14 ways to comply with the California Consumer Privacy Act (CCPA)

13 minute read time.

This article was originally published on the Sage Advice website on September 17, 2019 by Keir Thomas-Bryant

The California Consumer Privacy Act (CCPA) is intended to give California consumers and households control over their personal information that’s used and sold by businesses. It comes into law on January 1, 2020.

You may consult our CCPA quick start guide to get an overview of what the CCPA requires from your business but, in summary, the CCPA means consumers have a right to learn what personal information is being collected about them, and how their personal information is sold or disclosed to third parties.

Under the CCPA, California consumers will have the right to ask that you disclose to them what personal information you hold about them or their household, and they can tell your business not to sell their personal information, and request you and your service providers delete their information entirely.

Below are 14 suggestions for things you can do right now as part of your business’ CCPA preparations. This should not be considered a substitute for legal or professional advice.

Note: The CCPA is subject to several amendments currently in progress in the California legislature that could alter its impact on businesses. We will update this article once there is final resolution of the pending bills.

1. Work out if the CCPA impacts your business

There are clear rules on whether businesses need to comply with the CCPA.

The first is, of course, whether you provide services or goods to California consumers or households. This has far-ranging consequences because even a business in Europe or South America might ship to California.

Chief among the requirements listed within the legislation is that businesses with gross revenues of $25,000,000 or below are exempt if they don’t buy or sell the personal information of consumers, households or devices.

That covers a lot of businesses. It means the CCPA is unlikely to affect many sole proprietor businesses.

However, you’ll need to constantly monitor gross revenue in case it crosses the threshold. If you anticipate that it will in the future then you should ensure your business is prepared for the CCPA. Bear in mind consumers can request data going back 12 months from the date of request (see also heading #2, below).

If your business buys or sells personal information about consumers, households, or devices—doing so either alone or in combination with another business—then the CCPA applies only if your business buys or sells the personal information of 50,000 or more consumers, households, or devices, or your business derives 50% of more of its annual revenues from doing so.

There’s no stipulation that those consumers have to be active users of your business. This could include dormant accounts, for example, or a database of potential leads. You might cross the 50,000-consumer threshold even if your customer base is smaller than this.

Again, if your business creates new policies involving the sale or purchase of personal information then you will need to be aware of the above requirement and prepare in advance.

Note that throughout the rest of this article, we assume your business is impacted by the CCPA.

2. Prepare for the CCPA’s “look back” period

You might already know that, under the CCPA, receiving a disclosure request from a consumer means eligible businesses have to disclose personal information for 12 months prior to the date of the request.

But did you know this includes the period before the CCPA came into effect? This is informally referred to as the “look back” clause and it means that businesses could need to disclose personal information going back as far as January 1, 2019.

It’s important to understand what this actually means because it sounds worse than it is. It doesn’t mean you have to keep any personal information for the look back period if you wouldn’t ordinarily, or recreate this information if you’ve deleted it for legitimate reasons.

But it does mean the following:

  • You should collate all the personal information for the look back period, so it’s in one place and accessible in time for the CCPA’s introduction on January 1, 2020 (and remember that the CCPA isn’t just about digital data—under the scope of the CCPA, personal information could be written notes, or even something like a sales ledger that personally identifies a consumer or household).
  • Any processes put into place to organize and categorize personal information to comply with the CCPA’s requirements should also apply to existing data for the look back period.
  • As per the requirements of the CCPA, you’ll need to disclose the privacy practices of your business for the look back period, or details about personal information that has been sold.

3. Ensure your staff are trained for the CCPA

Any individual within your business who is responsible for handling customer inquiries about privacy practices or compliance with the CCPA has to know about the CCPA’s requirements, according to the legislation. There are already many training courses and certifications available for CCPA preparedness. Just hit Google. Notably, there’s no requirement for CCPA qualifications or any kind of structured training, so you could simply request colleagues learn more on their own.

However, the legislation states that the staff within a business needs to be able to help consumers exercise their rights under the CCPA.

This is significant. The implication is that your business should be proactive. If somebody contacts your business and says they’ve heard of the CCPA but don’t understand how it works, your business has to be able to direct them as to how they can exercise their rights. For example, they should be informed that their personal information can be deleted, or that they can request your business discloses it to them.

