with more prominence than any partial options.
A Guide to Verifying Consumer Requests for CCPA
A business must verify all CCPA right-to-know and deletion requests before fulfilling them, using a reasonable and documented verification method. A business is not, however, required to verify opt out of sale requests. What follows is a summary of the principles needed to design processes to verify CCPA requests.
General principles for verifying requests
The diligence and methods you use to verify requests should be proportional to the sensitivity of the personal information your business holds about the consumer. For sensitive information such as financial or precise geolocation information, a more robust process is needed than for less sensitive information like shopping history.
You cannot require a consumer to create an account with your service in order to make a request, but if they already have one, you can require them to use it. You also cannot require the consumer to pay any out-of-pocket fees, or if there are fees (e.g., for a notary) you must reimburse them.
Do not collect new information from consumers to verify a request where feasible, and in particular, avoid asking for identity documents like a driver’s license or passport. If you must collect new information to verify a request, do not use it for any other purpose—either delete it after use or maintain it strictly as part of your CCPA compliance documentation.
You may use a two-step verification process if desired, e.g., emailing a consumer with a link to click in order for them to confirm their request.
How to verify right-to-know requests
Right-to-know requests can take one of two forms under the CCPA: a request for the categories of information you maintain about a consumer or a request for a copy of the information you maintain about them. In the case of a request for the former, verify two or more data points about the consumer, and in the case of the latter, verify three or more data points about them. For example, you can verify the person making the request knows the consumer’s name, state of residence and has access to their email address. These three data points may suffice when the information to be disclosed is not very sensitive. For more sensitive information, it may be prudent to verify a full mailing address rather than state, and also a phone number.
Whenever you intake a right-to-know request, per the CCPA, you should obtain a declaration signed under penalty of perjury from the consumer that she or he is requesting information about themselves. Save those declarations as part of your compliance records.
How to verify delete requests
The rules for verifying delete requests track those for verifying right-to-know requests explained above—you should verify two data points, or three data points in the case of more sensitive personal information.
How to verify opt-out requests
CCPA does not require businesses to verify opt out requests. You are allowed to do so if desired, but any verification process must be simple, with minimal steps for consumers to follow, and you cannot include steps designed to discourage or prevent the consumer from opting out. If you do implement verification procedures and you reasonably believe a request is fraudulent, you are permitted to deny the request provided you explain your reasoning to the consumer.
What to do if you cannot verify a request
Workflows for Responding to CCPA Requests
Your first CCPA deadline is to acknowledge right-to-know and delete requests within 10 calendar days. In your acknowledgment, let the consumer know about your identity verification procedures and by when they can expect you to fulfill their request. Your second CCPA deadline is to verify and fulfill right-to-know and delete requests within 45 calendar days; however, if you need additional time, you can notify the consumer that you are taking an extension of an additional 45 days (90 days total). When you notify the consumer about the extension—which can be part of your initial acknowledgement or in a later notice—you should explain why you need additional time.
The deadline to fulfill a “Do Not Sell My Personal Information” request is 15 business (not calendar) days, and you do not need to provide the acknowledgement within 10 calendar days.
General principles for responding to requests
You should always comply with CCPA requests to the extent possible. If for some reason you cannot comply, explain why to the consumer and provide them with information about your appeal procedures if you provide a right to appeal (providing a right to appeal is not required).
Do not charge consumers for responding to CCPA requests. In fact, as noted above under principles for verifying requests, if the consumer will incur any fees as part of your verification procedures, you should reimburse them.
However, there is one area where you can impose fees for responding to CCPA requests: if requests from a given consumer are “manifestly unfounded or excessive,” including due to repeat requests, you can either (1) charge a reasonable fee to offset your administrative cost of responding or (2) deny the request and inform the consumer as to the reason for your denial. Note that it is up to you to demonstrate that a request is unfounded or excessive.
How to respond to right-to-know requests
As noted above, right-to-know requests can either ask for the categories of information you maintain about a consumer, or for a copy of the information you maintain about them. Either way, fulfill it based on the information you have collected during the 12 months prior to the date you received the request.
Requests for categories of information
For requests for categories of information, provide the following based on what you collected for the individual consumer (or answer generically if you collect the same information from all consumers):
- the categories of information you collected (e.g., contact information, email analytics)
- the categories of sources you collected it from (e.g., from the consumer directly, email service providers)
- the business purposes for which you collected each category (e.g., providing services to the consumer, marketing)
- the categories of third parties to which you disclosed or sold each category (e.g., operational service providers, ad platforms)
- the business purposes for which you disclosed or sold the information (e.g., providing services to the consumer, marketing)
Requests for copies of information
For requests for copies of the information you collected, include everything that meets the definition of personal information.
However, you should never include sensitive information such as financial account numbers, passwords, biometric data and copies of government identification documents. You may also exclude any information that you cannot readily access if you maintain it exclusively for legal or compliance purposes provided that you notify the consumer about what categories of information you are excluding.
Be sure to use reasonable security measures when sending personal information to consumers. If a consumer has established a password protected account with you, you must use it to provide the information. If not, you must offer the consumer a choice of receiving their information another reasonably secure electronic means (e.g., email attachment containing an encrypted zip file) or delivery via postal mail.
How to respond to delete requests
The CCPA gives businesses a lot of flexibility in responding to deletion requests. You can deny a request to the extent you need the information to provide services to the consumer, to comply with laws, to find or fix errors, to maintain security and for other reasonably anticipated internal uses (e.g., improving your services, maintaining internal controls over financial reporting).
If you deny a request on one of these bases, disclose the applicable bases to the consumer and then make sure to use the information for those purposes only going forward. Since using the information will be restricted going forward, it makes sense to include every permissible purpose for which you are retaining the information in your disclosure to the consumer.
For information that does not fall into one of those exceptions, you must within the 45/90 day deadline:
- Actually delete it, except that for backup copies, you can delay deletion until the next time you access them even if beyond 90 days;
- Render it anonymous or “de-identified” by removing the information capable of being associated with the consumer; or
- Aggregate it with other information so that it cannot be associated with the consumer.
You do not need to inform consumers as to which method you used to delete their information and you should disclose to consumers that you will maintain a record of their deletion request as part of your CCPA compliance records.
How to respond to do not sell requests
When you receive a do not sell request, review your relationships with third parties to which the transfer of information constitutes a “sale” and stop transferring the consumer’s information to those parties. Relationships may have both a non-sale or “service provider” component and a sale component (e.g., loading Facebook elements on your page without “limited data usage” enabled is deemed a sale, and otherwise it is not a sale). For these relationships, you do not need to stop all transfers to the third party as long as you stop the “sales” to them.
Importantly for do not sell requests, you only need to take action on a go-forward basis—you do not need to inform third parties to which you sold the information previously to stop using it. But, as soon as you receive a do not sell request, if you do sell any information to a third party before you process the consumer’s request, then you must inform the third party that they may not further sell that consumer’s information.
How to respond to household requests
The CCPA provides consumers the right to request information about their entire household instead of about themselves alone.
If the household has a password-protected account with your business, you can process the household requests via that account using your normal procedures. If there is no household account, then you should deny right-to-know or delete requests for household information unless (1) each household member is a party to the request and (2) you can verify the identity of each member and their status as a household member. Note if a household member is younger than age 13, make sure to obtain parental consent before disclosing any household information, being mindful that the parent may not be a member of the household. For more information about requests involving children, see this guide.
Soliciting and Responding to opt-in requests
Once you receive a do not sell request, you must wait at least 12 months before you ask a consumer to opt into sales again. However, if the consumer initiates a transaction or other request that requires a sale of information, you may request an opt in at that time as needed to fulfill the request.
When a consumer opts in to the sale of their information, you should use a double opt-in (two-step) process:
- The consumer should clearly manifest their desire to opt-in via any available method (e.g., webform, email); and
- The consumer should then separately confirm their request, e.g., by clicking a link in an email you send to them asking for confirmation.
Working with requests from authorized agents
The CCPA not only allows consumers to submit requests directly, but it also enables them to appoint a third party “authorized agent” to submit requests for them. For example, firms like Say Mine and Brand Yourself submit requests en masse to businesses on behalf of consumers.
When a right to know or delete request comes from an agent, you should be sure to verify the consumer’s identity in accordance with your usual procedures, and you can also require the agent to demonstrate that the consumer has authorized the agent, e.g., by providing you with a signed authorization document.
When a do not sell request comes from an agent, you can only require the agent to provide proof that they are authorized to act on the consumer’s behalf.
Do Not Track browser settings under the CCPA
Do Not Track (DNT) is a browser setting that consumers can use to indicate they do not wish to be tracked online (see here for details). Recall that the flow of information about consumers or their devices among publishers, ad tech companies and brand advertisers that occurs as part of the routine delivery of interest based advertising (IBA) can be considered a sale under CCPA.
According to the CCPA, if a consumer sets an opt-out status in her or his browser or device, you as a business must respect that choice and you should treat the choice as being made directly from the consumer rather than an agent.
How to Document and Audit CCPA Compliance
You must maintain CCPA compliance records for 24 months, including the date of each request, what rights the consumer exercised, the contact method the consumer used to make the request, the date of your response, the nature of your response, and your basis for denying a request if you denied the request in whole or in part. If you receive a request to delete personal information, do not delete your associated compliance records.
Tools to Track Compliance
You can use a spreadsheet to keep track of consumer requests if you wish. To employ best practices, use privacy compliance tracking software from vendors like CCPA Toll Free, TrustArc and Securiti.ai. Readers who watch our video training course at CCPAfreetraining.com and obtain our training certificate will receive a 20% discount on CCPA Toll Free’s solution. Note you can sign up for a CCPA Toll Free trial account with no credit card required using the link at the top of this page.
Additional Security Measures
You must use reasonable security measures to protect your compliance records and you may only use them for compliance purposes.
- the number of requests to know, to opt out and to delete received;
- how many requests you complied with;
- how many requests you denied in whole or part, including how requests were unverifiable, not from a consumer, requested exempt information, or were denied for another reason; and
- the average number of days it took you to complete each type of request.
You can provide this information for all privacy requests or only requests from California consumers, but if you aggregate you must maintain separate internal records about California consumers.
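As an added example (this is not code from the article or from CCPA Toll Free), the following Python models the request log and deadlines described in the Workflows and Documentation sections: the 10-day acknowledgement and 45/90-day fulfilment deadlines in calendar days, the 15-business-day Do Not Sell deadline, the 24-month retention window, and the annual figures listed above. The class and field names and the sample records are this example's own inventions; public holidays are not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from statistics import mean
from typing import Optional

# RequestType, Outcome and RequestRecord are this example's own names; the periods
# (10/45/90 calendar days, 15 business days, 24 months) are the ones the article states.
class RequestType(Enum):
    KNOW, DELETE, OPT_OUT = "know", "delete", "opt_out"

class Outcome(Enum):
    PENDING = "pending"
    COMPLIED = "complied"
    DENIED_UNVERIFIABLE = "denied_unverifiable"
    DENIED_NOT_CONSUMER = "denied_not_consumer"
    DENIED_EXEMPT = "denied_exempt"
    DENIED_OTHER = "denied_other"

@dataclass
class RequestRecord:
    received: date
    rtype: RequestType
    contact_method: str                 # e.g. "webform", "toll-free", "email"
    california: bool = True
    extended: bool = False              # 45-day extension notice was sent
    acknowledged: Optional[date] = None
    responded: Optional[date] = None
    outcome: Outcome = Outcome.PENDING
    denial_basis: Optional[str] = None  # record the basis whenever a request is denied

def add_business_days(start: date, n: int) -> date:
    """Advance n Monday-to-Friday days (holidays are not modelled)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

def deadlines(received: date, rtype: RequestType, extended: bool = False):
    """(acknowledge_by, fulfil_by); opt-out requests need no acknowledgement."""
    if rtype is RequestType.OPT_OUT:
        return None, add_business_days(received, 15)
    return received + timedelta(days=10), received + timedelta(days=90 if extended else 45)

def late_flags(rec: RequestRecord, today: date):
    """(acknowledgement_late, fulfilment_late), judged as of `today` if still open."""
    ack_by, fulfil_by = deadlines(rec.received, rec.rtype, rec.extended)
    ack_late = ack_by is not None and (rec.acknowledged or today) > ack_by
    fulfil_late = (rec.responded or today) > fulfil_by
    return ack_late, fulfil_late

def retention_until(rec: RequestRecord) -> date:
    """Keep the record 24 months; a later delete request does not remove it."""
    try:
        return rec.received.replace(year=rec.received.year + 2)
    except ValueError:  # 29 February landing in a non-leap year
        return rec.received.replace(year=rec.received.year + 2, day=28)

def metrics(records, california_only: bool = False) -> dict:
    """Counts per type, requests complied with, denials by reason, mean days to complete."""
    rows = [r for r in records if r.california or not california_only]
    out = {"received": {}, "complied": 0, "denied": {}, "avg_days": {}}
    for t in RequestType:
        subset = [r for r in rows if r.rtype is t]
        out["received"][t.value] = len(subset)
        days = [(r.responded - r.received).days for r in subset if r.responded]
        out["avg_days"][t.value] = mean(days) if days else None
    for r in rows:
        if r.outcome is Outcome.COMPLIED:
            out["complied"] += 1
        elif r.outcome is not Outcome.PENDING:
            out["denied"][r.outcome.value] = out["denied"].get(r.outcome.value, 0) + 1
    return out

def sample_records():
    """Constructed sample data for the functions above, not real requests."""
    R, T, O, D = RequestRecord, RequestType, Outcome, date  # short aliases
    return [
        R(D(2021, 1, 4), T.KNOW, "webform", acknowledged=D(2021, 1, 8),
          responded=D(2021, 1, 20), outcome=O.COMPLIED),
        R(D(2021, 2, 1), T.KNOW, "toll-free", acknowledged=D(2021, 2, 5), responded=D(2021, 2, 11),
          outcome=O.DENIED_UNVERIFIABLE, denial_basis="could not match three data points"),
        R(D(2021, 3, 1), T.DELETE, "webform", extended=True, acknowledged=D(2021, 3, 9),
          responded=D(2021, 4, 10), outcome=O.COMPLIED),
        R(D(2021, 3, 5), T.OPT_OUT, "do-not-sell link", california=False,
          responded=D(2021, 3, 8), outcome=O.COMPLIED),
        R(D(2021, 5, 3), T.DELETE, "email"),  # still open and unacknowledged
    ]
```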
CCPA vs. COPPA: working with children’s information
COPPA and the CCPA are compatible statutes. Compliance with COPPA does not eliminate the need for compliance with CCPA or vice versa, so obtaining parental consent under the CCPA does not eliminate the need to do so under COPPA where required. Neither statute requires you to know or to ask how old your consumers are, and the rules change under both statutes as soon as you know that you are collecting information from a child.
Under CCPA, as soon as you have actual knowledge or a strong reason to know that a consumer is younger than age 16, you must obtain opt-in consent before selling their information. In other words, the CCPA flips from an opt-out to an opt-in statute for children. How you should obtain the opt-in varies depending on the age of the consumer.
Children under age 13
If the child/consumer is younger than age 13, only a parent or guardian can provide the opt in, and you must verify that the person making the opt in is the child’s parent or guardian using a reasonable and documented method. E.g., you can require a signed and sworn statement to be sent to you electronically or via post. You can also require possession of a payment card or obtain and then delete a copy of a government ID.
Note how these rules differ from those for verifying an adult consumer’s identity. In that context, the CCPA encourages businesses to verify consumers without requesting any new or sensitive information such as a government ID, and in the context of opting in a child, the CCPA explicitly allows this practice.
As part of processing an opt in, inform the parent of their right to opt out again later and how they can exercise that right.
Children over age 13
For children aged 13-15, the child herself or himself can opt in to the sale of their personal information using the same two-step opt-in procedures that you use for adults who are opting into sales after first having opted out (see Soliciting and Responding to opt-in requests). As part of processing an opt in, inform the child of their right to opt out again later and how they can exercise that right.
Privacy Rights Discrimination and Loyalty Programs
Discrimination is defined as treating a consumer who exercises her or his CCPA rights differently from other consumers. Discrimination can take a number of different forms, including charging higher prices, responding more slowly to support requests, or providing lower quality or less featureful goods or services. Even implying that you will or may take a discriminatory action if a consumer exercises their privacy rights is a prohibited form of discrimination. In other words, you should not undertake any activity that tends to discourage consumers from exercising their CCPA privacy rights.
Implementing loyalty or frequent shopper programs
Notwithstanding CCPA’s prohibition against discrimination, the law recognizes as legitimate the well-established custom of providing discounts or other incentives to consumers who join loyalty programs, even if membership in those programs requires consumers to share and not to opt out of the sale of personal information.
CCPA not only permits businesses to maintain loyalty programs, but also freemium business models and even paying consumers a financial incentive for the use of their information, as long as in each case these programs follow certain rules. The key consideration for all of these programs is that any difference in pricing or services, or any payments offered, must be reasonably related to the value of the consumer’s information to your business.
To determine the value of the consumer’s information, consider factors such as:
- The average value of similar information in any available marketplaces;
- How collecting, selling or deleting the information impacts your revenue; and/or
- Your expenses related to collecting the information and providing your program.
If you cannot estimate the value of the consumer’s information in good faith, or you cannot show that your program features are reasonably related to that value, you may not offer the program.
- Explain your price or service differences, or the payments you provide, in exchange for the collection and retention and/or sale of consumer data.
- Explain all of the program terms, including how to opt in and out of the program
- Provide your estimate of the value of the consumer’s data, how you calculated it, and how that value relates to your program features.
Free CCPA Training and CPE Credit
The CCPA requires businesses not only to update their privacy policies but also to train their staff in privacy compliance. If you are a privacy professional in need of formal training, CCPA Toll Free offers a free, CPE eligible 30 minute video course and a training certificate at www.ccpafreetraining.com. This CCPA Compliance series is adapted and condensed from the CCPA Free Training content (see all training slides, including image credits, here).