California Consumer Protection Act (CCPA) and how Siteimprove can help
By Sean Needham
Since May 2018, when the EU’s General Data Protection Regulation (GDPR) came into force, we have experienced a global movement on data protection and data privacy from regulators as well as from consumers, who are becoming aware of their rights. It is a much-needed change that pushes organizations handling personal data to be aware of, responsible for, and accountable for how they process and potentially sell that data. Mishandling personal data can cause organizations financial and reputational damage.
91% of consumers are concerned with how their data is being used and protected, so it is to an organization’s advantage to take user data concerns seriously and to show consumers that personal data is being handled with respect.
The California Consumer Protection Act (CCPA) came into effect on January 1, 2020 and changes the legal requirements for what companies can do with personal data in the state of California.
With a few exceptions, California residents gain new data rights, including the right to:
- Be informed what personal data is being collected;
- Be informed whether a company is selling that personal data, and to whom;
- Be given the opportunity to say no to the sale of their personal data;
- Be given access to their personal data;
- Be able to request the deletion of their personal data; and
- Not be discriminated against for exercising their new data rights.
The CCPA applies to certain businesses. A business is subject to the CCPA if one or more of the following are true:
- It has gross annual revenues in excess of $25 million;
- It buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
- It derives 50 percent or more of its annual revenues from selling consumers’ personal information.
As proposed by the draft regulations, businesses that handle the personal information of more than 4 million consumers will have additional obligations.
CCPA came into effect on January 1, 2020, though do note that the website of the Office of the Attorney General states: “The Attorney General cannot bring an enforcement action under the CCPA until July 1, 2020.”
CCPA compliance imposes new business obligations:
- Businesses subject to the CCPA must provide notice to consumers at or before data collection.
- Businesses must create procedures to respond to requests from consumers to opt-out, know, and delete.
- For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
- Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes.
- As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
- Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.
- As proposed by the draft regulations, if a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out.
- As proposed by the draft regulations, businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA.
- As proposed by the draft regulations, businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.
- In addition, businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations.
CCPA and GDPR
The California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are separate legal frameworks with different scopes, definitions, and requirements. A business that complies with GDPR and is subject to CCPA may have additional obligations under CCPA.
- For example, under GDPR, companies must undertake a data inventory and mapping of data flows in furtherance of creating records to demonstrate compliance. Additional data mapping may be important to reflect the different requirements under CCPA.
- Under GDPR, companies must develop processes and/or systems to respond to individual requests for access to personal information and for erasure of personal information. These processes and/or systems may be applied to handling CCPA consumer requests, although businesses may need to review and reconcile the different definitions of personal information and applicable rules on verification of consumer requests.
- Under GDPR, companies must draft and execute written contracts with their service providers (“processors”). Companies may need to review these contracts to reflect requirements under CCPA.
Siteimprove Data Privacy
Siteimprove Data Privacy supports you in working towards CCPA compliance by managing the personal information you hold on your websites. It is a data privacy content solution that helps you control what personal information is located across the sites and files you are responsible for.
Regain control of personal data
Fundamental to being in control of the data your organization has made available online is having a full overview of the domains you own, so that all pages and files can be checked. Not checking all sites carries the risk that personal data that should not be public remains available online. Siteimprove’s IP & Domains detects domains that could potentially belong to your organization. You can reject domains that aren’t yours or add domains the crawler hasn’t identified. This gives you a full and up-to-date overview of all the sites your organization owns and is responsible for.
Respect individuals’ privacy requests
Under the CCPA, businesses must create procedures to respond to requests from consumers to opt out of the sale of, to know about, and to delete their personal information. With Universal Search, you can instantly locate personal information across all HTML pages, documents, and metadata. Flag personal data for removal and ensure you know whenever it reappears using Tracked Search Terms.
Prove your compliance efforts
Under the CCPA, businesses must maintain records of requests and how they responded to them for 24 months in order to demonstrate their compliance. User Action Logs, as well as Tracked Search Terms, keep a record of the actions you take within the Data Privacy module, so that your compliance efforts are visible to management and to compliance authorities.
Be transparent about what data is collected
The ‘right to know’ what personal information is collected, used, shared or sold also requires insight into what cookies are being placed and who the information is being shared with. The Siteimprove Cookie Tracker automates the process of identifying your website’s cookies and shows you the cookie name, whether you or a third party set the cookie, the path of the pages that set it, its time to expiry, and whether it is marked secure.
Reach out to your contact at Siteimprove if you'd like to know more about Data Privacy. If you are new to Siteimprove then you are welcome to schedule a personalized demo.
Source: California Consumer Protection Act (CCPA) Fact Sheet, Office of the Attorney General, California Department of Justice.