Everything You Need to Know about CCPA Compliance

As more and more commerce shifts towards tech-centered solutions, the debate over the collection and storage of personal data rages ever wildly on. 

And while many brands, companies, small businesses, and even browser developers might need to rethink their strategy and data sourcing process, the inevitable shift towards privacy and user security can prove to be a profitable one that protects the user without disrupting the profit stream. 

It does not necessarily mean working harder; it just requires working smarter and in a more ethical way. More on that later. 

What does CCPA stand for?

CCPA stands for the California Consumer Privacy Act. 

What is CCPA compliance?

As with the EU’s General Data Protection Regulation (GDPR), the CCPA places heavy emphasis on forcing organizations to protect consumers’ data privacy rights. 

While the GDPR protects those individuals residing within the EU – even regulating organizations based outside of the EU – the CCPA specifically reflects the rights of California residents. 

Looking for more information on the role GDPR plays in AdTech? Check out this article or scroll down to learn more. 

The California Consumer Privacy Act of 2018 (CCPA) provides consumers with enhanced control over the personal data that businesses collect from them, along with regulations to guide implementation. 

According to estimates in the Standardized Regulatory Impact Assessment for CCPA regulations, the CCPA will protect over $12 billion worth of personal information used for advertising in California each year.

When did CCPA go into effect?

The law was passed in 2018 and went into effect on January 1, 2020; however, enforcement began on July 1. 

Why the need for the CCPA?

Widespread, 24/7 access to smartphones and increasingly portable tech translates to educated consumers far more likely to research a company’s ethical standards and practices before opting into marketing materials or connecting with a brand. 

This push for more rigid security measures over how unique data is shared with third-party sites has led to the passage of stricter user-protection laws and regulations. Obtaining consent and providing users with enhanced access to information about the data collected and the right to opt-out. These include the European Union’s passage of the GDPR and U.S.-based CCPA.

Who does CCPA apply to?

The CCPA applies to all for-profit organizations that conduct business in California and meet the following parameters:

• A business with a gross annual revenue of $25 million or more 
• A business that buys, receives, or sells personal data from more than 50,000 California consumers, households, or devices
• A business that earns 50% or more of its annual revenue from the sale of personal data

The CCPA does not apply to nonprofit organizations or government agencies. 

Does CCPA apply to companies outside California?

As is the case with the GDPR applying to companies conducting business in the EU (whether EU-based or not), CCPA applies to companies conducting business with residents in California. If you have customers in California, you are subject to CCPA compliance.

What rights does a user have under CCPA?

Under CCPA, California residents possess certain rights to data privacy and security. They may ask businesses to disclose any personal information they have collected along with the purpose for that data. Additionally, they may request that businesses delete and/or refuse to sell their personal information. It also includes the right to be notified beforehand or at the point when businesses collect personal information, of the types of personal information they are collecting, and what they may do with that information. 

Generally, businesses cannot discriminate against users for exercising rights under the CCPA. Businesses cannot make consumers waive these rights, and therefore, any provision waiving these rights is not enforceable.

The Right to Know 

According to the CCPA, this right allows consumers to know which information a business or organization collects about them, along with how that information will be used and shared. 

Consumers may request that businesses disclose what kind of personal information is being collected, used, shared, or sold; this includes why that information is collected, used, shared, or sold. Businesses must provide the information for the 12-month period prior to the request, free of charge.

Requests can include the following:

• The categories of personal information collected
• Specific pieces of personal information collected
• The categories of sources from which the business collected personal information
• The purposes for which the business uses the personal information
• The categories of third parties with whom the business shares the personal information
• The categories of information that the business sells or discloses to third parties

The Right to Delete

According to the CCPA, consumers have the right to request that businesses delete personal information collected from them. Businesses are required to designate at least two methods for users to submit a right to delete request, potentially including a combination of a toll-free number, email address, website form, and/or physical form. Businesses are not required to provide an online form for requesting deletion.

