If your company does business with residents of California, you have to comply with the CCPA regulation in order to avoid hefty fines, which can be US $7,500 per willful violation. With the CPRA coming into effect January 1st, 2023, there are additional regulatory responsibilities. But does this include you?
If you run a for-profit company, you’re obligated to comply with the CCPA if your business:
- receives, processes, or transfers data from over 50,000 Californians per annum
- gross annual revenue exceeds US $25 million
- at least 50% of your annual revenue comes from selling data belonging to Californians
Under the CPRA, these obligations have changed. Now a business needs to meet one or more of these thresholds:
- Receives, processes, or transfers data from 100,000 or more consumers or households in California per annum (also no longer includes “devices”)
- Annual gross revenues from the preceding calendar year exceeding US $25 million
- At least 50% of annual revenue comes from selling or sharing data belonging to Californians
While it may be confusing for many to make entirely sure that a website is completely compliant with California’s privacy laws, we have compiled a checklist for website providers to stay on top of CCPA and CPRA regulations.
CCPA/CPRA Compliance Checklist
Does it include all relevant information? The CCPA/CPRA require website providers to be transparent with the type of data they collect from users, such as:
- What kind of information you collect and process
- Why you collect and process this information
- How do you collect and process this information
- The methods for users to to request access, change, move, or have their personal data deleted
- The method for verifying the identity of the person who submits a request
- Sale or sharing information for users’ personal data and how they can opt out of their data being sold or shared (requires the website to have a clear “Do Not Sell Or Share My Personal Information” link)
2. Right to Disclosure
If you sell or share information about consumers who are protected by the CCPA or CPRA, you must inform them before data collected about them is shared with third parties or sold. This can be done through the use of a consent management banner or pop-up when the user visits your site.
3. Collect and store consent
The CCPA and CPRA require obtaining prior consent from consumers before selling or sharing their personal information. Obtain consent directly from visitors that are over age 13 (includes minors 13 to 16 years old), or from parents or legal guardians if they are under 13. Also understand what is now classified as “sensitive” personal information and how it must be handled.
This link must be made clearly available on your website homepage, and can be done via the use of a CMP.
5. Make sure that users can contact you
The CCPA/CPRA grants your California users the rights to:
- access the personal data you have collected from them or ask questions about its use
- request changes or corrections to their data
- request and receive a copy of their data to move it somewhere else
- opt out of the sharing or sale of their data or the use of automated decision-making technologies with it
- limit the use and disclosure of sensitive personal information
- have it deleted, and
- experience no retaliation following an opt-out or exercising of other rights
You have a duty to provide a straightforward means for submitting such requests, as well as the requirement to respond to them promptly.
6. Set up a system for identity verification for users submitting requests
If a business cannot reasonably verify the consumer’s identity to an appropriate degree of certainty, it must inform the consumer and explain why the request could not reasonably be verified or fulfilled.
To be compliant with the CCPA, websites must also honor the Global Privacy Control (GPC) signal, which enables website visitors to set their privacy and consent preferences once and have them respected on all sites they visit.
A consent management platform enables privacy compliance with the CCPA, CPRA, and more regulations, and ideally respects the GPC signal, as the Usercentrics Consent Management Platform does.
Get in touch with one of our experts to get answers to your CCPA and CPRA questions.
*Usercentrics does not provide legal advice. To ensure your compliance with the CCPA, CPRA or other regulations, consult qualified legal counsel and review your privacy compliance operations regularly.