California CCPA and Cookies: All You Need to Know

3 months ago
João Bruno Soares
12 minutes

The California Consumer Privacy Act (CCPA) is a significant piece of privacy legislation that came into effect in January 2020. It aims to enhance privacy rights and consumer protection for residents of California. Under the CCPA, California residents have the right to know what personal data is being collected about them, to whom it is being sold, and to opt out of the sale of their personal data. Additionally, the CCPA imposes penalties on businesses that fail to protect these data rights.

For businesses, compliance involves implementing systems and processes that allow consumers to exercise their rights easily. This includes the deployment of a cookie banner, which informs users about the types of cookies being used and obtains their consent.

A robust Consent Management Platform (CMP), like AdOpt, plays a crucial role here, ensuring compliance while maintaining user experience.

Key Differences Between CCPA and CPRA

In 2020, California voters approved the California Privacy Rights Act (CPRA), which enhances and expands the CCPA and is set to take full effect in 2023.

The CPRA introduces new concepts such as "sensitive personal information," which includes details like social security numbers, precise geolocation, and race or ethnic origin, providing consumers with additional controls over this information.

One of the major differences is that this new category of "sensitive personal information" is subject to stricter handling requirements. These include the need for businesses to provide additional disclosures and to support consumers' right to restrict the use of their sensitive data.

Moreover, the CPRA mandates the creation of a new regulatory agency, the California Privacy Protection Agency (CPPA), which will have the authority to enforce privacy laws and fine companies for violations. This shift not only increases the compliance burden but also elevates the risk of non-compliance.

Rights Under the CCPA

Right to Know

What is the Right to Know?

Under the CCPA, the "Right to Know" allows California residents to request and receive detailed information about how their personal data is handled by a business.

This includes information about the categories of personal information collected, the sources from which it was collected, the purpose for collection, and the third parties with whom the information has been shared.

Implementing a transparent privacy policy and using clear cookie notices can help businesses comply with these requirements.

How to Submit a Request to Know

To submit a "Request to Know," consumers typically need to complete a form available on the business's website or contact the business directly through provided communication channels.

It's important for businesses to make this process as accessible as possible, which can be facilitated by using a user-friendly CMP that guides users on how to submit these requests directly from a link in the cookie banner.

Response Time for Requests to Know

Businesses are required to respond to a Request to Know within 45 days of receiving it. This period may be extended by an additional 45 days when reasonably necessary, provided the consumer is informed of the extension within the initial 45-day period.

All AdOpt customers benefit from an automatic Request Receipt, sent to every citizen who submits a request via AdOpt links. This gives the request a more professional treatment and reinforces the commitment to, and respect for, every need requested.

Why More Information May Be Requested

In some cases, businesses may request additional information from the consumer to verify their identity and ensure the security of the personal data being requested. This is a critical step to prevent fraud and unauthorized access to sensitive information.

Info
This applies especially if the business is also subject to other parallel legislation, such as health, IRS, or immigration rules. In those cases, the company must sometimes make its entire compliance fit inside the request.

Denial of Requests to Know

A Request to Know may be denied if the business cannot verify the requester's identity or if revealing the information would interfere with law enforcement investigations or compromise other security needs. It is good practice for businesses to explain the reasons for denial clearly and provide a path for consumers to appeal the decision.

Responses from Service Providers

Service providers that receive personal information as part of their services are also obligated under the CCPA to assist in responding to Requests to Know. They must provide necessary information to the business to ensure a complete and compliant response to the consumer’s request.

Ensure Compliance with Expert Help

Staying compliant with CCPA's Right to Know provisions requires a well-structured approach to data management and consumer interaction. Consider using AdOpt, a Google-certified CMP that helps streamline these processes.

Schedule a consultation with our expert to learn more about simplifying CCPA compliance for your business.

Right to Opt-Out of Sale or Sharing

What is the Right to Opt-Out (Do Not Sell)?

The Right to Opt-Out under the CCPA gives California residents the power to say no to the sale or sharing of their personal data by businesses. This right is crucial for consumers who value their privacy and wish to control how their personal information is utilized in the digital ecosystem.

It ensures that businesses must provide a clear method, such as a "Do Not Sell My Personal Information" link on their websites, which is often part of a comprehensive cookie banner.

Submitting an Opt-Out Request

Consumers can submit an Opt-Out request through various methods provided by the business, including dedicated web forms, email, or phone calls. The process should be straightforward, typically involving clicking a link or button on the cookie notice, which should be easy to find and use.

Response Time for Opt-Out Requests

Businesses are required to act on an Opt-Out request as soon as feasibly possible, but no later than 15 days from the date the request is received. This prompt response ensures that consumers' preferences are respected without unnecessary delay.

