The regulatory landscape has shifted once again, and California regulators have pushed through new CCPA website requirements.
Following Proposition 24, organizations will now have to address the changes to the CCPA.
Join us in this article to explore what these new changes mean, how they affect your business, and how you can become CCPA website compliant.
Changes in the CCPA Website Requirements
With Proposition 24, the legislators and voters of California have decided to crack down on organizations in the personal data business and those who heavily rely on it. The new proposition has given more power to consumers and has dramatically restricted the time available for companies to rectify mistakes.
The proposition has also created a new authority in California, the Privacy Protection Agency, to enforce violations.
With the new proposition came new CCPA website requirements. First, we will answer some questions that many businesses affected by this change are asking.
“I am Compliant with the GDPR. Must I Make These Changes?”
If your organization is General Data Protection Regulation (GDPR) compliant, this gives you a slight advantage, and it is a significant first step. Unfortunately, there are enough differences between the two regulations that being GDPR compliant and applying the same techniques to California residents will not be enough.
However, the new proposition is similar to two existing rights in the GDPR, and those are:
- The right to be forgotten.
- The right to erasure.
More on the rights under the CCPA later. Although the new requirements are not identical, you will see later that some of your techniques can be transferred if you already respect the rights and freedoms outlined by the GDPR.
Do the CCPA Website Requirements Apply To My Business?
The CCPA's applicability criteria are relatively straightforward, and you will immediately recognize whether your organization has to apply these new requirements.
The first prerequisite is that your organization has to be a for-profit organization. Usually, non-profits need not comply with the website requirements. However, the requirements also apply to non-profits if they process California residents' personal data on behalf of a for-profit organization.
So if you are a for-profit organization, collect or process the personal data of California residents, and also satisfy one of the conditions listed below, then you will need to comply with the new requirements.
The Extra Conditions (must satisfy at least one)
- Your organization's annual revenue (revenue, not profit) is $25 million or more.
- Your organization collects or processes the personal data of 50,000 Californian residents or more.
- Your organization generates 50 percent of its revenue from selling personal data.
Please note that the legislation refers to a California resident as a natural person who:
- Is living in California and is not there temporarily or in transit to another state or country.
- Is employed under a short-term (1-year) contract.
- Is domiciled in California but is in another state temporarily or is in transit.
Rights Of The Consumer
You must be aware of the rights the consumer has under the updated website requirements. This section will briefly describe what your organization can and cannot do concerning consumer rights.
- Right to Fair Treatment: you cannot discriminate against the consumer if they choose to opt out. This discrimination could take the form of:
  - Providing the consumer with lower quality goods or services;
  - Changing prices because of the consumer's decision to opt out;
  - Blocking consumer access to certain services.
- Right to Be Forgotten: through the privacy policy, consumers can access the personal data held about them and request that all of it be deleted. Your organization must then delete the user's data.
- Right to Access: the consumer can access their data after a verification process (more on this method later).
- Right to Opt-Out: the consumer has a right to opt out of any data selling and marketing. This article will explore later how your organization can comply with this right.
These are the general rights that apply to CCPA website compliance. The next section will explore the CCPA website requirements in more detail and how these rights will be applied in organizational management.
The CCPA Website Requirements
There are two significant changes to the CCPA that affect the websites of organizations.
The main change is that organizations are now required to have a button that will direct consumers to a page that will allow them to opt-out of the sale of their information.
The second significant change is to the privacy policy, which will now require some extra information.
In the coming sections, we will explore what these changes mean and how you should apply them.
Don’t Sell My Data
Consumers now have the right to opt out of the sale of their personal data. The website requirements state that your organization must make it evident to the consumer that they have this right and how they can act on it.
The legislation states that the website's homepage must have an option for consumers to be redirected to an opt-out landing page. However, it does not say how you must make the button or link apparent.
There are talks with state legislators about creating a standardized button to use on websites. At the time of writing, there is no such button, so it is up to your organization to make the link obvious; it must say something along the lines of "do not sell my personal data."
Keep in mind that, even if you do not sell personal data, the link must still be present and visible on your homepage.
