The New California Consumer Privacy Act (CCPA) Explained

January 31, 2020

CCPA Explained DesignHammer

Back in May of 2018, we published an article explaining a new privacy legislation called the GDPR (General Data Protection Regulation) in Europe. To recap for those who missed our last post, the GDPR stated that websites were not allowed to not track cookies from European IP addresses without the user first consenting to their data being collected. As a European law, the implications of the GDPR lay in European jurisdiction and have little to no effect on American citizens outside of now having to have to accept or reject the data collection efforts made by a majority of websites. But as of 2020, there is a new player in the internet privacy game, this time on American soil. Enacted in California, new web legislation titled “the California Consumer Privacy Act” (CCPA) has officially gone into effect, adding limitations to companies can do with personal data they have collected on users via their website.

Filed for the benefit of Californians and in the interest of protecting their personal data; these stricter regulations have granted Californian residents the right to know what data has been collected about them, how a company is using that data, and what they can do to protect it. This legislation was filed in California just a few months after the GDPR went into effect in Europe, and taking into account that the global concern over personal data and internet privacy is rising higher and higher with each passing year, it’s safe to assume that what was started in Europe will likely become a national, if not global, standard.

In this article I will be offering a condensed summation of the information and implications of the new CCPA legislation, as well as the answers to some frequently asked questions, such as; what does this mean for US organizations? How is it any different from the GDPR? And what can I do to make sure my site is compliant?

A Little Background Info:

The right to internet privacy has been a hot topic over the last couple of years, particularly since the emergence of the GDPR in Europe. But many internet users on American soil weren’t very knowledgeable on the subject until Mark Zuckerberg’s awkward testimony to Congress regarding Facebook’s questionable data privacy practices back in April of 2018. After this very public revelation by Facebook’s CEO, many United States citizens became increasingly more aware and concerned about what kind of personal data they were unknowingly giving up to large corporations. That being said, there is a large number of Americans who do not seem particularly perturbed by this news; after all, giving up our internet behavior does make consumerism easier. For readers who do not know what we mean by this, we are referring to the fact that most (if not all) retailers whose websites you’ve visited in the past are tracking your internet shopping habits in some way or another. With this data, businesses can easily deliver targeted, relatable advertisements and content to your social media feed(s). These companies and/or organizations know their user bases well, they know what gender you are, which retailers you prefer to shop at, what your political affiliation is, which news sources you read, even what kind of computer or phone you are using to access your accounts–the amount of data being collected on any given user is almost endless.

Those who do care about their right to internet privacy, however, have been pushing their agenda for years. Netflix’s 2019 documentary The Great Hack provides a brilliant explanation on how data mining works, who’s doing it, and why the collection of personal data can be dangerous and harmful to the general population. Take the Cambridge Analytica data scandal for example. During the period before the 2016 presidential election, the British-based “political consulting” firm conspired with current President-Elect Donald Trump’s marketing team to mine as many personal data points on social media users as possible. With a better understanding of the current user base, the overall political climate, and access to better advertisement targeting features on social media, Trump’s marketing team became able to target very specific ideological advertisements to the people who were more likely to engage with them. Many social media users aren’t aware that every fun facebook quiz that they may have caved into taking in the past has actually collected several data points on them. Many quiz sites are designed to collect information about who you are as a person so it can then be sold to other organizations to use for whatever they please. Cambridge Analytica bragged that they had collected 5,000 data points on more than 230 million Americans, giving a lot of power to whoever purchases that information. If you are concerned about Facebook spying on you, you can always visit your Ad Preferences to learn more about how their algorithms have been identifying and defining "you" as a person.

Enter the California Consumer Privacy Act

The GDPR had companies scrambling to make their sites compliant back in 2018, but fast forward to 2020–a new law in California has followed-suit in regards to the internet privacy of their residents. The California Consumer Privacy Act (CCPA) went into effect on January 1st of this year. This means that many U.S.-based organizations are no longer exempt from their obligation to inform visitors that their data is being collected, and, if they haven’t already, will have to make a significant change to the ways in which they track data on their website.