Reasons for Denial of Opt-Out Requests

Opt-Out requests may be denied if the business cannot verify the identity of the requester or if the data is not being sold or shared in a manner that falls under the scope of the CCPA. Businesses must provide a detailed explanation of the reasons for any denial and inform consumers of their rights to dispute the decision.

Service Providers and Opt-Out Requests

Service providers play a key role in helping businesses comply with Opt-Out requests. They must process such requests according to the instructions received from the businesses they serve and ensure that no data is sold or shared contrary to the consumer's wishes.

This relationship emphasizes the importance of businesses choosing reliable service providers that understand and adhere to CCPA requirements.

Need Help Managing Opt-Out Requests?

Effectively managing Opt-Out requests can be challenging without the right tools. AdOpt offers a robust Consent Management Platform (CMP) that makes it easier to comply with CCPA regulations and handle consumer requests efficiently.

Book a demo to see how AdOpt can streamline your privacy management practices.

Right to Delete

What is the Right to Delete?

The Right to Delete under the CCPA empowers California residents to request the deletion of their personal data that a business has collected. This right is a cornerstone of the CCPA, reflecting the broader principle of "the right to be forgotten," which allows consumers to have a say in the lifespan of their data in corporate databases.

Submitting a Deletion Request

Consumers can submit a deletion request through the business's website, typically via a form specifically designed for this purpose. It is crucial that businesses make this process accessible and straightforward, often through their privacy policy page or a dedicated section within their CMP.

Response Time for Deletion Requests

Businesses are required to respond to a deletion request within 45 days. This period may be extended by another 45 days if reasonably necessary, provided the consumer is notified of the extension during the initial period.

Why More Information May Be Requested

Businesses may request additional information to verify the identity of the requester. This step is crucial to prevent fraudulent requests and ensure that the request is legitimate, thereby protecting the consumer's data from unauthorized deletions.

Denial of Deletion Requests

A deletion request may be denied if retaining the data is necessary for business or legal reasons, such as completing a transaction for which the personal information was collected, fulfilling warranty terms, conducting repairs, protecting against malicious or fraudulent activity, or complying with legal obligations.

Responses from Service Providers

Service providers must also comply with deletion requests if they handle consumer data on behalf of a business. They are required to delete the data unless it is necessary for them to retain it for legal reasons or to complete the service they provide.

Deletion and Debt Collectors

Deletion requests extend to data held by debt collectors if it pertains to consumer information collected by businesses. Debt collectors must delete information when requested unless retaining the data is necessary for the performance of their collection services as per contractual or legal obligations.

Deletion and Credit Reporting Agencies

Similarly, credit reporting agencies must comply with deletion requests for any consumer data they have acquired. However, they may retain data if required by law or if it is necessary for them to fulfill their role in credit evaluation or reporting.

Right to Correct

What is the Right to Correct?

The Right to Correct under the CCPA allows California residents to request the correction of inaccurate personal information held by a business. This right ensures that consumers can maintain the accuracy of their data, reflecting changes or rectifying errors, which is essential for fairness and the integrity of data processing.

Submitting a Correction Request

Consumers can submit a correction request through a business's digital platforms, typically via a straightforward form linked within the privacy policy section or accessible through a Consent Management Platform (CMP).

The process should be user-friendly, allowing consumers to specify the exact nature of the inaccuracies and the proposed corrections.

Response Time for Correction Requests

Businesses must address correction requests within 45 days of receipt. This timeframe can be extended by an additional 45 days if necessary, provided the consumer is informed of the extension and the reasons for the delay during the initial response period.

Why More Information May Be Requested

To ensure the security and accuracy of the correction process, businesses may require additional information from the requester to verify their identity and the legitimacy of the correction request. This step helps protect against fraudulent requests and maintains the integrity of the data management system.

Denial of Correction Requests

Correction requests may be denied if the business determines that the data is accurate as it stands, if the identity of the requester cannot be verified, or if the requested changes fall outside the scope of CCPA requirements. In such cases, businesses are obliged to provide a clear explanation of the reasons for denial and inform the requester about any further actions they may take to contest the decision.

Right to Limit Use of Sensitive Personal Information

What is the Right to Limit?

The Right to Limit under the CCPA gives consumers the power to restrict how businesses use their sensitive personal information.

This category of data includes details like:

social security numbers, 
precise geolocation, 
racial or ethnic origin, 
sexual orientation, 
health information. 

Consumers can request that such information be used solely for the essential purposes necessary to perform the services or provide the goods requested by them, rather than for broader advertising or marketing purposes.

