Website Tips For CCPA Compliance

The California Consumer Privacy Act’s (“CCPA”) July 1, 2020 enforcement date snuck up on a number of companies, as many had their attentions elsewhere dealing with the global pandemic. Many still find themselves out of compliance with the new regulation, and are either scrambling to implement an appropriate compliance framework or, in the alternative, burying their heads in the sand (we don’t recommend the latter).  Given that many companies are still unclear about what they can and should be doing to comply with CCPA, we thought it would be helpful to share a few tips and steps to take to improve your website and privacy program to ensure the California Attorney General (“AG”) does not determine that your company is out of compliance. 

Do Not Sell My Personal Information

One of the most contentious, and still misunderstood, aspects of CCPA (and one that is easy for the AG or consumers to check) is the “Do Not Sell My Personal Information” link requirement, together with the definition of “sale” under the CCPA. Many companies take the position that because they are not data brokers they do not “sell” information; however, this is a common misunderstanding of the provision. Some things to consider:

  • Even if your business is not a data broker, you should review your AdTech activities, such as reviewing your cookies and trackers on your website. If you’re using common tools like Google Analytics or Facebook Pixel, this may fall under the definition of “sale” of data
  • If you’re using cookies or tracking scripts, or sharing/selling data in any way, you should outline this in your privacy policy
  • Explore whether your sharing activities are exclusively to “service providers” or businesses that would not meet the “sale” criteria and make sure the privacy policy accurately discloses those activities

Your website can accommodate this requirement by incorporating a compliant “Do Not Sell My Personal Information” link.

Privacy Policy

CCPA requires a number of privacy policy disclosures, and you’ll need to make sure yours includes:

  • Effective date
  • CCPA specific disclosure requirements (if you’d like, you can link to a separate California-specific privacy policy)
  • Update every twelve (12) months
  • Web forms and contact methods (such as a toll-free phone number) for a California consumer to make a data subject access request (“DSAR”)
  • DSARs must be responded to within a certain period of time, and failing to do so can result in significant fines and penalties
  • Accurate descriptions of personal information collected, purposes of collection, and any sharing/selling activities
  • Contact information where consumers may submit questions or concerns about the business’s privacy policy and processing activities

Opt Out Mechanisms

CCPA requires that companies provide consumers with a way to “opt-out” of data collection. One of the most common data collection points is a company’s website, and likely the most common personal information collected is a website visitor’s IP address. If your website is using cookies or tracking scripts (most do), then it’s highly likely that you’re collecting personal information. If that’s the case, then you need to provide consumers with a way to “opt-out” of cookie collection. If you think that this can be accomplished by “Do Not Track” signals or emails, you’d be wrong. The best way to manage this opt-out functionality is by using a cookie consent management platform.
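As an added example (not code from the original post or from Clym’s product), the script below sketches the gating that the “Do Not Sell” and opt-out sections call for: the “Do Not Sell My Personal Information” link writes an opt-out preference, and tags such as Google Analytics and Facebook Pixel load only while that preference is absent. The cookie name `ccpa_opt_out`, the link element id `do-not-sell`, and which tags count as a “sale” are assumptions made for illustration.

```javascript
// Consent gate for third-party tags (illustrative; cookie name and tag
// classifications are assumptions, not a legal determination).
const OPT_OUT_COOKIE = "ccpa_opt_out"; // hypothetical first-party cookie name

// Tag inventory produced by the AdTech review the post recommends.
// "sale: true" marks tags the business treats as a possible "sale".
const TRACKERS = [
  { id: "google-analytics", sale: true,
    src: "https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID_PLACEHOLDER" },
  { id: "facebook-pixel", sale: true,
    src: "https://connect.facebook.net/en_US/fbevents.js" },
  { id: "first-party-metrics", sale: false, src: "/static/metrics.js" },
];

// Parse a document.cookie style string; true when the visitor has opted out.
function hasOptedOut(cookieString, name = OPT_OUT_COOKIE) {
  return cookieString
    .split(";")
    .map((c) => c.trim())
    .some((c) => c === `${name}=1`);
}

// Tags that may load: when opted out, withhold anything classified as a sale.
function permittedTrackers(trackers, optedOut) {
  return trackers.filter((t) => !optedOut || !t.sale);
}

// Cookie value the "Do Not Sell" link writes (one year, first party only).
function optOutCookieValue(name = OPT_OUT_COOKIE, maxAgeDays = 365) {
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${name}=1; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Inject only the permitted scripts; returns the ids that were loaded.
// Takes the document as a parameter so the logic is testable outside a browser.
function loadPermittedTrackers(doc, cookieString) {
  const allowed = permittedTrackers(TRACKERS, hasOptedOut(cookieString));
  for (const t of allowed) {
    const s = doc.createElement("script");
    s.async = true;
    s.src = t.src;
    doc.head.appendChild(s);
  }
  return allowed.map((t) => t.id);
}

if (typeof document !== "undefined") { // browser entry point
  loadPermittedTrackers(document, document.cookie);
  const link = document.getElementById("do-not-sell"); // assumed link id
  if (link) link.addEventListener("click", (e) => {
    e.preventDefault();
    document.cookie = optOutCookieValue();
    location.reload(); // reload so already-injected tags are dropped
  });
}
```

Tags injected before the click are only removed by the reload, so the gate must run before any tag is inserted elsewhere on the page.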

What Happens If I Don’t Comply?

CCPA does have a 30-day “right to cure” provision, which generally allows businesses 30 days to rectify any issues like the ones described above. So if your website isn’t compliant you will likely have time to fix the issue. However, if your business receives a notice of a potential violation of the CCPA from the California AG’s office, it will result in an all-hands-on-deck fire drill given the magnitude of the penalties that can be assessed for noncompliance, so make sure that you reply within the 30 days provided by the CCPA. Further, these letters request that recipients outline not only what they did to resolve any potential violations but also what they are going to do in the future to prevent the violation from occurring again, so be sure to include future assessments, legal opinions, and technology implementations that are on the business’s CCPA compliance roadmap.

How Can Clym Help?

Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with GDPR, CCPA and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues.  Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.