1. What Is the CCPA?
The CCPA is a California data privacy law that sets requirements for how businesses can lawfully handle Californian consumer data.
- Consumer — Under the CCPA, a consumer is any California resident. Therefore, “consumer” refers to those protected by the law.
- Personal information — Personal information is any data that can be used to identify a person, household, or device. This includes actively-given information like names and email addresses, as well as passively-collected information like that from cookies or analytics software.
- Do Not Sell My Personal Information — A Do Not Sell My Personal Information link directs consumers to a page, portal, or form where they can request that their personal information not be sold. Websites must include this link on their homepages and in their privacy policies to comply with the CCPA.
Who Needs to Comply with the CCPA?
Although the CCPA is based in California, businesses from around the world are subject to it. You need to comply if you:
- Make $25 million or more in gross revenue each year
- Annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more California consumers, households, or devices
- Make 50% or more of your annual revenue from the sale of consumers’ personal information
1. What Personal Information Is Collected
- Contact information (e.g., email address, phone number)
- Residential information
- Employment history
- ID information (e.g., social security numbers, employment ID numbers)
- Credit card information
- Biometric data
- Browsing information
- Cookie data (information collected by cookies or similar tracking technologies)
- Visual, audio, facial, and thermal data
These are common examples of categories of information that businesses collect from consumers. The official CCPA text further outlines categories of protected personal information.
2. With Whom You Share or Sell Personal Information
One of the primary goals of the CCPA is to regulate the buying and selling of personal data. The legislation seeks to do this by mandating that businesses disclose the third parties with whom they share or sell personal information.
This privacy notice includes a table that clearly outlines what categories of information are shared for commercial purposes, and with whom they’re shared:
Although you don’t need to detail your data sharing in a table, strive to match this level of transparency in order to maximize your notice’s CCPA compliance.
3. What Rights California Consumers Have
Under the CCPA, consumers have been granted unique rights. These include:
- The right to request access to information collected from or about them
- The right to request information be edited or deleted
- The right to not be discriminated against based on actions they take regarding their data
- The right to opt out of the sale of their personal information
This sample privacy notice includes an explanation of each right, and provides links for California consumers who wish to act on their rights.
4. Do Not Sell My Personal Information Link
NerdWallet gives consumers detailed instructions on how they can opt out of the sale of their personal information.
1. Use Plain English
- Avoid legalese
- Explain everything carefully, yet concisely
2. Label Your California Sections or Policy
- Website’s footer
- Website’s menu
- Sign-up pages
- Checkout pages
- Contact forms
Many companies have implemented CCPA privacy policies since the institution of the law. Look at how other businesses follow CCPA guidelines in their privacy notices to get a better idea of how your CCPA privacy statement should look.
First, they clearly label the section dedicated to California consumers. Within this section, they provide a detailed table of categories of personal information they may collect, where it may be collected from, how it may be used, and with whom it may be shared:
The above example is only an excerpt from the privacy statement’s California notice of collection section. The table continues to extensively detail the site’s handling of California consumer information.
This section explains the CCPA right to opt out, and gives users instructions on how they can request that their personal information not be sold.
Finally, the LA Times policy includes a section on California consumers’ rights under the CCPA:
- Ensure your entire policy uses plain English, readable text, and is formatted for easy navigation.
- Label your CCPA policy or CCPA section of your policy to indicate that it’s for California consumers.
- Add a notice of collection, in which you detail what categories of personal information you collect, how you collect it, how you use it, and with whom you share it. (This section is most commonly formatted as a table.)
- Add a section titled “California consumers’ rights.” Explain the rights Californians have under the CCPA and how they can act on these rights (for example, how they can request that your website delete their personal information).
- Add a Do Not Sell My Personal Information link (or section) that allows consumers to opt out of the sale of their personal information.
- Implement systems that allow you to handle CCPA requests, such as Do Not Sell requests.
- Add accurate contact information to your policy.