The California Consumer Privacy Act (CCPA) is a privacy law similar to the GDPR, designed to improve privacy rights and consumer protection for residents of California. The following checklist can help you identify what your organization should do for CCPA website compliance.
Obligations
You are obligated to comply with the CCPA when your organization:
Is for-profit and conducts business in California.
Collects personal data of California residents, and determines the purposes and means of processing consumers' personal information.
Meets one of the following thresholds:
- Has annual gross revenues in excess of $25 million;
- Or possesses the personal information of 50,000 or more consumers, households, or devices;
- Or derives 50% or more of its annual revenue from selling consumers' personal data.
When your organization processes (with the exceptions stated in Civil Code section 1798.145):
- Personal data such as name, address, personal identifier, IP address, email address, account name, Social Security number, driver's license number, and passport number.
- Commercial information such as records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity such as browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information that is not publicly available and is personally identifiable, as defined in the Family Educational Rights and Privacy Act.
Or if your organization creates a consumer profile reflecting a consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes based on any of the information listed above.
Preparation
Within your organization, you should prepare by:
Establishing a governance structure where someone is in charge of data protection.
Training and informing dedicated personnel to properly process new consumer requests to exercise their privacy rights.
Developing and maintaining a data inventory.
Creating and maintaining an incident response plan.
Maintaining records of requests and documentation of the handling of such requests in order to demonstrate your compliance.
Ensuring that agreements with service providers are CCPA compliant.
On your website, you should:
Make available two or more designated methods for the consumer to request their information.
Inform the consumer before the point of data collection about the categories of personal information you collect and the purposes for which the categories of personal information shall be used. (Right to notice)
Always have a process that allows consumers to opt in, i.e. to give explicit consent (Right to opt-in). This also applies to consumers between 13 and 16 years of age, whose personal information you must not sell by default.
If your organization sells consumers' personal information, inform your customers that their information may be sold and that they have the "Right to opt-out", i.e. to withdraw consent to the sale of their personal information.
Disclose the consumer’s rights to request the deletion of their personal information. (Right to erasure)
Disclose to your consumers in case your organization offers financial incentives for the collection, the sale, or the deletion of personal information.
Include a “Do Not Sell My Personal Information” link to inform consumers that they have the right to opt-out of their personal information sale on your website homepage.
Disclose in your online privacy policy a description of consumers' rights and the categories of consumers' personal information collected and/or sold in the preceding 12 months.
In order for consumers to exercise their rights, you must be ready:
To verify the identity of consumers who request to access or delete their personal information.
To inform the consumer, upon request, what categories and which specific pieces of personal information you have collected about them. (Right to access)
To deliver requested information to consumers free of charge within 45 days, by mail or electronically.
To ensure that the information you are required to deliver is portable, in a readily usable format that allows consumers to transmit it to another entity "without hindrance", with the exception of personal information collected for "single, one-time transactions". (Right to portability)
To delete personal information upon the consumer’s request. (Right to erasure)
To provide consumers the right to equal services and prices. (Right to non-discrimination)
CCPA compliant?
TRUENDO is an all-in-one CCPA compliance solution for websites and apps. It is a consent management platform with a built-in, auto-generated, auto-updated privacy policy and cookie policy. It allows your website visitors to easily and explicitly opt in and opt out; its cookie policy provides detailed but easy-to-understand information about the individual services and trackers that collect and process personal data; and user rights are listed in its privacy policy to help visitors make well-informed decisions.
The CCPA specifies that businesses should include a "Do Not Sell My Personal Information" link or button on their homepage. This link is not included in TRUENDO; it is the responsibility of the website owner to add it to their website, typically in the footer.
Have a Shopify site that needs to meet CCPA website requirements? Check out our Shopify integration page.
DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions. The information presented on this website may not reflect the most current legal developments. An attorney should be contacted for advice on specific legal issues. The implementation of a data protection law compliant Consent Management Platform (CMP) is ultimately at the discretion of the respective data protection officer (DPO) or legal department.