The California Consumer Privacy Act (“CCPA”) has new requirements that will impact your website if your company is regulated by the law. Because the CCPA is written broadly, with the goal of protecting California consumers in an online era, many non-California businesses are discovering that it will impact them because of their online activity. The first step in determining whether you need to make CCPA updates to your website is to determine whether the CCPA even applies to your organization. If the CCPA does apply, your organization needs to ensure it meets all the CCPA website standards.
I. CCPA Applicability
How do you know whether the CCPA applies to your organization? The CCPA applies if you are a for-profit entity that collects and/or processes the personal information of any California residents and you meet at least one of the following requirements:
- An annual gross revenue (not profit) of $25 million or more;
- If you obtain the personal information of at least 50,000 California residents, households, and/or devices per year;
- If at least 50% of your annual revenue comes from the sale of Californians’ personal information.
Nonprofit entities are generally excluded by the law but will have to comply if they handle personal information on behalf of a for-profit entity. There are also rules governing compliance for companies that share common branding (see our post for more information if you have parent or sibling organizations).
In determining whether your organization meets the requirements for falling under the regulatory reach of the CCPA, it is important to remember that the definition of personal information in the CCPA is very broad. You can take our free CCPA Applicability Quiz to determine whether your business is regulated by the CCPA.
II. CCPA Website Requirements
A. Do Not Sell My Personal Information
The CCPA’s most clear website requirement impacts businesses’ homepages. Any regulated company must have a clear link on its homepage that says “Do Not Sell My Personal Information.” The link must be “clear and conspicuous” and take consumers to another page that allows them to opt out of the sale of their information.
No specific parameters for this “clear and conspicuous” link are provided in the text of the statute, but the Attorney General is specifically granted the power to implement a “recognizable and uniform opt-out logo or button [for use by] all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information.” During the public meetings the AG held earlier in the year, commenters suggested that the AG should implement a uniform opt-out logo similar to the AdChoices logo used in online advertising to link customers to choices regarding cookies and tracking technologies. It is currently unclear whether any such clarification is forthcoming.
Additionally, the CCPA-regulated businesses must include certain information in their online privacy policies and any other policies that specifically identify Californians’ privacy rights. Companies will need their updated privacy policies to include: (1) a description of consumers’ rights under the CCPA, (2) a description of at least one designated method for consumers to submit CCPA requests to them, (3) a list of categories of consumer personal information they have collected in the preceding 12 months, (4) a list of categories of personal information they have sold in the preceding 12 months (or, if businesses have not sold personal information, they shall so state), and (5) a list of categories of personal information they have disclosed (not sold) for a business purpose in the preceding 12 months (or, if they have not disclosed personal information, they shall so state). Under the CCPA, regulated businesses must update their privacy policies at least once every 12 months.
The required description of consumers’ rights under the CCPA (see (1) above) will need to include notice that:
- California consumers have the right to opt out, which is the right to, at any time, direct a business not to sell their information to third parties;
- Consumers’ information may be sold (or that consumers’ information will not be sold);
- Businesses that have been directed by a consumer not to sell the consumer’s information are prohibited from selling that information unless the consumer later expressly authorizes the sale of the personal information;
- Businesses may not sell the person information of minors without (1) the minor’s prior consent if the child is aged 13-16, or (b) the minor child’s parent’s consent if the child is less than 13.
III. Designated Method for Submitting Requests
In addition to the mandated opt-out of sale option, the CCPA also grants California consumers the right to request access to personal information collected about them. Regulated businesses must provide at least two designated methods for submitting consumer requests: a toll free number and a web address. (Businesses that do not operate a website can provide a mailing address or other applicable contact information as their second designated method for submitting requests.) The website should allow consumers to make requests on the site, to link to a place where they can make requests, or give them an email or other point of contact to which they can send requests.
Businesses that take online consumer requests will also need to build a web-based process for verifying the requests. It is important to be aware of how the requests should be handled. Requests should not, under the law, be answered without first being verified. Honoring information access requests without a verification process puts a company and its consumers at risk.
A verifiable request under the CCPA is a request made by a consumer that enables a regulated business to “reasonably verify” the person to be the consumer about whom the business has collected personal information. The CCPA authorizes the Attorney General to make regulations regarding the verification process, but, at this point, the AG has not done so. Businesses are currently moving forward with the creation of verification procedures based upon the type of information they already collect. For example, a business that does not collect phone numbers should not start using phone numbers for verification if it has another piece of information it is already collecting that could be used instead. Businesses should work to ensure that their consumer request verification processes do not actually expose them to additional security risks.
IV. Additional Requirements for Minors’ Personal Information
While the opt-out of sale option is open to all California consumers at any time, organizations cannot sell minors’ personal information without prior consent under the CCPA. For those organizations that deal in minors’ personal information, they should build a process to ensure that their website or apps obtain prior consent for the sale of such information. Under the CCPA, companies must obtain that consent from children aged 13-16 years and from their parents for children under 13 years of age.
DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.