Data Privacy Laws

CCPA Compliance FAQs

Everything from what is data, to who is a collector and who you share data with has already changed.  Did you change with it?

FREQUENTLY ASKED QUESTIONS

CCPA FAQs include common questions many web masters, bloggers, churches and even governments have on compliance.  If you don't see an answer to your question, feel free to ask it using our Submit A FAQ form.

Spoiler: CCPA and GDPR Are Now In Effect. If you aren’t compliant it can cost you nearly a thousand dollars per web visitor!

CCPA Basics

You may be missing the point, or getting overly fixated on a term.  Until the law is challenged in a California court the interpretation is arguably open but the spirit of the law would suggest a consumer is someone who consumes something.

A Consumer Is:

We operate under the idea that a consumer can be anyone who purchases or rents goods or services, regardless of whether they purchased these from you directly.  Two parties are not consumers until they exchange something for something else.  Notice, though, that the data revolves around that exchange.

If they have bought or if you want them to buy, or if people in the dataset have indicated they want to buy something … then they are a consumer.

Example CCPA Consumers:

A list of all students in a school system is not a CCPA personal data privacy issue.

A list of the parents of all of those students who may be marketed to for the sale of tutoring services would be a CCPA issue.

If your site stores data on citizens of California, regardless of whether they are a customer of yours directly, you need to err on the safe side and meet your obligations under the CCPA.

  • Clarifying something …. Article 6 of CCPA deals directly with minors. I gave an example using “students” … it's not a CCPA issue if these are college students. :-).


    CCPA applies to any entity that meets any one of the following three criteria:

    1. Has $25 million in annual revenue
    2. Holds personal data on 50,000 or more consumers
    3. Makes half of their revenue through the sale of personal data

    The first item is easy to determine.  If your organization had more than $25 million in revenue you must comply.

    The second is clear, but some have asked about the use of the wording “personal data” and “consumer.”  It's not worth getting hung up on these two words; they will likely be determined in the courts.  For our certification purposes, personal data can be any identifier that allows traceability, for instance an IP Address.  It also includes a string of numbers and letters used to replace the IP Address.  If it's unique to one user it is personal; a combination of identifiers that are not individually unique but together form a unique pattern is also an identifier.

    The word consumer should be straightforward.  This is anyone that buys a product.  It doesn't have to be your product that they buy; they are still a consumer even if they don't buy from you directly.

    The second bullet is the one most likely to cause pain for many small businesses.  Regardless of how you utilize the data, if you hold or have data on 50,000 people you must comply.

    Finally, the third criterion is also pretty obvious.  If you make money selling data and that accounts for half of your revenue, you must comply with CCPA.

    EXAMPLES:

    • I have a mailing list that has 50,001 email addresses on it.  Do I have to comply?  YES, you hold over 50,000 users' data.
    • I have the addresses of 49,999 customers.  Do I have to comply?  No, but you will if you get one more address.
    • I lost money last year and didn't turn a profit.  My business did $26,000,000 in sales but our costs were more.  Do I have to comply?  YES, you made more than $25,000,000.
    • I buy and collect data on voters for political campaigns but we don't hold the data we collect.  This makes up our income.  Do I have to comply?  YES, it makes up over half of your income.
    • I have Google Analytics.  Do I have to comply?  No, not necessarily based on just the use of Google Analytics.  If you retain and hold data collected by Google Analytics that can be used to identify a visitor, you only have to comply if you hold more than 50,000 users' data.

    Additionally, it is important to note that the word “consumer” is used in the law.  This means the data must revolve around the exchange of something for something whether directly with you or indirectly.


    It is done.  It went into enforcement January 1, 2020.  It will likely be debated and possibly amended, and court cases could be filed, but … it's finalized.


    The California Consumer Privacy Act (CCPA) was enacted in 2018 and takes effect on January 1, 2020. This landmark piece of legislation secures new privacy rights for California consumers. On October 10, 2019, Attorney General Xavier Becerra released draft regulations under the CCPA for public comment.

    The CCPA grants new rights to California consumers

    • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
    • The right to delete personal information held by businesses and by extension, a business’s service provider;
    • The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
    • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

    The CCPA applies to certain businesses

    • Businesses are subject to the CCPA if one or more of the following are true:
      o Has gross annual revenues in excess of $25 million;
      o Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
      o Derives 50 percent or more of annual revenues from selling consumers’ personal information.

    • As proposed by the draft regulations, businesses that handle the personal information of more than 4 million consumers will have additional obligations.

    The CCPA imposes new business obligations

    • Businesses subject to the CCPA must provide notice to consumers at or before data collection.
    • Businesses must create procedures to respond to requests from consumers to opt-out, know, and delete.
      o For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
    • Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes.
      o As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
    • Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.


    Compliance with CCPA means a site has addressed each of the requirements set forth for data privacy.

    The CCPA grants new rights to California consumers

    • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
    • The right to delete personal information held by businesses and by extension, a business’s service provider;
    • The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
    • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

    California Consumer Protection Act

    It was passed in 2018 and became effective January 1, 2020.


    First, the primary way consumers order from the business should be one of the (at least) two opt-out methods you offer.

    If consumers primarily buy goods in person at a physical location, then requests to opt out should be accepted in person at that location.

    If a business mostly uses mail order forms, then a mailed form should be one of the accepted methods.

    Common methods include a web form, a phone number and an email address.  You should provide a minimum of two methods, but the CCPA also notes that if business is conducted entirely online a simple email address is sufficient.

    We recommend that all organizations give consumers the ability to opt out via an email address and a web form at the least.  These two methods are easily used in conjunction.


    Personal Information is open to interpretation until the law is challenged in the California court system.  Until that point we feel it is best to operate under the following definition of personal information:

    Any unique identifier, or combination of identifiers that can be used to make a unique identifier.

    Examples:

    I asked 50,000 people what was their favorite color and wrote down the answers. Does this need to comply with CCPA?  No.  There is no unique identifier.

    I asked 50,000 people who bought an item at the local market if they were satisfied and wrote down their answers. Does this need to comply with CCPA?  No.  There is no unique identifier.

    I tracked the web visits of 50,000 visitors and noted their IP Address.  Does this need to comply with CCPA?  Yes.  There is a unique identifier.

    I tracked the web visits of 50,000 visitors and noted their IP Address, but recorded a different number based upon a defined formula.  Does this need to comply with CCPA?  Yes.  There is a unique identifier.

    I tracked the web visits of 50,000 visitors and recorded the time and date of their first visit as an identifier followed by the product code they first viewed.  Does this need to comply with CCPA?  Yes.  There is a unique identifier.

    Summary of Personal Data:

    If you are able to look at your data and see multiple data points of the same visitor, you have a unique identifier and that is personal information.  It's the ability to single out one person or company in your data.
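The "ability to single out" test above can be run mechanically over a dataset. The following is an added example, not code from this site: it measures the smallest group of rows that share the same value (or combination of values) for the chosen fields, the k-anonymity measure, and applies it to each of the cases listed above, including the pseudonymized IP case and the "non-unique fields that together form a unique pattern" case. The rows, the salt and the threshold `K` are constructed for illustration.

```python
"""Added example (not from the page): testing whether a dataset can single out
one visitor, using the page's own cases.

The test is the size of the smallest group of rows that share the same value
(or combination of values) for the chosen fields (the k-anonymity measure). If
some value isolates fewer than K rows, the data lets you see "multiple data
points of the same visitor" or pick out one person, so it is personal
information. The rows, the salt and the threshold K are constructed.
"""
import hashlib
from collections import Counter

K = 3  # assumed threshold: a value shared by fewer than K rows singles someone out


def pseudonymize_ip(ip: str, salt: str = "constructed-salt") -> str:
    """A 'different number based upon a defined formula'. Because the mapping is
    deterministic, the same visitor always gets the same token, so repeat visits
    stay linkable and the token is as identifying as the raw address."""
    return hashlib.sha256(f"{salt}:{ip}".encode()).hexdigest()[:16]


def pseudonymize_rows(rows):
    """Return copies of the rows with the raw IP replaced by its token."""
    out = []
    for row in rows:
        new = {k: v for k, v in row.items() if k != "ip"}
        new["ip_token"] = pseudonymize_ip(row["ip"])
        out.append(new)
    return out


def smallest_group(rows, fields):
    """Size of the smallest set of rows sharing identical values for `fields`."""
    counts = Counter(tuple(row[f] for f in fields) for row in rows)
    return min(counts.values())


def singles_out(rows, fields, k=K):
    """True when `fields` (one column or a combination) isolate fewer than k rows,
    i.e. the data can be used to pick out an individual visitor."""
    return smallest_group(rows, fields) < k


# Constructed sample: nine visits; 203.0.113.1 is a returning visitor whose
# first-visit timestamp and first SKU were recorded again on the second visit.
ROWS = [
    {"color": "blue",  "ip": "203.0.113.1",   "zip": "94103", "age": 34, "first_seen": "2020-01-06T09:14:02", "sku": "A100"},
    {"color": "blue",  "ip": "203.0.113.1",   "zip": "94103", "age": 34, "first_seen": "2020-01-06T09:14:02", "sku": "A100"},
    {"color": "blue",  "ip": "203.0.113.7",   "zip": "94103", "age": 29, "first_seen": "2020-01-06T10:02:45", "sku": "B200"},
    {"color": "red",   "ip": "198.51.100.4",  "zip": "90013", "age": 34, "first_seen": "2020-01-07T08:31:10", "sku": "A100"},
    {"color": "red",   "ip": "198.51.100.9",  "zip": "94103", "age": 52, "first_seen": "2020-01-07T12:15:33", "sku": "C300"},
    {"color": "red",   "ip": "192.0.2.13",    "zip": "90013", "age": 29, "first_seen": "2020-01-08T19:47:58", "sku": "B200"},
    {"color": "green", "ip": "192.0.2.20",    "zip": "94103", "age": 52, "first_seen": "2020-01-09T07:05:21", "sku": "A100"},
    {"color": "green", "ip": "198.51.100.22", "zip": "90013", "age": 52, "first_seen": "2020-01-09T21:12:09", "sku": "C300"},
    {"color": "green", "ip": "203.0.113.30",  "zip": "90013", "age": 29, "first_seen": "2020-01-10T14:59:40", "sku": "B200"},
]


def report(rows=ROWS):
    """Apply the test to each of the page's cases and return the verdicts."""
    tokens = pseudonymize_rows(rows)
    return {
        "favorite colour only":              singles_out(rows, ["color"]),
        "raw IP address":                    singles_out(rows, ["ip"]),
        "IP replaced by formula":            singles_out(tokens, ["ip_token"]),
        "first-visit timestamp + first SKU": singles_out(rows, ["first_seen", "sku"]),
        "zip code alone":                    singles_out(rows, ["zip"]),
        "age alone":                         singles_out(rows, ["age"]),
        "zip code + age combined":           singles_out(rows, ["zip", "age"]),
    }


if __name__ == "__main__":
    for case, verdict in report().items():
        print(f"{case:36s} personal information: {verdict}")
```

Run as a script it prints a verdict per case. The point the colour survey makes is visible in the numbers: every answer is shared by at least three rows, so no row can be isolated, whereas the hashed IP produces exactly the same group structure as the raw IP, which is why a "different number based upon a defined formula" changes nothing.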

    You can view the CCPA law on our site as well as the CCPA Regulations determined by the Attorney General.


    CCPA does not specifically target cookies.  It's just that cookies are used to track visitors, and this is the behavior that CCPA is concerned with.

    So if your site doesn't have cookies but you get data from visitors, such as through a web form, you need to comply with CCPA.  Further, if a site uses cookies but doesn't track visitors, it doesn't have to have a cookie banner.

    Most sites use cookies to track users so a cookie banner helps meet those data privacy requirements.


    No.  CCPA is an opt-out law.  It assumes everyone is in and has already consented.  BUT before collecting information a business must inform the visitor of their right to opt out.  This is easily accomplished with the banner that most sites have added.


    No.  CCPA does not require a toll-free number.

    It does require that an easy means to opt out of the sale of data be made available to consumers in the manner in which the business interacts with its customers.  It also requires that there be two methods to opt out.  Many sites are using web forms.

    SO … if you primarily do business over the phone, and customers primarily place orders using a toll-free phone line, then consumers should be provided a means to opt out over the phone.  It does not have to be a separate toll-free line if you already have one for orders.

    This could be accomplished while they are waiting to speak to an operator, through an automated menu, or while speaking to an agent … but a phone number is not required of everyone.

    In fact, if you are an exclusively online business you are only required to provide an email address.  We recommend, though, that all sites offer a web form and an email address, to ensure the two-method minimum is met and because these two methods require very little effort.  This also provides coverage in the event your business communications change.

    From the CCPA Regulations:

    (a) A business shall provide two or more designated methods for submitting requests to opt-out, including, at a minimum, an interactive webform accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” or “Do Not Sell My Info,” on the business’s website or mobile application. Other acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.

    (b) A business shall consider the methods by which it interacts with consumers when determining which methods consumers may use to submit requests to opt-out, the manner in which the business sells personal information to third parties, available technology, and ease of use by the average consumer. At least one method offered shall reflect the manner in which the business primarily interacts with the consumer.

    (c) If a business collects personal information from consumers online, the business shall treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.

    Additionally the CCPA Law states:

    (1) (A) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115.
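Paragraphs (a) and (c) quoted above describe two opt-out paths a site must handle: the "Do Not Sell My Info" webform and a user-enabled privacy control that the site must treat as a valid request "for that browser or device, or, if known, for the consumer". The following is an added example, not code from this site or any vendor, showing both paths feeding one opt-out record that a downstream "sale" check consults. The regulation text does not name a specific signal; the example assumes the Global Privacy Control request header (`Sec-GPC: 1`), which browsers and extensions send to express exactly this choice. The `OptOutStore`, the identifiers and the form fields are constructed.

```python
"""Added example (not from the page or any vendor): honoring a user-enabled
privacy control as an opt-out request, next to the "Do Not Sell" webform path,
so both methods feed one record that gates any sale of personal information.

Assumption: the signal is the Global Privacy Control header (Sec-GPC: 1).
The OptOutStore, identifiers and form fields are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OptOutStore:
    """Hypothetical in-memory record of who has opted out and how we learned it."""
    devices: set = field(default_factory=set)     # browser/device identifiers
    consumers: set = field(default_factory=set)   # known consumer identifiers
    log: list = field(default_factory=list)       # (subject, source) for audit

    def record(self, subject: str, source: str, *, is_consumer: bool) -> None:
        (self.consumers if is_consumer else self.devices).add(subject)
        self.log.append((subject, source))


def gpc_opt_out_signalled(headers: dict) -> bool:
    """True only for Sec-GPC: 1 (the single value the GPC spec defines).
    Header names are matched case-insensitively; any other value is ignored."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_request_signals(headers: dict, device_id: str,
                          consumer_id: Optional[str], store: OptOutStore) -> list:
    """Treat a privacy signal on an inbound request as a submitted opt-out
    request for that browser or device and, if the consumer is known (for
    example logged in), for the consumer too. Returns the subjects recorded."""
    if not gpc_opt_out_signalled(headers):
        return []
    store.record(device_id, "user-enabled privacy control", is_consumer=False)
    recorded = [device_id]
    if consumer_id:
        store.record(consumer_id, "user-enabled privacy control", is_consumer=True)
        recorded.append(consumer_id)
    return recorded


def handle_do_not_sell_form(form: dict, store: OptOutStore) -> bool:
    """The webform behind the 'Do Not Sell My Info' link. It is assumed to carry
    the consumer identifier the business already uses for that person; a
    submission without one cannot be attributed and is rejected."""
    consumer_id = (form.get("consumer_id") or "").strip()
    if not consumer_id:
        return False
    store.record(consumer_id, "Do Not Sell My Info webform", is_consumer=True)
    return True


def may_sell(device_id: Optional[str], consumer_id: Optional[str],
             store: OptOutStore) -> bool:
    """Gate for any disclosure to a third party that counts as a sale: refuse
    if either the device or the person behind it has opted out."""
    if device_id and device_id in store.devices:
        return False
    if consumer_id and consumer_id in store.consumers:
        return False
    return True


def demo() -> dict:
    """Constructed requests run through both paths; returns the decisions."""
    store = OptOutStore()
    # Anonymous browser with the signal set: opt-out recorded for the device.
    apply_request_signals({"Sec-GPC": "1", "User-Agent": "constructed"}, "dev-A", None, store)
    # Logged-in consumer with the signal set: recorded for device and consumer.
    apply_request_signals({"sec-gpc": "1"}, "dev-C", "cust-7", store)
    # Signal present with value 0, and no signal at all: nothing recorded.
    apply_request_signals({"Sec-GPC": "0"}, "dev-D", "cust-8", store)
    apply_request_signals({}, "dev-E", None, store)
    # Webform path for a consumer who never sent a signal.
    handle_do_not_sell_form({"consumer_id": "cust-9", "email": "c9@example.com"}, store)
    return {
        "dev-A anonymous":          may_sell("dev-A", None, store),
        "dev-B never seen":         may_sell("dev-B", None, store),
        "cust-7 from a new device": may_sell("dev-Z", "cust-7", store),
        "cust-8 (signal value 0)":  may_sell("dev-D", "cust-8", store),
        "cust-9 via webform":       may_sell("dev-Q", "cust-9", store),
        "opt-outs recorded":        len(store.log),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:26s} -> {decision}")
```

The design point is the "or, if known, for the consumer" clause: when the signal arrives on a logged-in session, the opt-out is attached to the person as well as the device, so it follows them to a new browser (`cust-7` from `dev-Z` is still refused). The audit log records which method produced each opt-out, which is what you would want to show when asked how requests were handled.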


    Types Of Data


    What Are CCPA Penalties

    The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes. The proposed regulations would establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.

     

    • Privacy Regulations Coordinator
      California Office of the Attorney General
      300 South Spring Street, First Floor
      Los Angeles, CA 90013


    How can you not afford it?  Take the number of web visitors your site receives, including return visitors, and multiply that by the $750 penalty and you quickly see that a site can't afford not to meet CCPA.

    Cost estimates for CCPA compliance

    • According to estimates in the Standardized Regulatory Impact Assessment for the CCPA regulations, the CCPA will protect over $12 billion worth of personal information that is used for advertising in California each year.

    Estimates of what businesses will need to spend to comply with CCPA range from $464 million to $14 billion.


    Yes.  The GDPR, which went into effect May 2019, saw 27 companies fined in 2019.  The total of these fines was €428,545,407 ($476,542,064), so nearly half a billion in fines in 2019.

    Was anyone in the US, not in the EU, fined?  Yes.  Marriott, for failing to protect against a data breach affecting 339 million guest records. Google has been fined, and the largest fine was British Airways for a data breach…


    Who Must Comply With CCPA


    CCPA applies to B2B, B2C or any other distinction you want to come up with; it applies regardless of your business model or industry.  Keep in mind that businesses are “people” under the law.  They can buy and sell property, pay taxes, even be sued and held responsible for murder.  Film Recovery Systems was convicted of manslaughter in 1986.  So it's easily argued that a business is a person.

    CCPA applies to entities that are any one of the following:

    • Have $25 million in revenue.
    • Hold 50,000 consumers' data.  (This is a sticking point for many websites.  If you hold the IP Addresses of 50,000 visitors and record their behaviors, or if you have an email list of 50,000 people, you do in fact meet this criterion and would be subject to CCPA requirements.)  An easy workaround is to not retain 50,000 consumers' data.
    • Make at least half of their revenue from the sale of personal data.

    What may be the source of this question is whether CCPA applies to a site that shares information with a third party such as Google Analytics.  Let's say your T-shirt website does $100,000 in revenue and you use Google Analytics.  Your revenue is below the threshold, you don't necessarily hold the personal info of 50,000 people, and you don't have the means to send a mailing to all of last week's web visitors … so no, you don't have to comply.

    And that's where Google would be a Service Provider.  As a third party collecting info, Google may be able to distinguish who visited you last week, because that's what they do … it's why Google Analytics is free.  You get stats and they get creepy amounts of aggregated data.  So they do have to comply with CCPA.  If your site doesn't offer an opt-out method, that's fine for you … but anyone not offered an opt-out is assumed to have opted out of the sale of their data.  This would mean Google can't use the data it collects on your site for anything other than the operation of your site.  This may change the nature of Google Analytics pricing, because they made it free to you so they could get that data and use it.

    Not complying with CCPA may be a mistake even for this T-shirt website.  Adding the appropriate notices and privacy statements may be best, especially if your site uses services such as Google Adsense.  Your use of Adsense means you collect money from the sale of data.  If it makes up less than half your revenue you're likely in a grey area … and grey areas are the worst place to be, because you're likely not expecting anything.

    For more on this see the question: Who must comply to CCPA?


    Neither bloggers nor any specific type of content is named in the CCPA regulations.  But that doesn't mean bloggers don't have to comply.  What's important is your site's collection and use of data.

    Who must comply?

    • Businesses are subject to the CCPA if one or more of the following are true:
      o Has gross annual revenues in excess of $25 million;
      o Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
      o Derives 50 percent or more of annual revenues from selling consumers’ personal information.

    • As proposed by the draft regulations, businesses that handle the personal information of more than 4 million consumers will have additional obligations.


    If a union meets any of the following criteria it will need to comply.

    • Organizations are subject to the CCPA if one or more of the following are true:
      o Has gross annual revenues in excess of $25 million;
      o Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
      o Derives 50 percent or more of annual revenues from selling consumers’ personal information.

    • As proposed by the draft regulations, businesses that handle the personal information of more than 4 million consumers will have additional obligations.


    Become a CCPA Certified Site!

    If you're ready to make a smart decision we're glad you're on our site.  Become a member of our certified sites.

    Step One

    CCPA Applicant Site

    This is the first level of site membership, the one every site starts out at; you are not certified yet, but we're working on it together.

    Step Two

    CCPA Certified Site

    Upon successful completion of our CCPA Assessment your site is ready to join the next membership level: CCPA Certified Site.