Remember that discriminating against consumers who exercise their rights under the CCPA is prohibited, so care needs to be taken at all stages when dealing with any consumer who contacts the business with a CCPA inquiry or request.

4. Find a way to identify California residents

From a consumer request perspective, the CCPA only applies to consumers legally defined as California residents (see “Who can request disclosure of information or request deletion of information under the CCPA?” within our earlier quick start guide).

Therefore, your business will need to be able to identify which of your consumers are legally defined as a California resident. This will be required in order not only to inform them of their CCPA rights, but also to ensure that no one outside California places additional and possibly malicious burdens on your business by making invalid requests.

If your business tracks personal addresses as a component of user accounts then identifying California residents is obviously relatively straightforward, and to facilitate keeping these records you may choose to shift to mandatory user accounts for consumers, rather than offering features such as guest checkout—although don’t forget that you can’t force consumers to create an account for the purposes of making a CCPA request.

As discussed below (see #11 “Create a separate California-only website”), it’s permissible to create a California-specific version of your website. This can help profile California residents.

5. Find a way to identify California minors

How you treat minors who are also California residents is important. The CCPA says businesses can’t sell the information of minors under the age of 16, although it’s possible for those between the age of 13-16 to opt in to the sale of their personal information.

Therefore, if your business sells the personal information of consumers it will need to:

  • Be able to identify California minors;
  • Provide a way for those minors between the age of 13-16 to opt in to the sale of their personal information;
  • Provide a way for parents or guardians of minors under the age of 13 to opt in;
  • Block the sale of personal information relating to California minors, unless they opt in.

Once again, the use of customer accounts (both online or offline) should allow you to facilitate this, although you may need additional fields within the account data profiles in order to record the above information. You may need to modify your sign-up procedures as well in order to account for the above.

Note: It’s not allowed to simply claim ignorance about the age of your consumers by not collecting this information. Doing so will be interpreted within the legislation as having had actual knowledge of their age and could therefore put your business in breach of the CCPA.

6. Get a toll-free number for CCPA requests

The legislation states that businesses must provide a toll-free phone number for consumers to submit CCPA requests.

This is because those behind the CCPA want it to be as easy as possible for consumers to exercise their rights.

The toll-free number will provide one of a minimum of two methods by which the CCPA legislation demands consumers can make requests. For most businesses the second should be a specific website address—although if the business doesn’t have a website then, in addition to the toll-free number, it can offer a mailing address, email address, or “other applicable contact information”—including any new “consumer-friendly” means of contacting a business that might arise in the future. Although the legislation mentions no specifics, this might include a new type of messaging service, as one example.

Of course, there’s nothing stopping a business from providing all of the above.

Toll-free numbers are inexpensive and you can purchase virtual California-based numbers even if your business isn’t based in the state.

7. Learn what the CCPA does not require you to do

There’s a lot of confusion, incorrect assumptions, and poor advice about the CCPA. For example, people have referred to it as California’s version of Europe’s General Data Protection Regulation (GDPR).

The CCPA has a much narrower focus, although this doesn’t mean it requires less preparation work.

The CCPA doesn’t require businesses to collect additional personal information about consumers for one-time transactions. It doesn’t place restrictions on the kind of data you can store about consumers. It doesn’t require businesses to link any data that isn’t maintained in a way that would be considered personal information. Unless a consumer specifically requests to opt out, it doesn’t stop businesses from selling or buying personal information.

Learn more about the California Consumer Privacy Act

Sage's dedicated CCPA home page contains useful resources and training that can help your business adapt and become compliant in time for the new legislation.

Learn more

8. Start structuring your business’ personal information for the CCPA’s disclosure requirement

The CCPA requires businesses to be able to disclose to consumers their personal information. This can be done via mail delivery or electronically. The latter should be in a “portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.”

The data also needs to be in a format that’s “reasonably accessible to consumers.”

This could mean that you need to either reorganize your business data in a way that facilitates all of the above, or put in place compatible conversion and export processes. Ideally you will want these processes to be as easy as possible so that as little staff time as possible is spent complying with CCPA requests.

