What California's CCPA and CPRA consumer privacy laws mean for your website (2023 Update)

Abstract: CCPA of 2018 and CPRA of 2020 are privacy rights laws for the state of California. CPRA goes into effect on January 1st, 2023.

These acts have some pretty wide ranging impact and a number of significant requirements for business process and technical implementation. This post provides a consolidated summary of both acts.

“The law should place the consumer in a position to knowingly and freely negotiate with a business over the business’ use of the consumer’s personal information.”

If you have a website in the United States, you can count on some of California’s 40 million residents visiting your site. If your business handles any private, personal information about your consumers, you need to comply with the California Consumer Privacy Act (CCPA) and the newer California Privacy Rights Act (CPRA). CPRA goes into effect on January 1, 2023.

Complying with CCPA was fun (where “fun” means “nerve wracking”) because some of the law was still ambiguous at the time. 2020’s CPRA aimed, among other things, to make things less fraught for those of us who are concerned with compliance. Notably, it directed the Attorney General to issue regulations and guidance by July 1, 2022 – so we know what the rules are before it goes into effect in January. (Whew!)

So, read on for the state of CCPA and CPRA compliance as you head into 2023.

In this post, I’ll cover:

  1. What is the CCPA?

  2. What is the CPRA?

  3. Who must comply with CCPA?

  4. What is considered personal information?

  5. What must I do?

  6. Does this affect external services like Google Analytics, Hubspot, and Marketo? How about services like Optimizely, CrazyEgg and HotJar?

  7. How do I prepare my business for CCPA and CPRA?

  8. What are the penalties for violating CCPA?

  9. Other Requirements for CCPA & CPRA compliance

  10. Disclaimer

Note: I published the first version of this blog in 2019 for Imarc. I’ve updated it in autumn of 2022 with some pretty substantial changes and additions.


What is the CCPA?

The California Consumer Privacy Act of 2018 established a number of consumer privacy rights. As legislation goes, it’s pretty readable, and only 19 pages long. If you are responsible for digital marketing or consumer affairs, you should read it, not rely on me. (If you never have, go correct that now.)

For everyone else, I’ve read the full text of the CCPA, CPRA (see below), and the Attorney General’s guidelines for you. Here’s your executive summary.

The law starts by laying out some personal rights for the digital age:

  • You have the right to know about and control the sale and sharing of your personal data, and to correct any errors in that data.

  • You can request a business delete personal information about you (with some reasonable limits).

  • You can tell a business not to sell or share your personal information.

  • A business can’t discriminate against you for exercising your rights. It also can’t make your website or app experience function worse for you because you did, charge a fee in response, or attempt to coerce an opt-in by implying you’ll get a lesser experience than consumers who opt in. (I call these the “don’t be a jerk clauses.”)

  • Both consumers and the Attorney General can take a business to court for failing to comply with requests, and the California Privacy Protection Agency can levy administrative fines directly.

  • Businesses must not collect information about children under the age of 16 without parental or guardian consent. CPRA applies increased penalties for violations of children’s privacy.

Philosophically, CPRA explicitly says that because data sharing is not very transparent or easy to understand, consumers can’t really judge the value of their personal information to businesses. This makes it difficult or impossible to negotiate. Put simply: It’s not fair and equal. CCPA and CPRA are meant to give a level playing field to consumers and businesses.

Recommended Reading:

OneTrust wrote a very readable summary of proposed CCPA regulations as part of their CCPA blog series.

Is CCPA the same as GDPR?

No. They’re similar, and they overlap, but being General Data Protection Regulation (GDPR) compliant does not ensure you are also ready for CCPA. PwC summarizes the differences in this chart:

Comparison chart of GDPR and CCPA; use PWC link below for its content

What is the CPRA?

The California Privacy Rights Act of 2020 was a ballot proposition that expanded CCPA, closed some loopholes, and established a dedicated state agency and funding for its enforcement. It also made compliance higher stakes by removing a grace period for correcting violations without penalty, and tripled fines for violations involving children under the age of 16.

The removal of that grace period is alarming, but the Act also clarifies that the agency may decline to bring penalties if the violation was an accident, so it seems fair.

The Act’s provisions go into effect January 1, 2023, and apply to any data you may have collected on or after January 1, 2022.

CPRA also contains a provision that prevents the state Legislature from modifying the law in a way that would weaken it. (Take that, Big Tech lobbyists.)

Do I need to read CPRA, too?

If you work in digital marketing or consumer affairs in the USA, yes. Here’s the PDF. (It’s just 34 pages, you can do this!). The rest of you can take a pass – I’ve incorporated its updates into the CCPA notes in the rest of this blog post.


Who must comply with CCPA and CPRA?

The law applies to companies that interact with California residents, and where any of these three things are true:

  • $25 million or more in revenue per year

  • Buys, sells, receives, or shares personal information of 50,000 or more consumers, households, or devices

  • Derives 50% or more of their annual revenue from selling consumer personal information

In other words, you can get out of CCPA if you are small, and don’t process much consumer data, and don’t make money from that data.

The law covers interaction with California residents who happen to be outside the state. Yes, tourists and holiday visitors count.

But I don’t make money off private information! Do I have to comply?

Yes. If you have large enough revenue, or handle enough volume of private information, you must comply. Even if you aren’t “in the business”.

What are the exceptions to CCPA and CPRA?

There are nine cases where a business does not have to delete data:

  1. To complete a transaction which requires that information

  2. To detect or respond to security incidents

  3. To debug or repair errors in a system

  4. To exercise free speech

  5. To comply with the California Electronic Communications Privacy Act (Part 2, Title 12, Chapter 3.6, Section 1546 of the California Penal Code)

  6. To engage in public or peer-reviewed scientific, historical or statistical research

  7. For “solely internal uses” that are “reasonably aligned with the expectations of the consumer”

  8. To meet a legal obligation, including complying with law enforcement requests (certain details apply)

  9. Other internal uses which match why the consumer gave you the data

It’s also worth noting that these acts apply to businesses. CPRA more fully defined this, and in short, it means that for-profit entities must comply, but nonprofits and political action groups appear to be exempt.


What is considered personal information?

The act is quite broad: Any piece of data that can be tied to any identity information about any person is personal information. This explicitly includes:

  • Real name or alias

  • Address

  • Personal identifiers

  • IP address, browsing history and search history

  • Email address

  • Social security number

  • Drivers license number

  • Passport number

  • Any unique identifier of a person or device

If a piece of data even looks similar to any of those things, it’s covered.

It also includes information about:

  • Personal property

  • Products and services purchased

  • Purchasing history

  • Browsing history

  • Geodata

  • Biometric data

  • Profiling

  • Employment

  • Education

  • Class or income

The act specifically says personal information includes information you may infer:

“Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”


What must I do?

Notification Requirements

Under CCPA you must:

  • Notify consumers of their CCPA rights, including the right to deletion, right to know, and data portability rights.

  • Tell consumers how to exercise these rights.

  • Be ready to fulfill consumer requests.

  • Be ready to find and remove personal information from your data.

  • Be ready to mark personal data as non-portable (not to be sold or transferred).

  • Provide Californians with at least two ways to contact you, including a website or toll-free phone number.

Technical Requirements

CCPA is mostly about business processes, but it does have some technical requirements too.

If you have a website, you must provide a page to California residents that enables them to send you their requests. If you ever sell personal information, you’re required to have two very specific bits of link text somewhere on the page:

  • “Do Not Sell or Share My Personal Information” (under CCPA, it was just “sell”, but CPRA expands that to “or share”) 

    • This must link to a description of consumer rights under CCPA and provide a way to opt out of the sale or sharing of personal information

  • “Limit the Use of My Sensitive Personal Information” (new under CPRA)

    • This must enable the consumer to limit the use or disclosure of SPI

Or, you may have a single link which accomplishes both of these things, using your own labeling, so long as it is clear and easy to use (this too is new under CPRA)

Also, you may use a specific “opt out button” graphic to add a little visual flair to your link. (It’s optional. But if enough websites use it, it will be a useful visual affordance for California consumers.)

If you have not disclosed personal information about consumers, you must disclose that fact. In other words, you have to declare something; you cannot ignore CCPA and CPRA.

Opt-Out Signals from User Agents (Browsers)

This is new under CPRA: You must recognize and honor opt-out preference signals if sent by the consumer’s web browser.

Specifically, California’s Attorney General has recognized the new Global Privacy Control specification. The CCPA information page specifically says “Under law, it [GPC] must be honored by covered businesses as a valid consumer request to stop the sale of personal information.”

A bit of good news: When your site does honor the GPC signal, you don’t have to display the opt-out links (at least, on browsers which send the GPC opt-out signal; users whose browsers don’t support GPC will still need those links).

(As a user, I’d encourage you to use a pro-privacy browser that supports GPC, such as DuckDuckGo, Brave, or Mozilla Firefox. Or, you can enable GPC with a browser extension like Privacy Badger or DuckDuckGo.)
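The opt-out signal described above is concrete enough to code against: GPC browsers send the request header `Sec-GPC: 1` and expose `navigator.globalPrivacyControl` to page scripts. The following is an added example, not code from the original post, showing how a site can treat that header as a valid “do not sell or share” request, decide whether the opt-out links still need to be rendered for a given visitor, and gate sharing with service providers on the recorded preference. The header objects, consumer record shape, and function names are assumptions for illustration; a real site would persist the record and forward the opt-out to each provider.

```javascript
// Added example (not from the original post): honoring the Global Privacy
// Control (GPC) opt-out signal. Assumes headers arrive as a plain object
// keyed by header name (as in Node's http.IncomingMessage.headers) and that
// the application keeps its own per-consumer preference record.

// The GPC spec defines the request header "Sec-GPC" with the exact value "1".
// Only that value is an opt-out signal; absence or any other value is not.
function gpcOptOutRequested(headers) {
  if (!headers) return false;
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(headers[name]).trim() === "1";
    }
  }
  return false;
}

// Record a GPC signal as a "do not sell or share" opt-out on the consumer's
// preference record. An existing opt-out is never cleared by a request that
// lacks the signal (the user may have opted out via the link instead).
function applyRequest(record, headers) {
  const updated = { ...record };
  if (gpcOptOutRequested(headers)) {
    updated.doNotSellOrShare = true;
    updated.optOutSource = "gpc";
  }
  return updated;
}

// Whether this visitor still needs the "Do Not Sell or Share My Personal
// Information" link: a browser sending GPC (which we honor) does not, everyone
// else does.
function mustShowOptOutLinks(headers) {
  return !gpcOptOutRequested(headers);
}

// Gate every hand-off to a service provider (analytics, marketing automation,
// session replay, etc.) on the recorded preference, so an opt-out collected
// here is also respected downstream.
function canShareWithVendor(record) {
  return !(record && record.doNotSellOrShare === true);
}

// Browser-side counterpart: GPC is exposed as navigator.globalPrivacyControl
// (true when enabled). The navigator object is passed in so this runs outside
// a browser too.
function gpcEnabledInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests for demonstration.
const SAMPLE_REQUESTS = {
  withGpc: { "user-agent": "Mozilla/5.0 (constructed)", "sec-gpc": "1" },
  noSignal: { "user-agent": "Mozilla/5.0 (constructed)" },
  malformed: { "user-agent": "Mozilla/5.0 (constructed)", "sec-gpc": "yes" },
};

function demo() {
  const consumer = { id: "consumer-1", doNotSellOrShare: false };
  return Object.fromEntries(
    Object.entries(SAMPLE_REQUESTS).map(([name, headers]) => {
      const record = applyRequest(consumer, headers);
      return [name, {
        optOut: gpcOptOutRequested(headers),
        showLinks: mustShowOptOutLinks(headers),
        shareWithVendor: canShareWithVendor(record),
      }];
    })
  );
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that the malformed `Sec-GPC: yes` request is treated as no signal rather than as an opt-out, matching the spec's single defined value; if your framework lower-cases header names (Node does), the loop still works because it compares case-insensitively.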

Requirements for Children Under the Age of 16

If a business “exclusively targets” consumers between the ages of 13 and 16, and doesn’t sell or share their personal information without consumer permission, then it doesn’t have to provide an opt-out notice. Otherwise, yes, you must offer an opt-out notice. (And since children can’t engage in a legal contract, you need their guardian or parent’s affirmative authorization.)

Rules for children under 13 are unchanged; see COPPA rules.

Recommended Reading:

Seyfarth-Shaw has provided a great, detailed CCPA requirements explainer on business process requirements.


Does this affect external services like Google Analytics, Hubspot, and Marketo? How about services like Optimizely, CrazyEgg and HotJar?

Yes. They’re considered service providers to your company. Most of these have already updated their processes and legal statements to reflect CCPA.

The law shields you from liability for service providers, so long as you send them any opt-outs you get from consumers. But if you fail to pass that deletion request, you may be on the hook. Make sure that every service your website uses is CCPA compliant.

CPRA has added some explicit language for service providers. In general, it makes life a bit easier for providers, without making life worse for consumers. For example, a consumer can’t go directly to a provider and demand opt-out; consumers must go to the primary business which collected the information.


How do I prepare my business for CCPA and CPRA?

For this, let’s turn to an excellent roadmap provided by law firm Fisher Phillips: 7 Steps to Comply with the CCPA. Please see their blog for details, but here’s the summary:

  1. Inventory and map all consumer data, including employee and job applicant data.

  2. Take appropriate steps to secure all consumer and employment-related data

  3. Prepare and provide a “notice at collection” to all consumers (including employees and job applicants) at or before collecting any consumer data.

  4. Prepare and post a comprehensive privacy policy on your website.

  5. Deploy a process to receive and respond to consumer requests from all consumers

  6. Implement data minimization rules.

  7. Train all managers and employees on all CCPA/CPRA requirements in which they play any role.


What are the penalties for violating CCPA?

Penalties are in the form of “administrative fines”, of up to $2,500 per accidental violation and up to $7,500 per intentional violation. (A higher $7,500 fine applies to even accidental violations if they affect children under the age of 16.)

Consumers can bring a direct civil action for damages of $100 to $750 per incident, or actual damages if that is greater. They also can ask for injunctive relief, or “any other relief the court deems proper”. (Don’t make the judge angry. Good advice in general, really.)

The good news is that CPRA made it clear that if your violation is an accident, the California Privacy Protection Agency can choose not to levy a fine. There are a number of other clarifications in CPRA which, in essence, recognize good faith efforts. 

The Attorney General has posted examples of enforcement which generally indicate they’re focusing on remediation, not punishment. That said, neither is the AG’s office afraid to wield the stick: in August, they announced a $1.2 million settlement with Sephora for selling customer information and not honoring opt-outs.


Other Requirements for CCPA & CPRA compliance

Most of this post has been FAQ-style. But there are a few more things you should know about:

  • Don’t retain information for longer than is actually needed.

  • If you use a third party service provider or contractor, the law still applies. “Someone else has that data” is not an excuse if you are the reason they have that data. Whoever first “touches” the consumer data is responsible for it.

  • Consumers have the right to correct inaccurate information.

  • Do not use dark patterns to trick users into giving consent. (Yes, the law actually references this. That’s a huge win for ethical user experience professionals!)

  • You must respond to consumer requests within 45 days. (You can get another 45 days to respond if you need, but you have to notify them of the delay.)

  • In responding to consumer data requests, you have to give it to them in a format that is “easily understandable to the average consumer”.

  • Don’t build shadow profiles of users who have opted out of your data collection.

  • Information about employees and job applicants is included.

  • Consent must be freely given, specific, informed, and unambiguous. (I’m sad that this had to be spelled out.)

Recommended Reading

Husch Blackwell has a good summary of the early 2021 updates from CPRA


Disclaimer

I’m a UX and marketing person, not an attorney. This post is not legal advice. Please talk to your legal department or counsel about CCPA. Have them review and approve your policies and procedures. Collect as little data as you possibly can, and be transparent. The best way to stay out of trouble is to not do anything wrong.


I originally wrote and published this blog for Imarc in 2019. I’ve updated it for the latest CCPA amendments and clarifications in 2022.

