California Consumer Privacy Act (CCPA) and Cookies

California Consumer Privacy Act (CCPA) and Cookies: What you need to know

This article explains the California Consumer Privacy Act (CCPA). You will learn what CCPA is, who is affected, the rights and exceptions under CCPA, how CCPA compares with GDPR, and how CCPA applies to cookie usage.

“Security is just an illusion and privacy is a myth” – Unknown

You may have heard this or some variation of it somewhere. Today, privacy is no longer a myth. We can point to hundreds of things that have changed over a decade, but in the world of cybersecurity, the biggest change is in people’s perception of privacy.

People became more concerned about their privacy and aware of their right to maintain it. Governments have made huge improvements to cybersecurity, introduced new laws, made major amendments, and imposed many regulations and guidelines.

CCPA is one such privacy law intended to protect the privacy of consumers residing in California. In this article, you will learn everything you need to know about CCPA and cookie usage for your website.

What is CCPA?

California Consumer Privacy Act, or CCPA, is a comprehensive data protection law aimed at protecting the privacy rights of consumers residing in California, United States. The law came into effect in 2018 and allows users to have more control over the personal information that businesses collect about them.

Who Will Be Affected by CCPA?

California is a big business market in the United States. It is the world’s largest sub-national economy with a gross state product of $3.4 trillion as of 2021, according to Statista. So it is evident that CCPA will affect a vast number of for-profits doing business in California.

CCPA regulations are based on physical location and apply to any entity that collects or maintains the personal information of people residing in California.

CCPA applies to for-profits that do business in California and meet any of the following criteria:

1. Revenues exceeding $25 million annually.

2. Obtains and manages personal information of over 50,000 customers, households, or devices annually.

3. Obtains 50% or more of its revenue from selling personal information.

As of now, CCPA is only applicable to for-profit businesses and does not affect non-profit organizations.

What are The Rights Under CCPA?

CCPA gives certain rights to consumers to have control over the personal information they entrust to businesses.

Firstly, consumers have the right to know about the personal information collected by businesses. They have the right to access any of the personal information a business collects and sells. They can request reports about what data is being collected and why it is collected, used, shared, or sold. Upon user request, businesses are required to provide the information they have collected over the preceding 12 months, free of charge.

Secondly, consumers have the right to delete personal information collected from them. They can request businesses to delete their personal information. Businesses should have proper designated methods to receive requests from consumers for the deletion of their personal information.

Thirdly, consumers have the right to opt out of the sale of their personal information. Businesses should provide a clear and distinct “Do Not Sell My Personal Information” link on their website to allow consumers to submit an opt-out request. Consumers are not required to verify their identities to opt out.

Lastly, consumers are entitled to the right to non-discrimination in their exercise of CCPA rights. The CCPA prohibits businesses from denying goods or services, charging different prices, or providing lower levels or quality of goods and services to consumers for exercising their rights.

Does CCPA Have Any Exceptions to the Rights of Consumers?

For-profits doing business in California are subject to the CCPA, regardless of where they are physically located. However, it is important to note that there are some nuanced exceptions to consumer rights defined under CCPA.

Businesses can deny consumers’ rights under CCPA if they can demonstrate that the personal information they collected was used to:

1. Complete the transaction

Businesses may deny consumers’ rights if the data they collected is needed to complete the transaction that provides the goods or services requested by the consumer.

2. Comply with legal obligations

Businesses can collect information about consumers to comply with legal requirements. For example, tire manufacturers were statutorily required to maintain purchase records of consumers for three years. Businesses are exempted if they collect, store, or maintain the personal information of their customers to comply with legal requirements.

3. Maintain security

Businesses may deny consumers’ requests for deletion if the information is stored to detect security incidents, prevent and respond to malicious, deceptive, fraudulent, or illegal activities, and prosecute those who are responsible.

4. Protect freedom of speech

CCPA has exceptions to consumer rights when it comes to free speech. Businesses will be exempted from CCPA while exercising free speech or ensuring the right of another consumer’s free speech. Exemptions are also allowed for exercising another right provided for by law.

5. To enable lawful uses

Exceptions are allowed for collecting personal information for internal purposes and lawful uses. This is solely based on the relationship between the consumer and the business. For example, records of clinical trials are exempted under CCPA, as this is a lawful use.

CCPA v/s GDPR: Is there Any Difference?

