CCPA Consent Management Requirement

UniConsent


Updated 22 Nov 2019: IAB Tech Lab released the final version of the IAB CCPA Compliance Framework (v1), and UniConsent has started to support this framework.

The California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020 and may affect how your website is allowed to handle the personal information of Californians.

CCPA is a regulation similar to Europe's General Data Protection Regulation.

According to Adexchanger, the California attorney general’s office recently published the first draft of its implementation regulations for the California Consumer Privacy Act.

Said California AG Xavier Becerra, "Our personal data is what powers today’s data-driven economy and the wealth it generates. It’s time we had control over the use of our personal data – that includes keeping it private."

The transfer of personal information to a third party always counts as a sale according to CCPA.

There is a difference between third parties and service providers. Service providers don't have to deal with data access and deletion requests.

The main tenet of CCPA is that consumers have the right to opt out of the sale of their personal information.

Sale under CCPA means: selling, renting, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or third party for monetary or other valuable consideration.

CCPA Terms: Household: a person or group of people; Third parties: any entities that don't collect personal information from consumers directly.

Personal information in the CCPA

  • Identifiers such as cookies, beacons, pixel tags, telephone numbers, IP addresses, account names.
  • Biometric data such as face, retina, fingerprints, DNA, voice recordings, health data.
  • Geolocation data such as location history via devices.
  • Internet activity such as browsing history.
  • Plus data regarding personal characteristics, behavior, religious or political convictions, sexual preferences and so on.

1. Provide notice

Companies are required to notify consumers, either at or before the time of collection, what categories of personal data will be collected and how the data will be used.

2. Clear opt-out button

Companies that sell personal information need to include a button on any webpages collecting personal data titled "Do Not Sell My Personal Information" or "Do Not Sell My Info" that links to the notice.

3. Privacy policy update

Companies have to update their privacy policy to include clearly written information on a consumer's rights under CCPA, a list of what personal information the business has collected about consumers in the preceding 12 months, and disclosures on whether that information is being sold.

4. Opt-out and deletion request

Companies should provide a two-step process for online deletion requests in which consumers must separately confirm that they really do want their data deleted.

Companies can comply with deletion requests by "permanently and completely" erasing the personal information on their existing systems, by de-identifying the data or by aggregating it so that it’s no longer identifiable to an individual.

Businesses should set up a CCPA consent management system, like a GDPR consent manager, to prepare for the upcoming law.
