CCPA and GDPR. Two distinct regulatory acts with one common mission: to protect user data. They’ve both already gone into effect, they both carry penalties for non-compliance, and both acronyms can send a chill down your spine if you’re in charge of managing a website for a company that’s impacted by them.
These two acts are similar in structure and purpose, but have a few key differences. Much like the way GDPR impacts anyone doing business with a member of the European Union (whether that business is located inside or outside the EU), the CCPA specifically impacts for-profit companies who conduct business in California.
The CCPA (California Consumer Privacy Act) gives consumers in California explicit privacy rights, like:
- The right to know what personal information is collected, used, shared, or sold;
- The right to delete personal information collected by businesses;
- The right to opt-out of their personal information being sold; and
- The right to non-discrimination in price or service when a customer exercises a privacy right under CCPA.
Similarly, the GDPR (General Data Protection Regulation) enforces data protection for citizens of the EU, and protects the following privacy rights:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure (right to be forgotten);
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- The right not to be subject to automated decision-making, including profiling.
Other key differences to know:
CCPA requirements to note
There are some major takeaways from CCPA to keep track of, like:
Notifications: Consumers must be notified their data is being collected either before or during data collection.
Notices: Businesses required to comply with CCPA must provide notice to consumers if they intend to sell their data:
- “Selling” means: selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
- Your homepage should have a clear link titled “Do Not Sell My Personal Information,” which points to an opt-out page.
- You should note that it’s completely legal to create a separate, California-specific homepage (so you can keep the “Personal Information” text off your US-focused homepage) as long as you take reasonable steps to ensure California consumers are directed to the homepage with the CCPA text.
Timing: Businesses must respond to requests from consumers to know, delete, and opt-out within specific (and yet-to-be announced) timeframes.
Identity verification: Businesses must verify the identity of consumers who make requests to know or delete their information.
Age restrictions: Businesses must receive consent to sell data of users under age 16, and parental opt-in to sell data of children who are under 16 years old; meaning businesses will need to ask consumers who reside in California to verify whether they are 16 years of age or older before they can begin selling any data obtained from a minor.
Financial incentives: According to the OAG (the California Attorney General’s office), “Businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information.”
Record maintenance: Businesses must maintain records of requests and how they responded for 24 months to demonstrate compliance.
- Request disclosure of information collected (GDPR).
- Request disclosure of information sold.
- Nondiscrimination relating to consumers who exercise CCPA rights; and
- Opt out, along with a separate link to the “Do Not Sell My Personal Information” opt-out page.
Source: CCPA Fact Sheet
Checklist for becoming CCPA compliant
If your business meets the requirements for CCPA, you’ll want to ensure that:
- You have a cookie notification opt-in for those who come to your site.
- Your outbound communication has a clear opt-out option on all communications.
- You’ve updated your homepage with a message that states, “Do Not Sell My Personal Information,” which links to an opt-out form.
- You’ve received explicit consent to sell personal information from anyone under 16.
- You create a process for responding to opt-outs in a timely manner.
- You’re disclosing any financial incentives and how the value was calculated.
- You create a system for maintaining accurate records of requests and responses.
Feeling overwhelmed, perplexed, or even downright scared of these recent laws?
You’re definitely not alone. Many businesses across the board are still confused about what they need to accomplish to be compliant, especially with CCPA. To get the latest information on CCPA and how it will impact your website needs, subscribe to our emails.
Contact FFW if you need a website update made ASAP.
Sometimes things fall through and you need a website change made right away. If you find that’s your case with CCPA, give FFW a call.
We were able to help this higher education institution in record time, and we’d love to do it for you too.