CookiePro Blog June 30, 2020

CCPA Enforcement Date Checklist

January 1, 2020 was the official effective date of the California Consumer Privacy Act (CCPA), but July 1, 2020 is the official enforcement date. In this post, we’re breaking down the CCPA for you and covering what it’s about, who it affects, and best practices for compliance.


What is the CCPA and who does it impact? 

The California Consumer Privacy Act is intended to strengthen privacy rights and consumer protection for residents of California. A business that collects the personal data of individuals must adhere to the CCPA if it meets one or more of the following conditions:

  • Earns $25 million or more in revenue annually. 
  • Processes data of 50K or more consumers, households, or devices. 
  • Derives at least 50 percent of its annual revenue from selling personal information.

How do companies comply with CCPA?

The process of compliance with CCPA begins with understanding the importance of consumer rights and finding ways to protect those rights.

Understanding consumer rights such as access, data portability, deletion, sharing/selling disclosures, and opt-out or opt-in is critical when responding to consumer rights requests. Companies should update rights management procedures, update their privacy policies, and develop a process to automate these requests in order to reduce the cost, time, and resources associated with manual fulfillment.

What are the benefits of CCPA? 

The CCPA incentivizes companies to implement privacy by design to protect the data they collect and share. Increased transparency benefits a business’s reputation, especially as regulations evolve.

Do the California Attorney General’s newly proposed revisions change anything?

The latest operating rules are similar; however, when combined with the CCPA, nearly every part of privacy compliance is modified. If the Office of Administrative Law does not complete the review process in the expedited timeline, then only the “basic” CCPA, which does not include the operating rules, will be enforced.

What’s the difference between the CCPA and CPRA?

The California Privacy Rights Act (CPRA or CCPA 2.0) expands upon the privacy protections introduced by CCPA. It creates new privacy rights, such as allowing consumers to stop businesses from using sensitive personal information, and safeguards children’s privacy by tripling fines associated with the collection and sale of a child’s private data. As this new Act plays out, we’ll be sure to keep you up to date!

CCPA Checklist

If you’re just now implementing your CCPA strategy, here are the top things to consider:

  1. Understand what the CCPA is and if it applies to you
  2. Determine what data is collected from California consumers and for what purposes it is used
  3. Inform visitors what personal information is collected when visiting your website
  4. Offer an online form for consumers to access, request deletion of, or opt out of sales of their personal information
  5. Add a “Do Not Sell My Personal Information” link to the homepage of your website and any page that may collect personal data
  6. Create a toll-free number for consumers to make consumer rights requests over the phone
  7. Maintain detailed, ongoing consent records for compliance
  8. Develop a process to respond to consumer requests within 45 days from when the request was made
  9. Obtain opt-in consent from children between ages 13-16 to sell their information; a parent or legal guardian is required to opt in on behalf of children under 13 years old
  10. Provide consumers who exercise their privacy rights the same products and service quality

CCPA Cookie Banner Best Practices

We recommend including the following when creating a cookie banner for CCPA:

  • Information about cookie use that includes details about the purpose of the use of cookies on the site and whether the site shares the information with third party companies. 
  • A button to accept or decline cookies. Although the CCPA doesn’t require consumers to opt in to cookies before the website can drop cookies, it’s considered best practice to still inform the user about the data the site collects. The cookie banner can include a link to a cookie settings page where the user can choose to opt in or out, as well as view exactly what cookies they’re consenting to.
  • A link or button to an opt-out form. The CCPA requires that businesses include this on their home page. The button should read “Do Not Sell My Personal Information.” The link needs to route to a “Do Not Sell” page on your website. The Do Not Sell page should include a link to your privacy policy and the option to opt out of personalized advertisements. This button is not considered a cookie banner, but it can be on or near the cookie banner – see the example below. Read more about how to comply with the CCPA Do Not Sell Rule in our blog, CCPA Do Not Sell Rule: The Complete Guide.
  • An easy-to-find spot on the website where the consumer can withdraw consent for the sale of their personal information at any time.

Get Started Today

Whether you’re just getting started or have a CCPA privacy strategy in place, there’s always room to improve! Leveraging CookiePro makes it a breeze to follow numerous regulatory guidelines.

Create your CCPA Do Not Sell Button, Consumer Rights Request form, and CCPA Cookie Banner with CookiePro.

Looking for a more detailed CCPA checklist? We have you covered. Download the CCPA checklist our team put together to help you navigate the CCPA.
