California was the first state in the US to introduce data protection legislation. The California Consumer Privacy Act (CCPA), enacted on January 1, 2020, provides strong protection for its consumers' rights by means of several principles that must be respected by companies.
Find out if your organisation is affected. Didomi can help you become compliant thanks to our CCPA checklist that you will find in this article.
Note: The successor to the CCPA, the California Privacy Rights Act (CPRA), went into effect on January 1, 2023.
Learn more in our latest blog post on CPRA and download your CPRA compliance checklist.
Summary:
- CCPA: Who is concerned?
- CCPA Checklist: are you compliant with all the requirements?
- How do I prepare for CCPA? 10 steps to follow
CCPA: Who is concerned?
Who is involved in CCPA compliance and what data is covered by the CCPA?
Which companies must comply with the CCPA?
If you answer yes to any of the next three questions, then you will need to ensure your company is CCPA compliant.
- Do you earn 50% or more of your revenue from selling the personal information of California residents?
- Are you a for-profit business making at least $25 million gross annual revenue?
- Do you hold more than 50,000 users’ or devices’ data?
However, some companies are exempt from CCPA compliance:
- Financial companies covered by Gramm-Leach-Bliley
- Credit reporting agencies under the Fair Credit Reporting Act
- Health providers and insurers already under HIPAA
If you think that your organisation isn’t involved, keep in mind that privacy is becoming a global issue and it's best to be prepared for what promises to be a new ecosystem of data collection.
What data is covered by CCPA?
The CCPA has a very broad definition of 'personal data'. The CCPA defines personal data as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The data which is covered by the CCPA is:
- Identifiers such as name, age, postal address, email address, IP address, passport number, or other identification;
- Customer records such as name, personal address, credit card number, telephone number, social security number, driver’s licence, or other identification;
- Characteristics of protected classifications such as religious affiliation, race, mental and physical disability, marital status, or other identification;
- Biometric information;
- Internet or other electronic network activity information such as browsing history and search history;
- Geolocation data;
- Income or other similar employment-related information;
- Education information;
- Other identifiable information.
This long list of personal data is meant to protect consumers not only from highly intrusive advertising but also from data breaches.
CCPA Checklist: are you compliant with all the requirements?
You may be wondering right now, “Do I have to follow the CCPA checklist?” Let's look in detail at the requirements listed in the regulation and then take some time to consider whether you’re correctly following them.
The CCPA lists a number of principles that must be respected by companies:
A - The “right to know”
B - The right to opt out of sales
C - Provide a notice at collection
D - The right to non-discrimination
E - The right to delete
The “right to know”
Companies must provide clear information about what kind of information they collect, use and share. They must also explain how and why they use that information, and for what purposes.
The right to opt out of sales
Except in special situations, companies are not allowed to collect user data if the user has decided to opt out. In addition, after the user has opted out of the processing of their data, the company must wait 12 months before asking to sell the user's data again.
Provide a notice at collection
The company’s notice must contain a list of the categories of companies collecting user data, as well as the purposes for which the data is collected. If the company sells the user's personal data, then the notice must contain a 'Do not sell' link too. Finally, there must be a link to the privacy policy that explains in detail the company's privacy practices.
The right to non-discrimination
Companies must not deny users' rights because of their gender, race, language, religion, etc. Rather, they must guarantee equality.
The right to delete
Companies, as well as their suppliers, must delete the user's data as soon as it is requested by the person concerned.
Not sure if you comply with all the points listed above? Don't panic! Didomi is here to offer you solutions that ensure 100% CCPA-compliant data collection.
How do I prepare for CCPA? 10 steps to follow
To make compliance easier for you, Didomi has prepared a checklist with 10 steps to follow. Do not hesitate to contact us if you have any questions. One of our CCPA experts will be happy to help you.
Step 1: Get familiar with CCPA requirements
- Inform yourself
- Find out whether your company needs to become CCPA compliant. If the answer is yes, then it is time to move on to the next step and get closer to compliance.
Step 2: Align your teams and suppliers
- Communicate changes with your teams
- Form your transition team (legal and privacy, marketing, IT)
- Talk to key vendors to align your transition date so that they can support a CCPA-compliant Consent Management Platform (CMP)
Step 3: Check your sites and apps
- List all your properties
- Identify all third parties who have access to your data
Step 4: Conduct a legal audit
- Identify the purposes for which you need a compliant CMP
- Identify the CMP that matches your needs
Step 5: Choose the right Consent Management Platform (CMP)
- Choose a CMP that allows you to easily manage the collection of user
- Choose a CMP that allows you to optimise consent across all channels (web, mobile, app, etc.)
Step 6: Build and customise your user interface
- Set up the text in the first layer of the banner and ensure that the user has access to several options
- Design your second layer to allow users to easily select and manage preferences
Step 7: Set up and ensure your CMP is CCPA compliant
- Provide clear information on your banner about how data will be collected and processed
- Ask the user for consent via the banner
- The banner must contain a link to the privacy policy
- The banner must contain a list of the categories of companies that collect the user's data
- The banner must contain a "Do not sell my personal information" link
- Use simple and accessible language
Step 8: Personalize the look & feel of your banner
- Do A/B tests to check which banner works better for your website/app (colour, format, size, etc.)
- Apply your branding to your banner (logo, font colour)
Step 9: Do a test before launching your CMP
- Test all your channels with the help of our experts to make sure everything is working well
- Perform a final legal review with your legal team.
Step 10: Launch your CMP
Congratulations! Your compliant CMP is live on your website and applications. In addition, Didomi can help you boost performance without losing visibility into your data.
The Didomi CMP is easy and fast to implement; it’s entirely customizable according to your preferences, and 100% CCPA compliant. Feeling inspired? Want to implement one yourself? Contact us!