There are a few exceptions that do apply to the right to delete. For example, certain issues might exist with companies that use other businesses qualifying as service providers. The CCPA treats service providers differently than the businesses they serve. 

The primary business is responsible for responding to consumer requests. If a consumer submits a request to delete to a service provider instead of the primary business itself, then that service provider may deny the request. Consumers must submit requests to the business itself.

Businesses must respond to a right to delete request within 45 calendar days, but that deadline may be extended by another 45 days if a notification is provided. 

The Right to Opt-Out

The right to opt-out gives consumers the ability to request that businesses stop the sale of their personal information; consumers, therefore, can opt out of it. 

With a few exceptions, businesses are not allowed to sell personal information after receiving an opt-out request, unless that user has given explicit authorization allowing them to do so. Businesses must wait for a period of 12 months at minimum before asking a consumer to opt back into the sale of their personal information. 

The CCPA requires that any business that sells personal information provide a clear and obvious “Do Not Sell My Personal Information” link on their website that allows users to submit an opt-out request. Additionally, this has to be done with guest access, as businesses cannot require visitors to create an account in order to submit a request.

The Right to Non-Discrimination

All consumers have the right to non-discrimination for exercising their CCPA rights. If consumers want to protect their personal information or have it deleted or removed, businesses cannot deny them goods or services, charge a higher price, or provide inferior service (or any alternative quality of service or goods) based on that consumer’s decision to exercise their rights under the CCPA. 

That being said, if the personal information is necessary for them to provide consumers with proper goods and services, that business may not be able to complete a transaction without the missing content. 

A brand can offer promotions, discounts, and other incentives for submitting personal data. That can only happen when the financial incentive is reasonably relative to the value of that personal information. That company’s promotional campaign may hinge on the personal information provided to sign up. When a customer opts out of that communication, it may prevent that company from disclosing those special deals. 

All of these confusions can be sorted out by businesses setting up clear notices and communications with customers that outline the process and purpose of collecting data. 

What notices are businesses required to provide under CCPA?

Under the CCPA, businesses and data brokers are required to disclose their privacy practices with certain notices posted publicly. The first of these is the notice at collection. 

Notice at Collection

The required notice given to consumers at collection must list all categories of personal information collected, including the purposes for using that information. This notice must be provided at or before the specific point when the business collects that information. 

This can exist in multiple locations. A pop-up might feature a link to the notice at collection on a homepage or another page where a visitor might place an order or enter personal information. In a physical store location, the notice might be found on a printed sign-up form for a loyalty program, for example.

If that organization sells consumers’ personal information, then the notice at collection must also include a Do Not Sell link, providing users with link access to the privacy policy with all practices and user privacy rights. 

What needs to be included in the privacy policy?

Privacy Policy

Any brand or business conducting business with residents of California must include CCPA-compliant references explaining its policies regarding user privacy and security. 

The privacy policy is a written statement providing a broad picture of the company’s online and offline practices for the collection, use, sharing, and sale of consumers’ personal information. It must include information on consumers’ privacy rights and how to exercise the Right to Know, Right to Delete, Right to Opt-Out of Sale, and the Right to Non-Discrimination. 

What is considered personal information under the CCPA?

The definition of personal information is actually far broader than it might seem because it is more defined by what it does than by what it is. 

According to the CCPA: “Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.”

• Direct identifiers could include a user’s real name, alias, postal address, social security number, driver’s license number, passport information, and signature.
• Indirect identifiers could include cookies, beacons, pixel tags, telephone numbers, IP addresses, and account information.
• Biometric data might include scans of the face and retina, fingerprints, DNA, voice recordings, and health data.
• Geolocation data could include visitors’ location history pulled from their devices.
• Internet activity may include browsing history, search history, and data on interactions with a web page, application, product, or advertisement.
• Sensitive information could include personal characteristics, behavior, religious and/or political convictions, sexual preferences, employment and education data, and financial and medical information.