Right to Non-Discrimination

Ensuring Non-Discrimination

The CCPA's Right to Non-Discrimination ensures that businesses cannot discriminate against consumers who exercise their privacy rights.

This means a business must not deny goods or services, charge different prices, provide a different level or quality of goods or services, or suggest that a consumer will receive a different price or rate for goods or services if they exercise their rights under the CCPA.

Businesses must explicitly inform consumers of this right, often within their privacy policy or through a clear message in their cookie banner.

Protect Your Privacy with AdOpt

Understanding and exercising your CCPA rights, including the right to limit the use of your sensitive personal information and the right to non-discrimination, is essential.

AdOpt provides an intuitive Consent Management Platform (CMP) that helps consumers manage their privacy preferences efficiently and ensures businesses comply with these important regulations.

Schedule a demo to discover how AdOpt can assist you in navigating these rights effectively.

Required Banners Under CCPA

Notice at Collection

Definition and Importance of Banners at Collection

The "Notice at Collection" under the CCPA is a critical requirement for all businesses that collect personal information from California residents. This banner, or notice, must clearly inform consumers at or before the point of collection about the categories of personal information being collected and the purposes for which it will be used. It serves as a foundational element of transparency and trust between businesses and consumers, ensuring that individuals understand how their data is being handled right from the beginning.

Locating a Business's Banners at Collection

Businesses are required to display their Notice at Collection prominently on their website, typically at the footer of the homepage or as a pop-up when a user first visits the site. This ensures that the notice is easily accessible and visible to all consumers before any personal information is collected. For businesses using a cookie banner, this is often integrated into the initial user interaction.

Privacy Policy

What is a Privacy Policy?

A Privacy Policy is a document that outlines how a business collects, uses, stores, and protects the personal information of its customers. Under the CCPA, having an up-to-date and comprehensive privacy policy is not just a best practice but a legal requirement. This policy must detail the types of data collected, the purpose for the collection, the rights of consumers regarding their personal information, and how they can exercise these rights.

Locating a Business's Privacy Policy

A business's Privacy Policy should be easily accessible on its website, typically linked from the footer of every page or included in the website's main menu. It is also commonly linked within the Notice at Collection and any CMP interfaces that manage consumer data preferences.

Streamline Your Compliance with AdOpt

Navigating the requirements of the CCPA can be complex, especially when it comes to effectively implementing required notices and maintaining an accurate privacy policy. AdOpt simplifies this with its Privacy Policy Generator that integrates seamlessly into your digital infrastructure, ensuring compliance while enhancing user trust.

Book a consultation to learn more about how AdOpt can help.

Compliance with CCPA

Businesses Subject to CCPA

The CCPA applies to for-profit businesses that operate in California and meet any of the following criteria:

Have a gross annual revenue of over $25 million; 
Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or 
Derive 50% or more of their annual revenue from selling California residents' personal information. 

These criteria make the CCPA applicable to a wide range of businesses from small startups to large enterprises, emphasizing the importance of robust data protection practices.

Nonprofit and Government Agencies

Nonprofit organizations and government agencies are generally exempt from the CCPA.

This exemption stems from the CCPA's focus on commercial enterprises and the buying and selling of consumer data for profit.

However, nonprofit organizations that engage in activities that resemble for-profit behaviors might still need to comply with certain aspects of the law, especially if they handle large amounts of personal information.

CPRA Amendments to CCPA

The California Privacy Rights Act (CPRA) amends and expands the CCPA, introducing new requirements and strengthening consumer privacy rights.

Set to take full effect in 2023, the CPRA introduces concepts such as risk assessments, regular audits, and enhanced rights around sensitive personal information.

These amendments aim to tighten privacy protections and increase transparency in data processing activities.

Data Breaches and Legal Actions

The CCPA provides consumers with the right to take legal action against businesses that violate their privacy rights due to a data breach.

If a business fails to implement reasonable security procedures and a breach occurs that compromises personal information, it can be held liable for damages.

This aspect underscores the need for businesses to maintain high standards of cybersecurity to protect consumer data.

Statutory Exemptions for Employee Data

The CCPA includes temporary exemptions for personal information collected from job applicants, employees, and contractors. These exemptions were extended by the CPRA until January 1, 2023, after which businesses must fully comply with the act regarding employee data, treating it with the same level of protection as consumer data.

Use of Authorized Agents

Under the CCPA, consumers can designate an authorized agent to act on their behalf to exercise their rights under the law. This includes submitting requests to know, delete, or opt out of the sale of personal information.

Businesses must treat requests from authorized agents as if they came directly from the consumer, provided the consumer has given the agent written permission to act on their behalf.

