Your company can’t afford to ignore the California Consumer Protection Act.

The California Consumer Privacy Act (CCPA) gives consumers more control over the personally identifiable information (PII) that businesses collect about them. CCPA secures new privacy rights for California consumers, including the right to know about the PII a business collects about them, the right to delete PII collected, the right to opt out of the sale of their PII, and the right to non-discrimination for exercising their CCPA rights.

The CCPA gives consumers a number of rights in regard to their PII:

• Know whether personal data is collected
• Know which personal data is being collected
• Know specific categories of data a business collects
• Know categories of third parties with whom personal data is shared
• Know categories of sources of personal data
• Know the business or commercial purpose of collecting personal information
• Move (port) personal data
• Say no to the sale (or exchange) of personal data
• Delete personal data

The CCPA and its regulations apply to entities within California, as well as those located outside of California that engage in transactions with Californians for the purpose of financial gain OR collect any information from California residents. It also applies to any business that meets one or more of the following thresholds:

• Has an annual gross revenue of over $25 million USD
• Holds data containing personally identifiable information of 50,000 or more Californian consumers, households, or devices
• Derives 50% or more of its annual revenues from selling consumers’ PII

In order to be compliant, your business should disclose your CCPA obligations front and center on your website (and wherever else you collect consumer data). Ask consumers to opt in or out of sharing some or all aspects of their personal data, including information collected by pixels, cookies, and other tracking technologies.

Additionally, you need to share all privacy information with consumers in a central place on your website. This information should include the following:

• Your latest privacy policy describing consumer rights, including any state privacy policies that apply (like CCPA)
• An opt out button
• A way for consumers to submit a Data Subject Access Request (DSAR)
• A way to capture, validate, and retain DSARs and enact Do Not Sell requests

When responding to a DSAR, you’ll typically need to access, modify, and delete data from your backend data management systems that host personal data.

You’ll need to create internal reports that demonstrate your compliance and — if you disclose personal information to third parties — show that you can send deletion requests and ensure they’re being followed. You’ll also need to maintain updated suppression lists and demonstrate they are being applied both internally and by third parties.

A Data Subject Access Request (DSAR) allows people to make their desire to access, change, and control the data businesses collect about them known. Your company will need to provide methods for people to register these requests and respond accordingly. Such disclosures include data covered 12 months before the request.

DSARs include people seeking to know what data your organization holds about them, your intentions for collecting and using that data, to correct their data preferences, to exercise their “right to be forgotten” (to have an organization erase their records), and more.

When it comes to the consumer right to opt out of the sale of personal information, businesses are required to provide two or more methods for submitting such requests. These methods should require minimal steps to allow consumers to opt out and be easy for them to execute.

The California Privacy Rights Act (CPRA) will take effect on January 1, 2023 and replace the CCPA. The CPRA is widely viewed as California’s version of the GDPR. It gives consumers more control over their personal data and holds businesses more accountable for protecting the data they collect and process.

The CPRA will apply to any legal entity that

• Does business in the State of California, regardless of where the entity is located
• Collects consumers’ personal information
• Buys, sells, or shares the personal information of 100,000 or more consumers or households in a year OR derives 50% or more of its annual revenue from selling or sharing consumers’ data.

The Act also requires regulated businesses to provide CPRA training to employees dealing with consumer inquiries related to company privacy practices, as well as anyone responsible for the organization’s CPRA compliance.