Inspired by the GDPR, the California Consumer Privacy Act of 2018 (CCPA) is the toughest data privacy law in the United States to date, but Clym can help make your website compliant easily and stress-free.
Effective January 2020, the law will significantly impact the way businesses collect and process personal data by expanding the California consumer rights in terms of data privacy.
The CCPA considers personal information to be any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Who does the CCPA apply to?
The CCPA applies to any for-profit organisation doing business in California that:
- Has a gross revenue greater than $25 million.
- On an annual basis, collects, buys, receives, sells or shares the personal information of at least 50,000 California consumers, households or devices.
- Obtains at least 50% of its annual revenue from the sale of California consumers’ personal information.
The CCPA aims to protect consumers who:
- Are in California for more than just a temporary period or transitory purpose.
- Are domiciled in California, but are out of the state for a temporary period or transitory purpose.
What personal information is covered?
- Identifiers such as name, surname, initial, alias, postal address, IP address, unique personal identifier, social security number, driver's license number, account number, passport number, etc.
- Biometric information such as health data, face, fingerprints, retina, DNA, etc.
- Commercial information, including records of personal property; products or services purchased, obtained or considered; and purchasing or consuming histories and tendencies.
- Geolocation data such as device location history.
- Internet activity such as browsing and search history, as well as information regarding consumers’ interaction with a website, application or advertisement.
- Education information not otherwise available.
- Employment or professional information not otherwise available.
- Inferences drawn from any of the information identified in this section that contribute to the creation of a consumer profile regarding the consumer’s preferences, characteristics, behaviour, attitudes, etc.
What are the exceptions?
The following types of personal information are exempt from the CCPA's requirements:
- Medical data or protected health information governed by the California Confidentiality of Medical Information Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the "Common Rule" applicable to clinical trials.
- Personal information governed by the federal Gramm-Leach-Bliley Act and implementing regulations or the California Financial Information Privacy Act.
- Personal information provided by credit reporting agencies governed by the Fair Credit Reporting Act.
The CCPA must not restrict a business's ability to:
- Comply with federal, state or local laws.
- Comply with a regulatory, civil or criminal inquiry or investigation.
- Cooperate with law enforcement agencies in an investigation regarding the activities performed by the business, a service provider or a third party.
- Collect or sell personal information if that commercial conduct takes place wholly outside of California.
What are the CCPA Penalties?
FOR INTENTIONAL VIOLATIONS
FOR ACCIDENTAL VIOLATIONS
California Consumers' Rights
Right to know
At a consumer’s request, businesses must disclose what personal information they have collected, why they collected it, how it is used and who else has access to it.
Right to delete
Under the CCPA, a consumer has the right to request the deletion of any personal data that an organisation has collected about that consumer.
Right to opt-out of sale
Consumers have the right to request that businesses stop selling their personal information to another business or third party.
Right to non-discrimination
This right protects consumers against discrimination after having exercised their rights under the CCPA, ensuring they will not be treated differently.
Private right of action for security breaches
Consumers whose non-encrypted personal information was subject to unauthorised access, theft or disclosure are granted a private right of action.
Make your website fully compliant for the CCPA and GDPR regulation today!
Not sure about what you need to do to become compliant? Schedule a private consultation with one of our consultants.
CCPA Compliance Requirements
- Make sure your Policies include information on your data collection and sharing practices with regard to personally identifiable information (PII) for the past 12 months. Specify how, why and what PII you collect and process.
- Verify the identity of users submitting access or deletion requests.
- Provide users with a way to opt out of the sale of their personal information.
- Enable users to opt in or out of cookies at any moment.
- Document and maintain records of compliance.
- Ensure the security of personal information through reasonable security and privacy practices.
CCPA Compliance Checklist
CCPA-Compliant Policies And Procedures
Make sure your policies and procedures include information about California consumer rights, how they can submit requests related to these rights, what personal information you have collected in the past 12 months, how it was collected and for what purpose.
Additionally, you must also mention what personal information categories you disclosed or sold to any third parties in the last 12 months.
How Clym can help:
- Jurisdiction-flexible policies, terms, agreements and procedures.
- Real-time policy update and versioning, allowing you to create, modify and publish new versions of your policies instantly, in a transparent way.
- Flexible set up per country, enabling you to stay connected with your users and adapt to new privacy requirements, regardless of their location.
- Embeddable policies that can be included anywhere on your website. When you edit them, you only need to do it in one place, as they will be updated on all pages.
- Document sharing through unique URLs for easier agreement and procedure sharing with your partners.
Inform your users before or at the point of collection about what categories of personal information you are collecting about them and for what purposes.
Don’t collect any other information or use it for other purposes than the ones presented to the consumer. Enable them to easily opt-in or out of cookies.
How Clym can help:
- Automatic website cookie scanner that identifies all the cookies used on the website and what data they collect, and automatically assigns each one to a processor from our repository of 100+ third-party vendors.
- Comprehensive cookie consent management through our advanced cookie tag manager, cookie indexation, supplier whitelisting and piggybacking prevention.
- Brandable cookie notice layouts with your company’s logo and colors for a consistent user experience.
- Customisable opt-out/opt-in configuration for non-essential cookies.
- Consent collection for loading embedded content such as videos or forms.
Identity Verification For Consumer Requests
Before disclosing any information, make sure you verify the identity of the consumer making the request. To do so, you need to provide data subjects with a way to confirm their identity.
How Clym can help:
- Consumer identity verification using a unique confirmation link that is sent to the data subject's e-mail address.
- Verification status for all received requests.
- Platform linking between consumers' profiles and their submitted requests to facilitate request fulfilment.
Reasonable Data Security and Privacy
Under the CCPA, you have the obligation to ensure the security of consumers’ data and to prevent unauthorised access to their personal information through reasonable privacy and security practices.
How Clym can help:
- Data encryption, anonymisation and strict platform access control policies to help you minimise the risk of losing customer data.
- Anonymised consumer profiles where we group all their consent actions and requests.
Look Back Requirement
When receiving a disclosure request, you must provide the information for 12 months back, which means you need to properly map the personal information you collect.
How Clym can help:
- Data mapping through data classification by data point and category, including sensitive information.
- Management of processing purposes, data processors, legal bases and retention periods.
- Data processing agreements management for each data processor.
Records Of Compliance
To really stay on the safe side, make sure you keep records of compliance to be able to prove you respected California consumer rights and the CCPA’s requirements overall.
How Clym can help:
- Integrated audit system for user consent actions and cookie management where everything is digitally signed and cannot be altered.
- Automatically generated consent receipts for all consent-related actions that the user performs. These include what type of data was collected (without disclosing PII), the collection purpose, retention period, legal basis, and who else has access to it.
- Public consent receipts ledger where we store all consent receipts, which allows you, your data subjects or other parties to verify consent receipts.
Clym is the data privacy platform that helps organisations meet their data protection obligations. Cookies, Consent, Requests, Policies and more are all managed in a secure and adaptive application.
2020 © Clym Ltd. Registered in England & Wales, No. 11332037