There are some clear distinctions between GDPR and CCPA. Both CCPA and GDPR are among the toughest cyber security laws in the world, though there are some overlaps and differences.

Complying with GDPR doesn’t give you full compliance with CCPA. Both these regulations have different definitions for personal information.

In CCPA, personal information is defined as information that can be used to identify, or can be related to or associated directly or indirectly with, a particular consumer or household, whereas GDPR defines personal information as any information that can be used to identify a particular person.

There are differences in terms of data subject rights, exceptions, scopes, and privacy notices for both of these regulations. Unlike GDPR, CCPA has a wide coverage of households and devices, in which devices or any online activity can also be considered personal information if they can be linked to a person or household.

Many websites use cookies for marketing and advertising purposes. Website cookies collect the personal information of site visitors and sell it to third parties. As cookies and tracking scripts collect information about IP addresses, which can be associated with a person, they will be considered personal information as per CCPA.

Unlike GDPR, CCPA follows an opt-out mechanism for cookie usage. This means businesses need not obtain prior consent for using cookies on their website. CCPA does not require websites to create cookie banners; instead, they should give website visitors an opt-out option.

The law also requires businesses to disclose information about cookie usage and to inform consumers about what data is collected and how it is processed or stored.

CCPA cookie policy management

It is important to have a cookie policy page on your website to comply with CCPA. A cookie policy is a disclosure statement that you give to your consumers about the active cookies on your website.

To comply with CCPA, a cookie policy should contain:

  • A brief explanation of cookies and disclosure of their use
  • The types of cookies that are active on the website and what data they collect
  • Information on the purpose of using cookies
  • Information about opting out of cookies

CCPA cookie consent management

Although the CCPA does not require websites to obtain prior consent from site visitors or create cookie banners, it does contain certain requirements regarding cookie usage.

You should allow users to change, revoke or give partial consent for using specific types of cookies. It is also important to give an opt-out option to your website visitors.

CCPA cookie banner

There are no specific requirements for cookie banners on your website to comply with CCPA. However, you can disclose the use of cookies using a cookie banner. The cookie banner can also be used for giving users the option to opt out of cookies. An ideal banner should have a button or a link that says “Do not sell my personal information”.

Cookie banners can also link to the cookie policy and give easy access to cookie preferences. Refer to this article to learn how to create a CCPA-compliant cookie banner in WordPress.

CCPA cookie compliance tool

We have compiled all the CCPA cookie compliance requirements into a simple plugin that provides an all-in-one cookie compliance solution.

CCPA Cookie Compliance plugin for WordPress

This WordPress Cookie Consent plugin will help you comply with all major cookie laws in the world. The plugin can help you comply with the EU’s GDPR, LGPD of Brazil, CNIL of France, and the California Consumer Privacy Act (CCPA).

You don’t have to bother about creating a cookie policy from scratch; the plugin has cookie policy templates ready for you. It comes with a cookie scanner that lists all the active cookies on your website.

You can obtain explicit or implicit consent from your users, create beautiful cookie banners on your website, and more. The plugin automatically blocks third-party cookies until consent is obtained from the site visitors.

It stores a consent log from visitors as proof of compliance. You can obtain granular consent from your site visitors based on cookie categories.

In a nutshell, this is the only plugin you need to comply with laws like CCPA, GDPR, and POPIA for cookie usage.

Conclusion

Laws like CCPA and GDPR are introduced to protect the privacy of users and website visitors on the internet. Apart from the privacy point of view, these regulations have set a standard for websites and businesses across the world.

It is essential to comply with these international regulations to attract customers and investors for your business regardless of whether you do business in California or the EU. You can generate a sense of trust from your customers by showing them you value their privacy.

The plugin we mentioned in this article will help you comply with any major cookie laws in the world. If you want to learn more about privacy laws like GDPR and POPIA, we recommend you read the following articles.

All You Need to Know about Compliance with POPIA, WordPress and GDPR: a Helpful Guide.

Disclaimer: This article was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice we recommend you contact a professional.

Article by

Content Writer @ WebToffee. With a background in journalism, I focus on eCommerce and data privacy. I've been writing about data protection and eCommerce marketing for over two years, crafting content that makes complex regulations easy to understand. I help businesses and individuals navigate evolving legal requirements and stay updated with the latest privacy standards.
