Get step-by-step instructions for making your website CCPA-compliant in this California Consumer Privacy Act Mega-Guide. This covers:
- What CCPA is
- CCPA website requirements for businesses
- How to make your website CCPA-compliant
- CCPA fines and penalties
Writer’s Note: I won’t lie – there’s… a ton to CCPA. But we’ll get through it, together. So let’s put on our thinking caps and get compliant.
What is the California Consumer Privacy Act?
On January 1st, 2020, the California Consumer Privacy Act became effective after the bill was signed on June 28th, 2018 by Gov. Brown.
The goal was to enhance privacy rights and consumer protection. Specifically, California residents must be able to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request that a business delete any personal information it collected from them.
- Not be discriminated against for exercising their privacy rights.
Now, businesses that collect personal information from California residents must comply with new privacy laws. Even if your business doesn’t operate in California, your website still must be CCPA compliant if you collect any personal data on California residents. That includes many businesses in the United States.
We should clarify – this “personal data” is really user data – it can be anything from a name, email or phone number, to geo-region or online behavior.
So, if there’s a chance your business could collect California residents’ data, and you meet the guidelines specified in the next section, you’ll want to ensure compliance.
CCPA and GDPR
“But wait, we’re already GDPR compliant – isn’t this the same thing?”
GDPR overlaps with CCPA but is not the same law; being GDPR-compliant does not make you CCPA-compliant, and you must still meet the CCPA’s own requirements.
And while this law only covers California, this is just the first state to enact a privacy law like this. In the future, I expect most states to adopt some level of protection like this, so it’s good to get ahead now.
So, what types of companies and websites must comply with CCPA?
What Websites Must Comply with CCPA?
The CCPA applies to any for-profit business that collects and processes consumers’ personal data, which does business in California and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million.
- Buys or sells the personal information of 50,000 or more consumers or households.
- Earns more than half of its annual revenue from selling consumers’ personal information.
Organizations are required to “implement and maintain reasonable security procedures and practices” in protecting consumer data.
A California Resident is defined by state law as anyone who:
- Is in California for other than a temporary or transitory purpose.
- Is domiciled in California, but is outside the state for temporary or transitory purposes.
How to Make your Website CCPA-Compliant
Here’s the meat of the article – a step-by-step walkthrough in CCPA website requirements. Before we get into the nitty-gritty details, here’s your high-level overview of necessary website updates.
- Add a hyperlink on your homepage that says “Do Not Sell My Personal Data”: This link should lead people to a landing page.
- Create a landing page with options to request, move, change or delete data: There’s more to it – but we’ll give full requirements and some examples in the next section.
- Update your privacy policy with the disclosures the CCPA requires: the required contents are listed further down.
Those are the three primary changes you’ll make to your website to ensure compliance and avoid fines. Let’s dive into those three deliverables in more detail and show you how to make the needed updates.
1. Add a Homepage Hyperlink that says “Do Not Sell My Personal Data”
Even if your business doesn’t sell personal data, you still need a link on your homepage stating “Do Not Sell My Personal Data”. This link must lead users to a landing page.
For the link itself, there’s no mandated standard for its size or placement. What we do know is:
- The link must be placed on the homepage.
- The link must be present, even if you don’t sell personal data.
- The link must be clearly visible and clickable – it can’t be hidden – that’s another way a bad user-experience can actually cost you.
2. Create a Landing Page to Request/Remove Data
When someone clicks the homepage link, “Do Not Sell My Personal Data”, they’ll be taken to this landing page.
Your landing page needs three main elements:
- A description of your policy for selling personal data: this is where you describe your data collection policy – the kind of data you collect, how you use that data and your data-selling policy.
- A description of the California Residents’ protected privacy rights: basically, you need to inform users of the new level of protection offered by CCPA and their rights to access any data you may have collected.
- A form: this allows people who want to request, move, change or delete data to do exactly that. In the form, you should include the option for people to select what you do with the data.
Offer a 2nd Option to Request Data
CCPA mandates that you make two or more methods available to consumers for making data-related requests and exercising their data protection rights.
So basically, you need two options for people to request or remove data.
This landing page counts as one option. The second option should be a toll-free number. You can offer more than two methods, of course, but those first two are required.
Tips for Creating a CCPA Landing Page
Tip 1: If you don’t sell data, great – you should say so. But you still need to give users the option to request, move, change or delete personal data.
Tip 2: You need to place a form on the landing page that allows people to request or remove data. I’d recommend making a drop-down field option that allows people to select how they want data to be handled: requested for their viewing, moving, changing or deleting personal data.
Tip 3: The landing page doesn’t have to be fancy, but it does need to be clear and direct.
Tip 5: While not mandated, it’s best practice to give people a “success message” that confirms that the request has been received and you’re working on providing or changing the data as they specified.
The easiest way to do this is to direct people to a Thank-You page after submitting the form. The page should have a simple confirmation message like, “We received your request and will provide the information to you in 30-days or less.”
3. Update Your Privacy Policy
Honestly, you’re going to want to get your legal team involved to assist in this. But you can do a lot of the heavy lifting right now. Under the CCPA, a business’s privacy policy must include:
- A description of consumers’ rights under the CCPA;
- A description of at least one designated method for consumers to submit CCPA requests to them;
- A list of categories of consumer personal information they have collected in the preceding 12 months;
- A list of categories of personal information they have sold in the preceding 12 months (or, if businesses have not sold personal information, they shall so state); and
- A list of categories of personal information they have disclosed (not sold) for a business purpose in the preceding 12 months (or, if they have not disclosed personal information, they shall so state).
Under the CCPA, regulated businesses must update their privacy policies at least once every 12 months.
Tip 1: You can add a lot of clarity – and accelerate the process – if you give your legal team a full-list of all the types of data you collect. Data like:
- First and last name
- Phone number
- Area code
- Type of information downloaded from your website
- IP address
- Professional employment data
All that and more. Basically, list literally every type of information that website users can give you.
Tip 2: Don’t forget about any microsites or subdomains you own, and the information you collect from those sources, as well.
Tip 4: The CCPA doesn’t restrict you from selling data, but if you do, you must disclose and allow users to opt-out.
Writer’s note: we don’t work with any clients who sell their users’ personal data – but we still follow CCPA requirements, just in case.
Tip 5: If you sell the data of minors aged 13 to 16, you must obtain their consent before selling it. For minors younger than 13, you need consent from their parents or guardians.
Writer’s note: Look – if you’re someone who sells peoples’ data, don’t. It’s lame and you know it.
Tip 6: Be sure to keep every consent obtained from minors, parents or guardians.
Tip 7: Keep documentation of everyone who has given or rejected consent, along with the date they submitted the request.
Tip 8: Are you using a CRM? If so, you need to specify this, as well as any other sources where data might be collected or processed.
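To make the landing-page form (step 2) and the record-keeping in Tips 6 and 7 concrete, here is an added example that is not code from the original article or from Axiom. It validates a form submission against the article’s four request types, logs requests and consent decisions with dates, and gates data sales on the consent rules the article gives for minors; every function and field name is hypothetical, and the reading that a 13-to-16-year-old gives their own consent is an assumption.

```javascript
// Added example, not code from the original article. It models the landing-page
// form, the consent log from Tips 6 and 7, and a gate on selling data that follows
// the article's consent rules for minors. All names here are hypothetical.

const REQUEST_TYPES = ["request", "move", "change", "delete"]; // drop-down options
const requestLog = []; // Tip 7: every request, with the date it was submitted
const consentLog = []; // Tip 6: every consent given or rejected, with the date

// Handles one submission of the landing-page form; returns the Thank-You message
// on success or a validation error. receivedAt is injectable for testing.
function handleCcpaRequest({ email, requestType, receivedAt = new Date() }) {
  if (typeof email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, error: "a valid email address is required" };
  }
  if (!REQUEST_TYPES.includes(requestType)) {
    return { ok: false, error: `requestType must be one of ${REQUEST_TYPES.join(", ")}` };
  }
  const entry = { email, requestType, receivedAt: receivedAt.toISOString() };
  requestLog.push(entry);
  return {
    ok: true,
    entry,
    message: "We received your request and will provide the information to you in 30 days or less.",
  };
}

// Records who decided what, and when. givenBy is "consumer" or "parent_or_guardian";
// an adult clicking "Do Not Sell My Personal Data" is recorded as a rejection.
function recordConsent({ email, age, decision, givenBy, decidedAt = new Date() }) {
  if (!["given", "rejected"].includes(decision)) {
    return { ok: false, error: "decision must be 'given' or 'rejected'" };
  }
  const entry = { email, age, decision, givenBy, decidedAt: decidedAt.toISOString() };
  consentLog.push(entry);
  return { ok: true, entry };
}

// May this consumer's data be sold? Under 13: only with a parent's/guardian's
// opt-in. 13 to 16: only with the minor's own prior opt-in (assumed reading of the
// article). Adults: allowed unless their latest decision is an opt-out.
function saleAllowed(email, age) {
  const latest = consentLog.filter((c) => c.email === email).pop();
  if (age < 13) return !!latest && latest.decision === "given" && latest.givenBy === "parent_or_guardian";
  if (age <= 16) return !!latest && latest.decision === "given" && latest.givenBy === "consumer";
  return !latest || latest.decision !== "rejected";
}
```

The emails and ages used in the checks are constructed sample values; a real site would persist both logs rather than keeping them in memory.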
CCPA Fines & How to Avoid Them
Non-compliance will cost you.
Not just huge fines: the Attorney General may initiate a civil case against you or your business if you remain non-compliant 30 days after being notified of a violation.
And that’s a $7,500 fine per violation. So, if you violate the CCPA rights of 1,000 users, you could receive a fine of $7,500,000.
One Last Thing
Congratulations – not only did you reach the end of this 2,000-word CCPA guide, but you should now have everything needed to meet CCPA website requirements.
One thing’s for sure – CCPA isn’t going away anytime soon, and these regulations are sure to spread to other states. Already, we’re building in a CCPA-compliance process in every website we build.
And one last thing – CCPA-compliance demands a decent amount of work. If it becomes overwhelming, or you want another set of eyes to double-check your compliance, give Axiom a call. We can plug in and help make your compliance bullet-proof (or, fine-proof) or just manage the process for you.