What is the CCPA Exactly?

The first consumer privacy act in the country, the SB-1121 California Consumer Privacy Act Bill was actually filed in 2018 and written to go into effect January 1st of 2020; giving organizations about a year and a half to get their websites up-to-date on the new compliance standards. With California being the world’s fifth-largest economy, this new legislation is a pretty big deal and will affect more than just the large social media companies in the United States. It will affect any business unit that collects large amounts of user data, whether actively (through form submissions) or via cookie tracking applications like Google Analytics.

In an effort to increase transparency between corporations and consumers, any internet user registered under a Californian IP who visits a business’s website must always be informed that their personal information is being collected. Geographically speaking, this law protects any user with a Californian IP address, even if they are working from a laptop in a different state. They must also be informed as to what their data is being used for, they must understand that they have the right to access this data if requested, and the right to opt-out of having their data sold to third parties if they so choose. Conversely, minors under the age of 18 must opt-in to having their personal data collected in the first place.

What exactly falls under the umbrella term that is “personal data,” you may ask? Well CCPA has used the term broadly to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household. This includes cookie data and other “unique identifiers”, referring to any persistent identifier that could be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier, an IP address, cookies, beacons, pixel tags, mobile ad identifiers, or similar technology.

GDPR vs CCPA – What’s the Difference?

CCPR vs GDPR

For starters, some may argue that the CCPA is somewhat “looser” than the GDPR. It incorporates several GDPR concepts, such as the rights of access, portability, and data deletion. That being said, there are still several areas where the CCPA requirements are more specific than those of the GDPR. The CCPA is generally more focused on protecting user data from being sold to third parties without their consent and the law states that businesses must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on a website homepage. One weird catch about the CCPA is that businesses are still allowed to ask consumers for reauthorization to collect and sell their information even after they have opted-out in the past, as long as businesses wait 12 months before re-asking users for permission.

Geographic Considerations

The scope and territorial reach of the GDPR is much broader, applying to any “data controllers and data processors” (business websites) around the world that collect information on any user with an EU-based IP address. Unlike the CCPA, the GDPR does not include the very specific right to “opt-out of personal data sales” but users can reach the same result by requesting websites to opt-out of processing data for marketing purposes, and to withdraw consent for processing activities.

Personal Data Defined

The GDPR’s broad definition of “personal data” includes “any information relating to an identified or identifiable data subject.” This kind of information (which we listed out in the previous section) is very specifically defined in the CCPA and, unlike the GDPR, also includes information linked and the household or device level. Also, it is worth mentioning that the CCPA’s definition of personal information does not include any publicly available government records.

Regarding Consent

In both the CCPA and the GDPR, legally speaking, “consumers” (CCPA) and “data subjects” (GDPR) both have the right to access their personal information and to request additional information on why the business in question is collecting their data and what it is being used for. In terms of consent, the CCPA states that children aged 13-16 can directly provide consent for their data to be collected, but their data cannot be sold if they are under 16. Children under 13 require parental consent before their user data can be collected. The GDPR has marked the default age of consent at 16, but the personal data of children is also subject to heightened security requirements. In a similar fashion, the GDPR also holds parents responsible for providing consent before their children’s data can be collected and processed.

Whom Does the CCPA Apply to?

More businesses are exempt from the CCPA than the GDPR. The CCPA aims at regulating “Any for-profit entity doing business in the state of California that meets one of the following requirements:”

  1. Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
  2. Has a gross revenue greater than $25 million.
  3. Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
  4. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

On top of this, the CCPA applies to any entity that either:

  1. Controls or is controlled by a covered business.
  2. Shares branding with a covered business (i.e. shared name, trademark, service mark etc.).

The GDPR is substantially different in which parties are regulated, identifying data controllers and processors that:

  1. Operate from the European Union and process the personal data of any European citizens, regardless of where the data processing takes place, it applies to businesses processing data within and outside of the European Union.
  2. Are not established in the EU but still process data subjects’ personal data for the purpose of offering goods or services, or simply just to monitor their behavior.