Under the CCPA, there is no limit to what is considered personal information by a particular format or medium, which means that even pictures or sounds can be constituted as personal information if they fall within the definition in the law.

What is not considered personal information under the CCPA?

The CCPA does not consider personal information to include publicly available information from federal, state, or local government records, such as professional licenses and public real estate or property records.

CCPA Regulations and Enforcement

Now that we’ve broken down what the CCPA is, what it covers, who it refers to, and what personal information it includes, let’s dive into how to avoid violating the CCPA and what happens – in the unfortunate event – that you do. 

What is considered a CCPA violation?

In simple terms, violating the CCPA is violating any or all of the user rights detailed in the passages above. Not providing consumers with the proper information and access to utilize those rights will most certainly guarantee an inquiry of noncompliance from the CCPA. 

Reviewing CCPA regulations with employees is an easy way to avoid violating CCPA and risking non-compliance. Those penalties, if imposed, can be hefty. More on that a little later. 

First and foremost, in preparation for CCPA requests, a business must provide easy communication methods – for example, a toll-free number and website address – where consumers are free to make disclosure requests. 

Additionally, businesses cannot discriminate against consumers who exercise their rights and/or opt-out of data submission. For example, brands cannot penalize customers with higher prices for refusing to fill out information; however, doing so might mean the user misses out on access to exclusive discount codes. 

In order for consumers to initiate litigation, certain conditions must be met. According to the CCPA’s website, the type of stolen personal information must be stolen in non-encrypted and non-redacted form and must include a first name (or initial) and last name in combination with any of the following:  

• A social security number
• Driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person’s identity
• Financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account
• Medical or health insurance information
• Fingerprint, retina or iris image, or other unique biometric data used to identify a person’s identity (but not including photographs unless used or stored for facial recognition purposes)

How is CCPA different than GDPR?

Predating the CCPA and dealing with a far broader scope, the GDPR has shifted the way data can be collected and business can be conducted for companies dealing online with users in the EU. 

CCPA vs. GDPR

While the California Consumer Privacy Act (CCPA) was inspired by EU regulations, they are not one and the same. The GDPR has broken ground in setting the precedent for the new data privacy standards and the CCPA has carried modern data protection rules into the United States. For companies that perform business online, they are most likely subject to comply with one — if not both — of these laws.

As stated above, the GDPR applies to any business collecting or processing data of citizens or residents of the EU; this includes businesses that physically operate outside of the EU. 

The CCPA applies to any company that conducts business with California citizens and generates an annual revenue of $25 million or more; collects, shares, buys, or sells the data of more than 50K consumers in California; and earns 50% or more of its revenue from the sale of Californian consumer data.

Despite the differences, they both share common goals and requirements. At its core, each of these regulatory acts is set up to make sure that individual users are protected and informed of their rights. Both require consumer consent for the collection of information where clear permission and disclosure of all data usage are both required.

Both require that businesses, upon request, provide users with access to the following:

• The information that is collected about them
• The information that is shared or sold
• Who the information may be shared with or sold to

What are the penalties for GDPR non-compliance? Who is liable?

Failing to meet these regulations can be incredibly costly. For GDPR violations, businesses can face fines up to 4% of the company’s annual gross revenue or 20 million Euros. These fees can add up quickly. 

Bear in mind that if illegal data is used for any kind of ad targeting, then all involved parties can be held liable. This includes the publisher who shares the personal data, the exchange that accepts it, the platform that sells it, and the advertiser that uses it.

What are the penalties for violating CCPA?

If a business fails to maintain reasonable security provisions and practices to ensure user privacy, then users can sue for the number of monetary damages suffered from the breach or statutory damages of up to $750 per incident. 

Those suing for statutory damages must provide the business with written notice of the CCPA sections violated. The business then has 30 days to return a written statement showing it has resolved the violations in the notice and is preventing future violations. 

If the company can show proof of curing the violations, then an individual will not be able to sue for statutory damages unless the business continues to violate the CCPA. 