Ensuring Full Compliance with AdOpt

Ensuring compliance with the CCPA and its amendments through the CPRA can be daunting. AdOpt provides a comprehensive Consent Management Platform that helps businesses navigate these complex regulations effortlessly.

Schedule a demo today to see how AdOpt can streamline your compliance processes and safeguard consumer privacy.

Data Brokers and CCPA

Definition of Data Brokers

Under the CCPA, data brokers are defined as businesses that collect and sell personal information about consumers with whom they do not have a direct relationship.

These entities play a significant role in the digital advertising ecosystem, compiling data from various sources to create detailed consumer profiles that are then sold to advertisers, marketers, or other third parties.

Identifying Data Brokers

Identifying data brokers involves looking for companies that primarily deal in consumer data without directly interacting with the individuals whose data they process.

These companies often operate behind the scenes, making them less visible to the average consumer. Consumers can refer to the state's official data broker registry, where data brokers are required to register under the CCPA, providing transparency about their operations.

Stopping Data Brokers from Selling Personal Information

Consumers have the right under the CCPA to opt out of the sale of their personal information by data brokers. To exercise this right, consumers can submit a formal request to opt out directly to the data broker.

Additionally, utilizing a Consent Management Platform (CMP) can simplify the process of managing and revoking consent across multiple platforms, including those operated by data brokers.

Navigating the complexities of data privacy and managing interactions with data brokers can be challenging. AdOpt offers a robust CMP that helps consumers control their personal information and ensures businesses comply with the CCPA.

Book a consultation with our experts to learn more about protecting your data and maintaining compliance with privacy regulations.

FAQs Regarding CCPA and Cookies

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a data privacy law that grants California consumers enhanced privacy rights, including the ability to access, delete, and opt out of the sale of their personal information.

What do GDPR and CCPA stand for?

GDPR stands for General Data Protection Regulation, a comprehensive data protection law that took effect in the EU in May 2018. CCPA stands for California Consumer Privacy Act, a significant piece of privacy legislation that became effective in California in 2018.

What is the remediation period allowed for businesses after a CCPA violation?

Businesses have 30 days to address and rectify any CCPA violations after receiving notice from the enforcement authorities before penalties are applied.

What are the differences between GDPR and LGPD?

The GDPR is distinct from LGPD in that it specifies examples of personal data and categorizes certain data as "special categories," which include information on political opinions, personal health, racial or ethnic origin, biometric data, and genetic data.

When does GDPR apply to U.S. companies?

The GDPR applies to any U.S. company that processes personal data of EU residents, regardless of where the company is based. Therefore, U.S. businesses that handle, store, or process information from individuals within the EU must adhere to GDPR regulations.

When does GDPR apply in Brazil?

The GDPR applies to any business processing personal data of EU residents, regardless of the business's location. Thus, Brazilian companies interacting with EU citizens' data must comply with GDPR.

What does CPRA mean?

The California Privacy Rights Act (CPRA) is an extension and enhancement of the CCPA, offering greater consumer privacy protections.

How can businesses comply with the CCPA's requirement for a Notice at Collection?

Businesses must clearly display a Notice at Collection at the point of data capture, informing consumers of the categories of personal data being collected and its intended use.

What are the CCPA's penalties for non-compliance?

CCPA non-compliance can result in fines up to $7,500 per violation for intentional breaches and $2,500 per violation for unintentional breaches, with additional penalties for mishandling minors' data.

How does CCPA affect data brokers?

Data brokers under the CCPA must register with the state and provide consumers with the option to opt out of the sale of their personal information.

What is required for a valid CCPA consumer request response?

Businesses must respond to consumer requests under CCPA within 45 days, providing detailed information about personal data handling, with a possible 45-day extension if necessary.

What is the difference between selling and sharing personal information under CCPA?

"Selling" refers to exchanging personal data for monetary or other valuable consideration, while "sharing" is typically for advertising or marketing purposes without direct compensation.

What rights do employees have under CCPA?

As of January 1, 2023, employees in California have the same rights to access, delete, and correct their personal data as other consumers under the CCPA.

How do businesses verify consumer identities for CCPA requests?

Businesses must implement reasonable security measures to verify the identities of requestors to ensure that they are the rightful owners of the data or authorized agents.

What exemptions exist under the CCPA?

The CCPA provides exemptions for certain types of information and business activities, including medical information governed by other privacy laws and certain financial information.

How can businesses facilitate CCPA compliance regarding consumer rights?

Businesses can facilitate compliance by employing a robust Consent Management Platform (CMP) like AdOpt, which helps manage consumer requests and ensures transparency and accountability in data processing.

For more detailed explanations or to see how AdOpt can help your business comply with CCPA, book a call.
