- Information about the CCPA consumer rights.
- A link to your “Do Not Sell My Personal Information” page (if you sell the info).
- A list of the categories, sources and purposes of personal information collected and/or sold over the past 12 months.
- Your contact information.
Below, I will elaborate on what businesses and types of information are covered, what exemptions are available and how to comply.
Which businesses must comply?
- has annual gross revenues in excess of $25 million, adjusted for inflation;
- annually buys, receives for a commercial purpose, sells or shares the personal information of 50,000 or more consumers, households or devices; or
- derives 50 percent or more of its annual revenues from selling consumers’ personal information.
What personal information is covered?
The CCPA defines “personal information” more broadly than the GDPR does. “Personal information” under the CCPA means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The following list is not exhaustive, and if you collect even one item from it, you’re dealing with personal information as far as the CCPA is concerned:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information.
What information is exempt?
Certain types of information are not considered personal:
- Publicly available information.
- Deidentified information. Information that cannot reasonably identify, relate to, describe, be capable of being associated with or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information (i) has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain, (ii) has implemented business processes that specifically prohibit reidentification of the information, (iii) has implemented business processes to prevent inadvertent release of deidentified information, and (iv) makes no attempt to reidentify the information.
- Aggregate consumer information. It is data that relates to a group or category of consumers, from which individual consumer identities have been removed, and that is not linked or reasonably linkable to any consumer or household.
How to comply?
- request disclosure of information collected and sold. A business must provide the requested information, its sources and purposes of use, in a portable and easily accessible format within 45 days of the request.
- nondiscrimination relating to users who exercise CCPA rights. You must inform consumers that they have the right not to be discriminated against for having exercised their rights under the CCPA. This means you can’t deny goods or services, charge different prices, or provide a different quality of goods or services to consumers who invoke the CCPA.