If after 30 days, the issue is not resolved and the company has failed to comply with the law once regulators notify them of a violation, there’s a fine with a cap of up to $2,500 for unintentional violations and $7,500 for intentional violations per record.

Under other circumstances, only the Attorney General can file an action against businesses, when identifying patterns of misconduct. 

CCPA Compliance Checklist

In order to ensure that your company has all the necessary pieces to comply with all CCPA – and ideally GDPR – standards and regulations, we’ve included a brief checklist with steps to keep your business CCPA-compliant. 

1. Designate a team member or individual – chief privacy officer, data privacy officer, or chief data officer – responsible for data privacy and security.
   
2. Conduct a thorough data inventory with careful, auditable records of your data flows. This includes analyzing all collected data, understanding the layers and classifications of data, and exploring where that data is located and stored.
   
3. Conduct a risk assessment to determine where data practices fit within the legal framework for CCPA. There are many helpful tools that can automate and simplify this task, sorting the information in a clear, manageable way. Understanding the scope, location, and use of personal data is a necessary step in brands gaining a true understanding of the changes needed to comply with CCPA.
   
4. Are there adjustments that need to be made based on the data audit? Fixing the issues does not always mean simple deletion. Depending on the types of sensitive data your organization has acquired, action steps might include options like cleaning, organizing, or migrating data for its intended purpose while adhering to compliance regulations. This might include masking personally identifiable information to render it de-identified and removing it from the classification of personal information under CCPA or GDPR.
   
5. Does your business work with third-party organizations or external vendors? Ensure that these vendors protect their data and follow CCPA requirements as well. There are specific phrases that need to be included in a vendor contract to establish their liability for any failures to comply with CCPA.
   
6. Train your staff to be familiar with CCPA terminology and inclusions. Document everything and keep track of each process in the CCPA compliance review. This auditable record can be used as a benchmark for comparing to future years. 

7. Make sure all notices, consent forms, pop-ups, and informational pieces are in place. Verify that your privacy policy includes all required information as per the CCPA. 

Enter ALFI, the Future of AdTech Without Cookies.

The AdTech game has changed. Those days are no more. Vague, old-school measures of success are now anchored in real-time data analytics. ALFI is transforming the future of digital out-of-home (DOOH) advertising. 

While other AdTech platforms blur the line when it comes to user privacy, ALFI is crafting tools that empower media buyers to reach their exact target market, at the right time, for a fraction of the cost in a respectful and ethical manner. 

Using powerful machine learning models and recommendation engines, ALFI’s data capture creates a roadmap for constant improvement of targeted advertising, delivering relevant content to the right person at the right moment in time.

With ALFI, advertisers can not only use detailed targeting options for their digital out-of-home campaigns but also pay for impressions and receive detailed analytics to optimize their campaigns. 

Brand owners receive thorough data capture reports and metrics to support the actual impression and real-time responses. ALFI’s advanced, actionable data can be used to inform better decision-making, yield more effective targeting, and transform the scope and reach of OOH advertising. 

Who needs cookies anyway? ALFI’s smart technology can detect behavior without using cookies or storing personal data, facial images, or information. It sets new standards by providing precise targeting information to advertisers by collecting information in non-intrusive ways that are compliant with GDPR, CCPA, and HIPAA. 

With DOOH campaigns, ads can be dynamic, providing impressions and data in real-time, allowing companies to adapt and shift strategy mid-campaign. Ad A not performing well? Take it down early. Ad B showing huge success? Invest more and double your conversions. 

The days of speculating about advertising campaigns are over; ALFI is changing the way marketing is done with real data from real people that yields real results. 

The platform pairs powerful computer vision with AI and machine learning models to display clients’ ads only to their target customers when they’re most susceptible to making buying decisions. 

With ALFI, it’s possible – and even easy – to target users, master AdTech, and generate revenue ethically, all while respecting passengers’ and users’ right to privacy. 

Want to know more? Drop us a line and our team will get in touch with you!