The California Consumer Privacy Act (CCPA) has created a data protection and privacy framework for companies to adhere to when conducting business in California. The main focus of the Act is to protect the data of consumers in California, rather than to protect overall privacy across the US.

The CCPA sets out various rights and obligations regarding the collection and use of data. Some of these are similar to those of the General Data Protection Regulation; in some areas, however, the CCPA takes a much lighter touch. This might change depending on the Attorney General’s recommendations and on regulations that add to the rules on using such data, but it is still advisable to update privacy policies in the US to ensure compliance, and to put in place the procedures and mechanisms to respond to any requests.

Under the CCPA, there is no obligation to appoint someone to advise and assist with the compliance process. However, this doesn’t mean that such an appointment should be ignored. There is value in having someone who is in charge of ensuring that the laws are complied with and that the business is aware of its obligations under the law, and who can handle and manage the processes for responding to requests from data subjects.

Under the CCPA, three key rights are established for consumers. The first is the right to be informed, which covers being told what data is being collected on them, the purposes it is being used for, and what their other rights are.

Consumers also have the right to request that the business disclose what information it holds, the purposes it is using that information for, and whether it is selling it to third parties.

Consumers also have the right to opt out, at any time, of the sale of their personal information to third parties. This requires the organisation to provide them with a mechanism to exercise this right, which is elaborated on later in the questions below.

Under the CCPA, there are provisions that set out a right to opt out for consumers. Section 1798.120 of the CCPA sets out that consumers have the right to opt out of the sale of their personal data.

There is also an additional duty, covered later in the CCPA, relating to the data of consumers who are under age, who need to be given the option to opt in. This raises a level of complexity when it is being done online, as there are not necessarily accurate ways of verifying a user's age, so it is arguably best to provide the opt-out/in form at the earliest possible opportunity.

Section 1798.135 states that, for compliance with the earlier section, businesses need to provide a clear link on their website titled “Do not sell my personal information” which takes consumers to a page that enables them to opt out.

However, the issues outlined above around complying with the various requirements, such as having those under a certain age opt in, make placing the option behind a link that isn’t immediately available less compliant. The best practice for these purposes would be to make the opt-out available at first instance, in a similar way to how consent is collected for the use of cookies in Europe.

Yes, the concept of the sale of data under the CCPA is defined fairly broadly. It covers the disclosure, transfer, and communication of personal information to a third party for monetary or other valuable consideration. To simplify this language and make the situation clearer, if the data is transferred in return for services.

In terms of communication, this can be done electronically, by the provision of physical copies, or by oral disclosure. Thus, if there are cookies that are collecting personal information and sending it to third parties, this could be considered to fall under the sale of data. Marketing, analytics and social media cookies all provide integration with third-party services that will be making use of the data drawn down for a variety of purposes, so it is reasonable to conclude that Section 1798.120 of the CCPA does cover third-party cookies.

For failing to comply with the CCPA, there are penalties set out under Section 1798.150 regarding the damages that would be paid out. The amount can vary between $100 and $750, per customer and per incident. This enables the penalty to stack, based on the severity of any breach. Ensuring that the basics are in place, such as policies and an understanding of the obligations, is therefore crucial to avoid this.