Before we get to our list of tips, here’s a quick refresher on what the CCPA is and who it applies to. The California Consumer Privacy Act is intended to provide California consumers with rights regarding how their personal information is collected and used. The law gives Californians four categories of rights: the Right to Disclosure, the Right to Access, the Right to Deletion, and the Right to Opt Out.
These rights relate to the personal information that might be collected on a consumer by a business. Personal information includes data such as name, address, email address, social security number, IP address, and more.
The CCPA provides detailed requirements dictating how businesses can collect and process personal data, how they must inform customers about their rights regarding collected data, and how they must respond when a customer exercises those rights. The CCPA is the most comprehensive privacy law in the US and we strongly recommend that every business operating in California or serving Californian customers get to know its provisions.
It is worth noting that the scope of the CCPA is limited. The law only applies to businesses that:
- make over $25 million a year in gross revenues, or
- process data on more than 50,000 Californians each year, or
- earn over 50% of their revenue from selling the personal data of Californians each year
If you don’t meet one of these qualifying criteria, then your business is not impacted by the CCPA.
However, because new data privacy laws are emerging elsewhere — Washington, New York and Virginia, to name a few — we recommend that all businesses understand the CCPA and comply with it to some degree. Adhering to the law’s requirements, even if only partially, will put your business in a better position for complying with forthcoming privacy laws. Additionally, every business should take the privacy of their customers’ data seriously and adhering to the CCPA requirements is a good way to demonstrate that.
2. You must abide by the data collection purposes you cite in your policy.
And always have your policy reviewed by a qualified attorney.
4. Create a separate cookie notice.
Under the CCPA’s stipulations, privacy policies and other privacy notices (e.g. cookie notices) must be updated at least once every 12 months. Adding this date to the page will make it easier for you to manage. You should also set a reminder in your calendar to update the policy at least once each year.
7. Make sure you provide users with two methods for contacting your business about their rights.
The CCPA states that businesses must provide two ways for customers to contact the business for data disclosure, access, deletion or opt-out requests. One of those methods should be a toll-free number; see section 1798.130 of the CCPA.
Please let us know if you have other tips that we should add to this list.