Knowledge Hub

CCPA Compliance Checklist: Is your company ready?

Enforcement of the California Consumer Privacy Act (CCPA) is set to begin on July 1, 2020. Abiding by the CCPA regulations is extremely important: it demonstrates a full commitment to data privacy to your customers, creating trust and a strong competitive advantage, while also avoiding substantial fines of up to $7,500 per user whose data was compromised or mishandled.

CCPA applies to 40 million California residents (even on vacation) and hundreds of thousands of businesses that interact with them, but does this include you?

If you run a for-profit company, you are obligated to comply with the Act if your business:

    1. Has gross revenues that exceed $25 million,
    2. Receives, processes, or transfers data from over 50,000 Californians annually, or
    3. Derives at least 50% of its annual revenues from selling personal data belonging to Californians.

So, now that you have identified if CCPA applies to you, why bother complying? 

Risks of non-compliance with CCPA:

  • Fines per intentional violation: up to $7,500 per incident
  • Fines per non-intentional violation: up to $2,500 per incident
  • Damages awarded in individual or class-action lawsuits: $100 – $750 per violation

Checklist – What you need to do to comply with CCPA

Each requirement below is listed together with its key points and further details.
Disclose Information
  • Privacy Policy
  • Point of Data Collection (e.g. Contact Form)
  • Purpose: Inform consumers of your intentions at or before the point of data collection. 
  • Language: Make sure the privacy policy is available in the languages in which your business provides information in California. 
  • In practice: This can be done through the use of a banner or pop-up for when the user visits your site.
Inform users about their CCPA Rights 
  • Add a description of consumers’ Rights under CCPA
  • Right to Know 
  • Right to Delete 
  • Right to Non-Discrimination
  • Right to Opt Out
Make sure your Privacy Policy is updated & Preferences are stored for 12 months
  • Privacy Policy Updated every 12 months
  • Ask for opt-in again only once 12 months have passed since the consumer opted out.
  • Updating: Once you’ve made your Privacy Policy CCPA-compliant, don’t forget to reflect this by updating your Privacy Policy’s information as well as its ‘effective date’ every 12 months, even if you don’t make any other changes to the Policy.
  • Transparency: The date of the last update must be clearly visible.
  • Data Sold: List all the categories of personal information your business has sold in the past 12 months. 
Include a “Do Not Sell”- Link (Opt-Out) 
  • Wording: “Do not sell my personal information”
  • This link must take the user to a page where they can opt-out of the sale of their data. 
  • Availability: Easily available on your website homepage
  • Method: through the use of a Consent Management Platform (CMP). 
  • Result: it is illegal to sell the user’s data once they have clicked on this link. 
Take in Consumer Rights Requests
  • Provide at least two contact options to opt-out e.g.
    • toll-free phone number
    • webform
    • Email
  • Rights Request: CCPA grants your Californian users the right to access the personal data you’ve collected from them, the ability to make changes to this information, move it somewhere else, or delete it. 
  • Duty: You have the duty to provide a system for submitting such requests.
  • Privacy Policy states the methods to request access, change, move, or deletion of their personal data.
Verify Consumer Rights Requests (set up a system)
  • Enable consumers to attach evidence when submitting a request to verify their identity and proof of residency.
  • Set up a system to verify requests 
  • If a business cannot reasonably verify the identity to the appropriate degree of certainty, it must inform the consumer and explain why the request could not reasonably be verified.
Keep track of Consumer Rights Requests 
  • Find and retrieve consumers’ data across cloud-based and on-premise systems to assist in fulfilling a request
  • Integrations with common business systems such as CRMs, Marketing Automation, CASBs, CMDBs, etc
  • System: Determine a way to track all Consumer Rights Requests. 
  • Time Period: Your business must keep records of all CCPA requests and your responses to them for 2 years.
Fulfill Consumer Rights Requests
  • Fulfillment within 45 days 
  • Extend Period to 90 days
  • Frequency: Consumers are limited to 2 such requests per year.
Collection of Personal Information from Minors (anyone 16 years old or younger)
  • >13 years old: Create a process for minors to affirmatively authorize the sale of their data. 
  • <13 years old: create a process for the guardians of those minors to provide authorization to have their information sold.
  • Valid Consent: Before a website operator can process minors’ personal data, an explicit consent (opt-in) must be obtained. 
  • Opt-in: The CCPA provides for an opt-in obligation for minors between the ages of 13 and 16. 
  • Parents/Guardians: When 13 or younger, it is necessary to obtain consent from parents or legal guardians.

The CCPA isn’t (only) aimed at businesses based in California. It’s aimed at any business that processes the personal information of consumers in California. Failing to make your website CCPA-compliant could result in a fine of up to $7,500 per violation. Meet all CCPA requirements with the help of the Usercentrics Consent Management Platform (CMP).

As you can see, the CCPA’s wording is open to interpretation and is expected to change.

Therefore, preparing for CCPA can seem overwhelming and time-consuming. If you would like to focus on complying with CCPA regulations in a smooth and easy way, the Usercentrics Consent Management Platform (CMP) is the perfect tool. Embed the specific features automatically and simplify the entire process to meet the CCPA’s requirements quickly and effectively. In line with the developments of the law, the Usercentrics tool will be up and running in August 2020.

With the Usercentrics CMP you can:

  • Create and manage a CCPA-compliant, transparent privacy policy
  • Inform users of the collection of personal data
  • Easily include a “do not sell my personal information” link as an opt-out option for users, giving them the opportunity to say “no” to the sale of their personal data
  • Ensure that user preferences are stored and documented in a legally compliant way

[Image: 01a – CCPA – First Layer – Banner active | Usercentrics]

[Image: 01b – CCPA – First Layer – Wall active | Usercentrics]

Usercentrics does the Research for you

All Usercentrics customers receive free access to our extensive legal document database, which includes data processing services and the accompanying legally relevant information such as scope, purpose, place and duration of processing. Want to learn more about the Usercentrics CMP? Feel free to approach us at any time for advice and a summary of the various options our CMP offers for a CCPA-compliant implementation.

DISCLAIMER

The decision to implement a data protection-compliant CMP is ultimately at the discretion of the data protection officer and/or the legal department.

These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation with respect to the implementation of a CMP solution. Please consult a qualified lawyer should you have any legal questions.