You may choose to consult a data-protection specialist for guidance. They will know the correct techniques used to comply with similar legislation, and will closely monitor what the California Attorney General’s office is communicating about these issues.

9. Consult California’s Attorney General to get help with the CCPA

Seeking professional third-party advice is always a good idea and the CCPA legislation says that “any business or third party may seek the opinion of the Attorney General for guidance on how to comply.”

So, go ahead!

10. Update your privacy policies for the CCPA

Unsurprisingly, your business’ privacy policies are required to be updated to reflect the “California-specific description of consumers’ privacy rights.” If you don’t have privacy policies then you’ll need to add the information to your website.

You’re required to update the policies and/or website every 12 months at least, and more frequently should your business start to collect new categories of personal information, or if it changes its policies regarding selling data.

Such policies, or the website, need to be updated to include the following, at a minimum:

  • A description of consumer rights as provided by the CCPA relating to disclosure of personal information, opting out, and deletion of relevant personal information by the business or its service providers.
  • A link to the “Do Not Sell My Personal Information” page on the business’ website (if the business has a website).
  • A statement about how the business will not discriminate against consumers who exercise their rights under the CCPA.
  • Two separate lists, and within the wording of the CCPA there are rules about what data should be listed, and how it should be organized. The legislation should therefore be consulted before taking action. However, in broad terms the first list should display categories of personal information the business has sold about consumers in the preceding 12 months. The second should list categories of personal information disclosed about consumers for a business purpose in the preceding 12 months. In the event there has been no personal information sold or disclosed for a business purpose then this should be stated.

11. Create a separate California-only website for the CCPA

The CCPA legislation requires a business update its website, if it has one.

For example, you need to provide a “clear and conspicuous” link on the homepage entitled “Do Not Sell My Personal Information,” which then links to a page where the consumer can opt out of the sale of personal information. As mentioned above, you’ll need to update your online privacy policies to include CCPA-specific information or, if you don’t make use of online privacy policies, simply update your website so that CCPA rights are discussed.

However, there’s no need to bother every one of your site visitors with CCPA information and options.

By taking “reasonable steps,” the legislation allows you to redirect California consumers to a special version of the website that contains the above mentioned link and information. Acceptable methods of doing this aren’t detailed within the legislation but geo-redirection based on the consumer’s IP address could be one solution. Alternatively, if the consumer has an account on your site and you know them to be based in California then you might redirect them to the special version of the site via a persistent website cookie.

Alternatively, rather than running two concurrent versions of the site, website coding might simply display the required information within the main site if a California visitor is detected. Consulting a website developer will provide a range of solutions.

12. Provide a way for consumers to notify you of CCPA violations

Much has been said about the fines for CCPA violations, and they can be significant.

However, provided the business “cures the noticed violation” within 30 days, and tells the consumer who reported it they’ve both made the fix and that no further violations will occur, then no action should be taken.

You will already have the means necessary for consumers to contact you with regard to the CCPA, thanks to the toll-free phone number among other things. But this needs to be matched within your business with procedures to investigate potential violations, and to enact cures within the stipulated 30 days.

This could make all the difference between running-up fines (and suffering reputational damage to your business), or fixing the problem quietly and quickly.

13. Find a way to verify consumer requests

The CCPA legislation refers to “verifiable consumer requests” and it’s up to the business to verify that the consumer is who they say they are (or that they’re acting with authority with respect to another individual, such as a minor).

The obvious way to do this is via an online customer account, which is permitted by the legislation. However, the CCPA also says that businesses can’t force consumers to create an account to make CCPA requests or to learn about how the business uses and sells data. Therefore, you will need to find a way to otherwise verify a consumer.

14. Read the CCPA legislation—and stay on top of amendments

The CCPA legislation is surprisingly readable for a legal document, and it’s advised that any business affected should take a look. However, there are already many amendments in progress to clarify or alter components of the CCPA. The International Association of Privacy Professionals’ (IAPP) CCPA Amendment Tracker lists these, and you should consult it regularly.

 

Note: We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the California Consumer Privacy Act (CCPA) on their businesses.