Frequently Asked Questions
Have a question? See below. For other questions, email email@example.com.
What is the CCPA?
It’s the California Consumer Privacy Act, which is effective as of 1/1/20. Here’s the official statute and here’s the statute in a Google document where you can ask questions and provide feedback. Briefly, the CCPA says a business must:
- Deliver the personal information they collected about the consumer in response to a “verifiable consumer request.”
- Delete the personal information they collected about a consumer and direct their vendors (“service providers”) to delete it as well, in response to a verifiable consumer request.
- Display a “Do Not Sell My Personal Information” link on their homepage that enables consumers to opt out of the sale of the consumer’s personal information.
- Display a toll-free number that consumers can call to register privacy preferences.
And the CCPA says businesses must not:
- Discriminate against a consumer who exercises their CCPA rights (but they can charge different prices or provide goods or services in certain circumstances).
- Sell personal information of consumers known to be less than 16 years of age, unless the consumer, if aged 13 to 16 years, or the consumer’s parent or guardian, for consumers under 13, has affirmatively authorized the sale.
Does CCPA apply to me?
The CCPA applies to for-profit businesses that are “doing business” in California and that do one of the following:
- Have > $25 million in revenue (likely from all jurisdictions, although the CCPA is ambiguous on this point); or
- Buy, receive, sell, or share personal information about 50,000 or more consumers, households, or devices (if your website serves 50,000 or more unique visitors, you’ve likely collected sufficient analytics data); or
- Derive >= 50% of annual revenue from selling CA consumers’ personal information (this is probably most relevant to data brokers and other marketing or ad tech businesses).
“Doing business” in California can include entering into repeated transactions within California, maintaining a physical presence in California such as offices or servers, and having employees in California. It is possible for a business to be “doing business” in California, whether or not it is incorporated, qualified or registered under California law. For more information, the latest version of this resource is helpful in addition to seeking legal advice.
Do I really need a toll-free number?
The CCPA requires businesses to make available to consumers two or more designated methods for submitting requests related to their rights under the CCPA, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet website, a website address. See this blog post for details.
What personal information does the CCPA pertain to?
The CCPA defines “personal information” very broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This is much broader than other U.S. privacy laws and is similar to the EU’s definition in the GDPR. In fact, it goes beyond the GDPR to include information related to “households” rather than specific persons; however, it still excludes aggregated or de-identified data.
Examples include not only names, phone numbers, mailing and email addresses or a Social Security number, but also IP addresses, cookie IDs and other unique identifiers.
How do consumers submit requests under the CCPA?
Businesses must provide consumers with at least two different methods for submitting requests, including a toll-free telephone number as discussed here. Businesses with an online presence also need to publish information about a consumer’s rights under the CCPA on their main homepage or in a separate, readily accessible, California-specific page. Note the draft regulations for CCPA also require an interactive web form.
How do I respond to consumer requests?
A business has 45 days to respond to consumer requests, plus an additional 45 days if the business informs the consumer during the first 45 days that it needs additional time to respond.
Businesses may not charge consumers for responding to requests, and they cannot discriminate against consumers who exercise their rights.
For example, a business may not charge a consumer a different price or provide different or lower-quality goods or services to a consumer who exercised his or her CCPA rights. The CCPA does, however, permit a business to offer different goods or services where the difference is “reasonably related” to the value to the consumer of the consumer’s data.
Businesses can also encourage consumers to provide access to data by offering financial incentive programs (e.g., cash payments) for the collection, sale or deletion of personal information. The incentives must not be unjust, unreasonable, coercive or usurious. Businesses must obtain opt-in consent for incentive programs, must disclose all material program terms in advance, and must offer consumers the ability to opt out of the programs at any time.
Do I really have to stop selling personal information if requested?
California consumers can have the right to opt out of a business selling their personal information. Businesses need to advise consumers if they sell personal information and let them know they can opt out of sales. Businesses must also provide a “clear and conspicuous link” on their homepage called “Do Not Sell My Personal Information” that enables consumers to opt out of personal information sales. A business cannot require consumers to create an account in order for them to opt out of personal information sales. See our Do Not Sell page for details.
Do I really have to delete personal information if requested?
If a consumer sends a business a “verifiable request” to delete personal information, the business must comply and direct its vendors (aka “service providers”) to comply unless an exception applies.
Businesses do not need to delete information if it’s needed to:
- complete a transaction or perform a contract with the consumer
- detect security incidents or protect against fraud or illegal activity
- identify and fix errors in service functionality
- exercise free speech
- comply with a legal obligation
- engage in scientific research
- engage in other internal uses reasonably aligned with consumer expectations
A “verifiable request” is one where the business verifies that the data in question is associated with the requester. The level of due diligence should be proportional to the sensitivity of the information to be disclosed or deleted. Note that businesses cannot require consumers to create an account to fulfill CCPA requests. The California Attorney General will issue more guidance on verifiable requests.
Who can enforce the CCPA and what are the penalties for non-compliance?
For most violations under the CCPA, only the Attorney General of California can bring suit, and damages are generally up to $2,500 per violation, or up to $7,500 per intentional violation.
Consumers may, however, sue directly under the CCPA where unencrypted data is subject to a breach that resulted from a failure to implement reasonable security practices. In this scenario, consumers can recover $100 to $750 each per incident in statutory damages, or their actual, provable damages if more. This “private right of action” carries a high risk of class-action lawsuits in case of a data breach.
What is it like working with CCPA Toll Free?
We make compliance easy with our self-service tools and transparent pricing. For details on how our service works, see the Implementation Guidance and Video Tutorial sections of our Help Center, or just sign up for an account. We do not require a credit card for sign up and accounts are free for 14 days.
Do you provide custom features or services?
Yes! If there’s a feature you want, email us at firstname.lastname@example.org. Forthcoming features include deeper API integrations and outsourced contact center staff to interact with your consumers. We also provide professional voiceover services for your customized greetings. While our website content is vetted by lawyers, we do not provide legal advice and nothing on our website should be taken as such.