How to get your website ready for CCPA compliance
The California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020, protects consumers' privacy and their rights over the collection and use of their personal information. Under the Act, consumers have the right to know what categories of personal information a business collects and whether it is disclosed or sold, and the right to direct the business not to sell their personal information.
Consumers can also request access to the personal information a business holds about them and ask the business to delete it. Businesses that fall within the Act's scope must meet all of its requirements, and the requirements apply even to a business with no physical presence in California, as long as it does business there and collects personal information of California residents.
What types of websites need to comply with CCPA?
In practice, CCPA reaches most for-profit businesses operating in the United States that collect personal information of California residents. Formally, a business must comply if it does business in California and meets any one of the following thresholds:
Annual gross revenue of more than $25 million.
It annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices.
It derives 50 percent or more of its annual revenue from selling consumers' personal information.
What upgrades are necessary to the website for CCPA compliance?
Privacy policy
Ideally, your legal team should be involved in updating the website privacy policy for CCPA, but there are a few things you can do right away. At a minimum the policy needs to state which categories of personal information the business collects and the purposes for which it collects them.
The following points must be included in the privacy policy:
A description of the rights consumers have under CCPA and what each right covers.
A clear description of the methods consumers can use to submit CCPA requests to the company.
A complete list of the various categories of personal information of consumers that the business has collected during the preceding 12 months.
A complete list of the categories of consumers' personal information that the business has sold in the preceding 12 months (or a statement that no personal information has been sold, if that is the case).
A complete list of the categories of consumers' personal information that the business has disclosed for a business purpose (but not sold) in the preceding 12 months (or a statement that no personal information has been disclosed, if that is the case).
Furthermore, CCPA requires the privacy policy on the website to be reviewed and updated at least once every 12 months.
Facilitating opt-in/opt-out across the website
The language on the website's opt-in/opt-out checkboxes should be updated to meet the Act's requirements for both minors and adults, and the checkboxes should appear on every page where consumer data is collected. Note that the opt-out must work without friction: CCPA does not allow a business to require a consumer to create an account in order to opt out of the sale of their personal information.
Ease of requesting information
The business should define procedures that make it easy for employees to respond to consumer requests to access their personal information. These should cover verification of the consumer's identity, confirmation of the channel for delivering the personal information electronically to the consumer, and tracking of the response deadline (CCPA requires a response within 45 days of receiving a verifiable request, extendable once by a further 45 days where reasonably necessary). The procedures should also cover consumer requests to delete their information from the business's records.
Data collection and processing
Adequate measures should be implemented to protect consumers' rights throughout the data collection and processing life cycle: for example, tightening access controls and security configuration where data is stored in the cloud, and encrypting data in transit and at rest so that unauthorized access does not turn into a breach. This matters under CCPA in particular because the Act gives consumers a private right of action when a breach of their personal information results from a business's failure to maintain reasonable security.
Back-end design
The front end must carry a clear and conspicuous 'Do Not Sell My Personal Information' link on the homepage (and the privacy policy must link to it too), and the back-end system must be updated to record that choice and to handle access and deletion requests, in particular the verification of the identity of the person making the request.
Special concern for minors
Under CCPA, a business may not sell the personal information of a consumer it knows is under 16 unless there is an affirmative opt-in: the consumer's own consent for consumers aged 13 to 15, and a parent's or guardian's consent for children under 13. (Collecting personal information from children under 13 is separately governed by the federal COPPA, which requires verifiable parental consent before collection.) The website should therefore include online forms or buttons that capture and record the required consent before any personal information of a minor is collected, processed or sold.
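As an added example, not code from the original page, here is a minimal Python model of the back-end pieces the sections above describe: the opt-out register behind the 'Do Not Sell' link, a sale gate that applies the under-16 opt-in rule, and a verified access/deletion request flow with a response deadline and an audit trail. All names, the emailed one-time-token verification method and the sample records are assumptions made for illustration; CCPA does not prescribe a single verification method.

```python
"""Added example, not from the original page: a minimal back-end model of the
CCPA controls described above. Names, the token-by-email verification step and
the sample records are hypothetical and constructed for this example."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import hmac
import secrets

RESPONSE_WINDOW = timedelta(days=45)   # CCPA: respond within 45 days of receipt
TODAY = date(2020, 7, 1)               # fixed reference date for the sample data


@dataclass
class Consumer:
    consumer_id: str
    email: str
    birth_date: date
    do_not_sell: bool = False          # set through the 'Do Not Sell' link
    # Affirmative opt-in to sale, required for under-16s:
    # "self" for ages 13-15, "parent" for under 13, None if never given.
    sale_opt_in_by: Optional[str] = None
    data: Dict[str, str] = field(default_factory=dict)


def age_on(birth: date, today: date) -> int:
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def may_sell(c: Consumer, today: date) -> bool:
    """Route every transfer of personal information to a third party through here."""
    if c.do_not_sell:
        return False                   # an opt-out always wins, adult or minor
    age = age_on(c.birth_date, today)
    if age >= 16:
        return True                    # 16 and over: sale allowed until opt-out
    if age >= 13:
        return c.sale_opt_in_by == "self"    # 13-15: the minor's own opt-in
    return c.sale_opt_in_by == "parent"      # under 13: parent/guardian opt-in


class PrivacyDesk:
    """Intake and fulfilment of opt-out, access and deletion requests."""

    def __init__(self, consumers: List[Consumer]):
        self.by_email = {c.email.lower(): c for c in consumers}
        self.pending: Dict[str, tuple] = {}
        self.audit: List[tuple] = []   # events only, no personal information

    def record_opt_out(self, email: str) -> bool:
        c = self.by_email.get(email.lower())
        if c is None:
            return False
        c.do_not_sell = True
        self.audit.append(("opt_out", c.consumer_id))
        return True

    def open_request(self, email: str, kind: str) -> Tuple[str, str]:
        """Returns (request_id, token). The token is delivered out of band to the
        supplied address only, so presenting it later proves control of that
        address. A token is minted even for unknown addresses, so the response
        does not reveal whether a record exists."""
        if kind not in ("access", "delete"):
            raise ValueError("kind must be 'access' or 'delete'")
        request_id = secrets.token_urlsafe(8)
        token = secrets.token_urlsafe(16)
        due = datetime.now(timezone.utc) + RESPONSE_WINDOW
        self.pending[request_id] = (email.lower(), kind, token, due)
        self.audit.append(("opened", request_id, kind))
        return request_id, token

    def overdue(self, now: Optional[datetime] = None) -> List[str]:
        now = now or datetime.now(timezone.utc)
        return [rid for rid, (_, _, _, due) in self.pending.items() if now > due]

    def fulfil(self, request_id: str, token: str) -> Optional[Dict[str, str]]:
        entry = self.pending.pop(request_id, None)   # single use
        if entry is None:
            raise LookupError("unknown or already used request")
        email, kind, expected, _due = entry
        if not hmac.compare_digest(token, expected):  # constant-time compare
            self.audit.append(("verify_failed", request_id))
            raise PermissionError("identity verification failed")
        c = self.by_email.get(email)
        if c is None:
            self.audit.append(("no_record", request_id))
            return None
        if kind == "access":
            self.audit.append(("access", c.consumer_id))
            return dict(c.data)
        c.data.clear()                 # deletion; the opt-out flag is kept
        self.audit.append(("deleted", c.consumer_id))
        return {}


def sample_consumers() -> List[Consumer]:
    """Constructed sample records (not real people): an adult, a 13-year-old
    who opted in, and a 9-year-old with no parental opt-in."""
    return [
        Consumer("c1", "adult@example.com", date(1985, 4, 2), data={"zip": "94016"}),
        Consumer("c2", "teen@example.com", date(2006, 7, 9), sale_opt_in_by="self"),
        Consumer("c3", "child@example.com", date(2011, 1, 1)),
    ]
```

The sale gate is the piece worth copying: third-party sharing code should call `may_sell` rather than checking the opt-out flag alone, so the minor rule cannot be bypassed. Deletion clears the record but keeps the `do_not_sell` flag, so a later re-collection of the same person does not silently re-enable sale.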
Checklist for CCPA compliance
The following points will help in assessing whether your website meets the CCPA compliance requirements:
Does the Privacy Policy meet the CCPA Requirements, and has the policy been updated within the preceding 12 months?
Does your website offer easy options for consumers to opt-out of selling personal information?
Is it easy for users to review their personal information or contact you to get more details about it?
Does the website obtain the required prior consent (the minor's own for ages 13 to 15, a parent's or guardian's for children under 13) before a minor's personal information is collected or sold? Is evidence of that consent recorded electronically?
Is it easy to verify the identity of users who make requests to access or delete their personal data?
Do you need to make changes if your website is already GDPR compliant?
If your website is GDPR compliant, the chances are that it already satisfies some of the provisions laid down by CCPA. However, GDPR compliance does not guarantee CCPA compliance, as the scope of the two laws differs significantly.
GDPR focuses on ensuring ‘privacy by default’ for the entire EU. In contrast, CCPA aims to provide a more transparent environment for California residents to exercise their right to privacy and to control how businesses can use their personal data.
Whereas GDPR requires a lawful basis, often the user's prior consent (opt-in), before personal data is collected and used, CCPA permits collection and sale by default and instead gives consumers an opt-out.
The similarities between the two include the rights to information about, access to and deletion of consumers' personal data. Additionally, both laws have extraterritorial scope, which means that the rules apply to any business, irrespective of its location, that collects personal data of the people each law protects (users in the EU and California residents respectively).
Conclusion
We follow an end-to-end approach in helping clients comply with the provisions of CCPA. Our services range from creating opt-out links or buttons on the front end of the website to updating the back-end systems and processes so that data is collected and processed as the Act requires. Additionally, we incorporate the required security controls and identity verification mechanisms, and measures to prevent data breaches, to ensure that our clients' websites are CCPA compliant.