Tag: CCPA website compliance

  • Your Rights Under CCPA

    “Privacy” by doegox from Flickr (Creative Commons License)

    The California Consumer Protection Act (CCPA) went into effect today (January 1, 2020)! California residents just got a lot more rights under this law, at least from the businesses that have to comply with it.

    (If your company makes less than $25 million per year and have contact information for less than 50,000 California people, devices and households; there’s a good chance you don’t have to comply with this law.)

    Your CCPA Rights

    Under the CCPA, California residents have the following six rights:

    1. The right to know whether your personal information is being collected – and the purpose it’s being used for.

    2. The right to know what personal information is being collected about you – upon verifiable request.*

    3. The right to request the specific categories of personal information being collected and the sources from which they were collected, the business or commercial purpose for collecting the information, and the categories of third parties with which the business shares information.

    4. The right to opt-out of the sale of your personal information. (Also, a third party cannot sell your personal information unless you are given specific notice and the opportunity to opt out.)

    5. The right to delete your personal information – upon verifiable request.* This includes the deletion of the personal information the business has, and it must direct service providers to do the same. The law states nine reasons why a business may decline such a request, including to provide you with the goods and/or services you requested.

    6. The right to not be discriminated against if you opt-out. A business can’t charge different rates or provide different level of service solely because you won’t allow the sale of your information. However, a business can provide a different price or quality of service if the difference is reasonably related to the value provided to you by your personal info. It’s ok for a business to give financial incentive for you to allow the collection of your personal information.

    * The CCPA states that the California Attorney General may provide guidance about what constitutes a verifiable request.

    What about Rewards/Loyalty Programs?

    The sixth right would have created a problem for rewards and loyalty programs, so the legislature created an exception for these. A business can charge different rates or provide a different level of service if it is part of its rewards/loyalty program without being at risk of price discrimination in violation of CCPA.

    Requesting Your Information

    Under CCPA, you may submit two requests within a 12-month period that a business give you a copy of the personal information it has for you, assuming you’re a Californian. (A business may do this for all its customers, but it’s not required to do so.) The business must provide this information at no charge, by mail or electronically, within 45 days. If more time is needed, the business must inform you within the first 45 days, that it may take up to 90 days to provide you a copy of your information.

    Required Notices Under CCPA

    Businesses must provide notice at or before the point of collecting your personal information under CCPA. If it’s being collected online, this will likely occur in the business’ privacy policy, with notice on the page where the information is requested.

    (The General Data Protection Regulation (GDPR) in the European Union requires a business to prove it received consent to collect your information.  To be compliant with this law too, the business should be a box you have to check that you agree to voluntarily share your information with it.)

    A CCPA-compliant notice must include:

    • What categories of personal info are collected and how it’s used by the business;
    • What categories of personal info are collected, disclosed, or sold; and that
    • You have the right to opt-out of having your personal info sold.

    The business is also required to have a “Do Not Sell My Personal Information” conspicuously on the its homepage and privacy policy with a link to page where you can opt-out. The business cannot ask you to opt-in again for at least 12 months. 

    My CCPA Cheat Sheet

    Complying with CCPA is no easy task, especially if your business must comply with CCPA and GDPR. I created a CCPA Cheat Sheet that I use with my clients and update it as more information and guidelines are provided about this new law. I give my cheat sheet out for free to anyone who asks. I will not add you to my email list. (I will invite you to add yourself, but it’s completely voluntary.) If you want a copy, please send me an email.