The Landing Page
The button or link needs to send the consumer to a landing page with a form they can fill out to opt out.
The information you must include is:
- The rights of the consumer
- A form that allows them to opt-out
- A description of your policy of data selling
The landing page cannot be deceptive or spread any sort of misinformation. It must be easy to use and responsive. All information relevant to the consumer must be included on a single page.
Privacy Policy Update
The second significant revision to the CCPA website requirements lies within the privacy policy.
A privacy policy is a legal document that states the organization's policy on collecting and processing personal data. Many privacy policies cover items such as: how the consumer's data is used, the third-party networks the data is sold to or used by, and the categories of data collected.
Both the CCPA and the GDPR require your organization to implement a privacy policy as a matter of law, whether you process Californian residents’ personal data or that of EU data subjects.
Although the requirements differ per the regulation, some elements remain the same. However, you will need a separate policy for EU and Californian website portals due to the differences.
For the CCPA, the updated privacy policy requires the organization to include the specific information outlined below.
- The privacy policy must include the rights of the consumer under the CCPA.
- The privacy policy must include all the categories of personal data collected in the last 12 months.
- The privacy policy must include all the categories of personal data sold in the last 12 months.
- The privacy policy must include all categories of personal data disclosed in the last 12 months. "Disclosed" means that the data was not sold but was used for other business purposes (for example, designing new products or services, or in a third-party partnership).
- Lastly, the privacy policy must include at least two methods for the consumer to submit a request to access their personal data; more on this later.
You may have noticed a pattern here: 12 months. The CCPA also requires that the organization's privacy policy be updated every 12 months.
Access Request
As part of the new website requirements, your organization will have to offer two methods for conducting an access request in your privacy policy.
If you are familiar with a Data Subject Access Request (DSAR) from the GDPR, this step will be relatively easy to implement.
Essentially, the new requirements give consumers the right to gain access to any personal information you hold on them. The two methods should include contact information: a toll-free number and a web address (or email). Keep in mind that this is not limited to companies that operate a website; if you do not have one, supply a mailing address in place of a web address.
Like the DSAR in the GDPR, the access request needs a system in place so the organization can verify the identity of the consumer making the request.
There are web-based Know-Your-Customer (KYC) tools that you can employ to make this process easier, but either way, you will need to verify their identities before releasing any data.
KYC tools are software solutions that streamline ID verification processes. You will often find them in the fintech industry (mostly for anti-money laundering) and any heavily regulated industry.
The Attorney General of California has not mandated a verification method, but businesses have already begun verifying identities using personal data they already collect.
For example, a cryptocurrency exchange might use tax number verification because it already holds that type of personal data due to financial regulation. It would not be wise to verify with driving licenses if you do not already collect them, as that creates a whole new category of personal data, which cascades into your privacy policy and the categories it must disclose.
Conclusion and Recap
You should know by now if your organization will have to comply with the updated CCPA website requirements. The regulatory landscape is not looking to slow down any time soon. With data misuse and cyberattacks reaching critical levels, the trends show that new states are likely to adopt similar regulations.
As a recap, the CCPA now requires your organization to integrate the consumer’s rights into the organization’s practice. As discussed in this article, the rights are:
- Right to be forgotten
- Right to access (know)
- Right to Opt-Out
- Right To Fair Treatment
With these rights in mind, your organization should be managing the personal data of consumers in the best way possible, and that is:
- Offering consumers the option to opt out of any personal data selling in the easiest way possible, using an obvious homepage hyperlink that redirects them to an easy-to-understand opt-out form.
- Informing consumers, within the privacy policy, about all categories of data that were:
  - Sold in the last 12 months
  - Disclosed in the last 12 months
  - Collected in the last 12 months
You must update the privacy policy every 12 months.
Regulatory compliance does not have to be a headache for your organization. We understand that sweeping changes like these can leave many organizations in the dark about what to do next.
RSI Security is here for you. We make it our business to keep up-to-date on all data protection regulations, so you don’t have to.
Leverage our knowledge and get help to become CCPA compliant today.
Download Our CCPA Compliance Checklist
Assess where your organization currently stands with being CCPA compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.