May 31, 2021

CCPA Website Checklist

The California Consumer Privacy Act (CCPA) is designed to improve privacy rights and consumer protection for residents of California. The following checklist can help you identify what your organization should do to stay compliant.

Obligations

You are obligated to comply with the CCPA when your organization:

  • Is for-profit and conducts business in California.
  • Collects personal data of California residents, and determines the purposes and means of processing consumers' personal information.
  • Meets at least one of the following thresholds:
    - Has annual gross revenues in excess of $25 million;
    - Or possesses the personal information of 50,000 or more consumers, households, or devices;
    - Or derives 50% or more of its annual revenue from selling consumers' personal data.
  • Processes any of the following (with the exceptions stated in Civil Code section 1798.145):
    - Personal data such as name, address, personal identifier, IP address, email address, account name, Social Security number, driver’s license number, and passport number.
    - Commercial information such as records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
    - Biometric information.
    - Internet or other electronic network activity such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
    - Geolocation data.
    - Audio, electronic, visual, thermal, olfactory, or similar information.
    - Professional or employment-related information.
    - Education information that is not publicly available and personally identifiable, as defined in the Family Educational Rights and Privacy Act.
  • Or creates a consumer profile reflecting a consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes based on any of the information listed above.

Preparation

Within your organization, you should prepare by:

  • Establishing a governance structure where someone is in charge of data protection.
  • Training and informing dedicated personnel to properly process new consumer requests to exercise their privacy rights.
  • Developing and maintaining a data inventory.
  • Creating and maintaining an incident response plan.
  • Maintaining records of requests and documentation of the handling of such requests in order to demonstrate your compliance.
  • Ensuring that agreements with service providers are CCPA compliant.

On your website, you should:

  • Make available two or more designated methods for consumers to request their information.
  • Inform the consumer, at or before the point of data collection, about the categories of personal information you collect and the purposes for which those categories of personal information will be used. (Right to notice)
  • Always have a process that allows opt-in (Right to opt-in), including for consumers aged 13 to 16, whose personal information you should not sell by default.
  • If your organization sells consumers' personal information, inform consumers that their information may be sold and that they have the "right to opt-out" of the sale of their personal information.
  • Disclose the consumer's right to request the deletion of their personal information. (Right to erasure)
  • Disclose to consumers whether your organization offers financial incentives for the collection, the sale, or the deletion of personal information.
  • Include a "Do Not Sell My Personal Information" link on your website homepage to inform consumers that they have the right to opt out of the sale of their personal information.
  • Disclose in your online privacy policy a description of consumers' rights and the categories of consumers' personal information collected and/or sold in the preceding 12 months.

In order for consumers to exercise their rights, you must be ready:

  • To verify the identity of consumers who request to access or delete their personal information.
  • To inform the consumer, upon request, what categories and which specific pieces of personal information you have collected about them. (Right to access)
  • To deliver requested information to consumers free of charge within 45 days, by mail or electronically.
  • To ensure that the information you are required to deliver is portable, in a readily usable format that allows consumers to transmit it to another entity "without hindrance", with an exception for personal information collected for "single, one-time transactions." (Right to portability)
  • To delete personal information upon the consumer's request. (Right to erasure)
  • To provide consumers the right to equal services and prices. (Right to non-discrimination)