If your organization’s website meets any of the above criteria then you are certainly responsible for complying with either the CCPA, GDPR or both. If your site collects any data on Californians and EU you should double-check to make sure your tracking methodology, privacy policy, opt-in measures, and/or personal data collection verification and deletion strategies are compliant with the new laws.

What’s at Stake?

If the CCPA applies to your company’s website, and your site is currently not complying with the standards imposed in this new legislation, you run the risk of private attorneys bringing legal action to your doorstep. Non-compliant businesses should also be prepared to handle class-action lawsuits for statutory damages ranging from $100 to $750 per violation, or actual damages–whichever is greater. That being said, the CCPA still grants companies a 30-day period to resolve violations if at all possible.

For especially severe violations, The GDPR sets forth fines of up to 20 million euros in the case of an undertaking, up to 4% of the company’s total global turnover of the preceding fiscal year–whichever is higher. Less severe violations can fine up to 10 million euros. Company websites can be “caught” and punished through various ways, such as a proactive inspection conducted by independent data protection authorities, by customers or an unsatisfied employee who complains to authorities, revelations made by investigative journalists, or even an accidental self-denouncement made by the company in question. You can view all of the data controllers and processors who have already been fined and penalized since the GDPR legislation went into effect via the GDPR Enforcement Tracker.

How Can I Meet the CCPA’s New Compliancy Standards?

In summary, as of January 1st, 2020, Californian residents can now demand to see who has their personal data, what they are currently doing with it, and who it is being shared with. Your company must have a way to provide users with their personal information within 30 days of their initial request. Generally speaking, your team of web developers and content writers will likely be the ones getting your website in compliance with the new regulations. This team needs to focus on several areas of the site, ensuring to include opt-in/opt-out ability throughout the entire site, updating the privacy policy, ensure ease of opting out and/or requesting information, take on special considerations for minors, and review the ways in which they collect and process data.

If you have taken measures in the past to become GDPR compliant then the good news is that you have already completed over half of the work that needs to be done to meet CCPA standards. Outside of GDPR standards, here’s what else needs to be updated on your website:

Privacy Policy

The privacy policy on your website needs to be updated to include references to the CCPA, information on how to contact your business, and any information on the selling and sharing of personal user data. Be sure to confirm that any language on cookies, data collection points, and opt-in/opt-out disclaimers are conforming to both GDPR and CCPA standards.

Ease of Opting-Out

The language on your website’s opt-in/opt-out checkbox (GDPR-compliant websites will already have this set up) now needs to be updated to meet CCPA requirements for both adults and children. Opt-out check boxes must be added any and everywhere data is collected on the website.

Answering Requests for Personal Information

If your company does not already have procedures set in place for your IT team to access personal information and subsequently respond to user requests for access to their own personal information; these protocols must be developed immediately. By law, users who request access to their own personal information must first prove their identification, usually via an email address or SMS message. Once their identity has been verified, users may request to have their personal information delivered electronically. They also then have the right to request that all of their information be deleted from their records.

Updating Frontend & Backend Data Collection and Processes

On the front end, make sure you add a “Do Not Sell My Personal Information” link on your homepage that is easily accessible to any visitor (i.e. not inconspicuous). On the flip side, and related to the section above, a backend system must be created to verify the identities of anyone requesting user data.

To Conclude:

The California Consumer Privacy Act is an active law that applicable businesses must comply with whether they are ready to or not. Non-compliance will put any company that does business with Californians and meets the above requirements at serious risk. Thankfully, DesignHammer's team of expert designers and developers are here to offer support to any businesses who are concerned about the recent CCPA legislation and want to learn whether or not it affects their website. If the CCPA does apply to you, take solace in the fact that DesignHammer offers simple CCPA and GDPR compliance solutions for business websites and can make your website compliant in no time.

Contact DesignHammer for more CCPA assistance