The CCPA applies to businesses that collect personal information from California consumers. Let’s define each of these terms in the context of the official CCPA legislation:
Businesses — Under the CCPA, businesses meet one of the following thresholds:
- Makes $25 million+ in annual gross revenue
- Annually buys, sells, or engages in the exchange of 50,000+ consumers’ personal information for commercial purposes
- Makes 50%+ annual revenue from the sale of personal information
Personal Information — Personal information is any piece of data that can be reasonably linked to an individual. Information lawfully made available from federal, state, or local authorities is not considered personal information under the CCPA if this information is used for purposes compatible with the purposes for which the data is “maintained and made available” to the public. All other types of publicly available information are within the scope of CCPA.
Consumers — Consumers are California residents.
1. Provide a Notice of Collection
The CCPA requires you to provide consumers with a notice of what personal information you’ve collected in the past 12 months, along with details about your purpose for collecting that information.
Categories of Personal Information
Your notice of collection must list which categories of personal information your business collects from consumers. The CCPA lists the following as categories of information:
| Category | Examples |
| --- | --- |
| Personal identifiers | Name, email address, social security number |
| Commercial information | Records of purchase, property records, transaction histories |
| Information described in subdivision (e) Section 1798.80 of the California Civil Code | Passport number, driver’s license number, state ID number |
| Protected classifications | Race, gender, sexual orientation |
| Biometric information | Fingerprints, call recordings, facial recognition |
| Electronic network activity | Browsing records, search history, internet preferences |
| Geolocation information | IP address, mobile app location, search settings |
| Sensory information | Audio recordings, thermal data, visual settings |
| Professional information | Employment history, employment records, application information |
| Education information | Exam details, admissions history, attendance records |
| Inferences used to create a consumer profile | Aptitudes, behavior, preferences |
Here’s an example of how Caderet Grant’s notice of collection lists the categories of personal information they’ve collected in the past 12 months:
Types of Personal Information Collected
In the example above, you’ll notice that next to each category of personal information is a list of types of personal information collected.
Your list should be as exhaustive as possible, and each type of personal information should be grouped with the corresponding category.
Purpose of Collection
The next item in your CCPA notice of collection should be your commercial or business purpose for collection.
State why your business collects each category of personal information and how you use this information.
Check out Daimler’s privacy notice and how they state their purposes for collection under the heading “How we use it”:
As you can see in the example, your explanation of purpose doesn’t need to be extensive or formal. Use plain language and be transparent so consumers can easily understand why you need their personal information.
Sources of Collection
Alongside each category of personal information, list what sources this information is collected from. See the example above for reference.
Common sources include:
- Directly from the consumer
- Social media
- Analytics software
- Third parties
Data mapping can help you determine each piece of personal information you collect and where that information comes from.
Sharing or Sale of Information
The last activity that your notice of collection needs to address is whether you share or sell any categories of personal information. The CCPA defines “selling” as:
selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating […] for monetary or other valuable consideration
You need to specify whether each category of personal information is sold (as defined above) or simply shared.
Whether you outline this information in a table or in its own section, you need to explain whether you share or sell information, with whom, and for what purposes.
2. Explain Consumer Rights
Right to Access
The right to access allows consumers to request you provide them with logs of the personal information you’ve collected from or about them.
Keep in mind two unique features of the CCPA right to access:
- A consumer can only request access to their personal information twice in a year.
- Once you’ve verified a consumer’s request, you need to provide them with the requested information within 45 days. A one-time extension of up to 90 days may be possible, but you’re required to notify the consumer of the reasons for the extension within the first 45 days after receiving the request.
Toyota’s policy clearly explains this right and what information consumers may request from the business.
Right to Deletion
Right to Non-Discrimination
The CCPA also grants consumers the right to not be discriminated against because of actions they take regarding their privacy rights. For example, you can’t penalize a consumer who requests the deletion of their personal information.
Forms of discrimination that are prohibited under the CCPA include:
- Denying goods, services, or discounts
- Charging different prices
- Providing a different quality of goods or services
- Implying that you’ll discriminate against them if they act on their consumer rights
You also need to explain to consumers how they can act on their rights. Methods can include a form, webpage, phone number, or email address.
3. Add a Do Not Sell My Personal Information Link
A Do Not Sell My Personal Information link directs consumers to a method where they can opt out of the sale of their personal information.
When consumers click this link, they should be taken to a form, page, or portal that allows them to request their personal information not be sold. Once you receive this request, verify it immediately and honor the consumer’s right to opt out.
4. Provide Contact Information
While a toll-free number or email address is the minimum CCPA requirement, it’s recommended that you add multiple contact methods (as Blueair does in the example above).
5. Post Your Policy
- Website footer
- Main menu
- Checkout pages
- Sign-up pages
- Help centers
6. Update Your Policy