Gathering users’ personal data is what enables companies to customize their strategies and increase sales. However, consumer rights and privacy regulations such as the GDPR and regular data privacy laws restrict the unlawful collection of personal information.
In the same vein as GDPR, the CCPA regulations protect consumers’ privacy rights, specifically designated to help Californian citizens govern how businesses collect and share their information.
Even if your business is not physically located in California, USA, CCPA could still apply to how you use your Divi website to collect personal data. In this article, we’ll share seven CCPA compliance tips to help you become and stay compliant with the regulation. Let’s get started!
Disclaimer: We are by no means attorneys or legal CCPA advisors. The following advice comes strictly from our experience and educated work. From a legal perspective, for implementing CCPA regulations to their full extent, please consult with a legal solicitor before starting your online business with a Divi website.
1. Get Familiar with CCPA and its Implications
The CCPA mandates that California citizens have a right to know how businesses collect and share their data and how they plan to use it afterward. Additionally, users must have the option to opt out of their data being sold and receive a copy of their information.
If citizens become data breach victims, these residents can take legal action against the businesses responsible for the damage.
So, who must comply with CCPA? Any for-profit business entity that meets the following criteria:
- Collects users’ personal data.
- Conducts business in California.
CCPA also covers businesses that meet at least one of the following annual thresholds:
- Has $25 million in annual gross revenue.
- Collects the personal data of 50,000+ consumers or households.
- Derives half of its annual revenue from selling user data.
It should be noted that the CCPA applies only to for-profit businesses, including companies that collect and sell personal information to third parties. The law protects only California citizens.
So, what can consumers do under CCPA? Well, apart from data breaches, consumers can submit the following requests:
- Request to know the categories or pieces of personal data that have been collected, the sources from where the data is collected, and the purpose for which the data is collected.
- Request to delete the collected personal information.
- Request to opt out of having their personal data sold.
2. Create a Personal Data Map
When you confirm that CCPA applies to your business and your Divi website, you must outline the personal data that you collect from the users. Gather your team and answer the following questions:
- What type of personal information do we currently collect?
- Which data collection methods do we use?
- Where do we store the data that we collect?
- With whom do we share the data that we collect?
- Do we sell the personal data we collect or use it for other purposes?
Californian users can ask how you collect and use the data gathered through your Divi website. Thus, you must be able to answer each of the questions above as soon as you meet with the team.
Section 1798.140 of the California Civil Code lists the following examples of personal data that is protected under CCPA:
- Personal Identity: It is defined as “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services.” This includes customer numbers, IP addresses, as well as pseudonyms, and online aliases.
- Biometrics: Health data collected by smartphones or wearables, and personal health information that can be gathered offline, such as DNA or psychological records.
- Geo-Data: Precise locations obtained via GPS or similar devices, such as a restaurant check-in that can be traced to a specific customer.
The CCPA does not apply to the following categories of information, which are either public or regulated separately:
- Public Information: Information obtainable through government records isn’t considered “personal information” under CCPA, and thus, it’s not protected.
- Personal Health: Medical data covered by the Confidentiality of Medical Information Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is regulated separately.
- Financial Information: Any data defined by the California Financial Information Privacy Act is not protected under CCPA.
3. Review Third-Party Collaborations
Nowadays, almost every business relies on third-party services for various online operations. However, some of the biggest personal data breaches occurred because of poorly managed third-party collaborations.
The risk of data breaches requires a strong third-party risk management program that improves collaborations and resolves data breach situations promptly.
To make sure that you’re CCPA compliant, you must meticulously evaluate each process involving your third-party vendors and review the contracts so that it is clear who is responsible when a data breach arises.
4. Examine and Readjust Your Privacy Statements
Your privacy notices and statements exist to notify users how their data is gathered and used, as well as inform them about the choices regarding their personal data on your Divi website.
When the GDPR came into force, businesses immediately included a detailed privacy disclosure on their respective websites, letting users know about the data collection methods.
CCPA requires a corresponding action. If CCPA is applicable to your business, you must provide a data collection disclosure prior to the moment of data collection. Within your disclosure, you can mention things like:
- The categories of personal data that you collect
- The specific pieces of information that you collect
- Where you collect the personal data from
- The third parties that you share personal information with
- The purpose for using consumers’ personal data
Make sure that your disclosure is posted visibly on your Divi website. Commit to regular CCPA disclosure updates throughout the year and be prepared to provide more details to users upon request.
5. Allow Users to Opt Out of the Sale of Their Data
In most cases, this is done by placing a “Do Not Sell My Data” link or button on your home page.
With that, users can click the link and reach a page where they can request to be excluded from the sale of their data. Bottom line, exercising consumer rights must be readily available to users on your Divi website.
6. Determine How You’ll Address User Requests
As a business, you must have a process for responding to various user inquiries, including requests about how you use their data. According to CCPA, you must answer any user request within 45 days, at no expense to the consumer. In principle, you need to establish the following for consumers:
- Provide them with copies of their personal data.
- Delete their personal data upon request.
- Explain the type of personal data that you sell.
- Obtain parental consent before selling the data of users under 13 years old.
Make sure that you understand each CCPA guideline and fulfil your legal obligations under each of the points above.
7. Educate Your Team
To make sure that your Divi website is entirely CCPA compliant, develop policies and methods to support customer demands, and make sure that your team knows how to respond to data privacy requests as soon as they arise. Hold training sessions that educate them on the following CCPA key points:
- What CCPA entails and how it applies to your business.
- How the CCPA defines consumers (California citizens).
- How to identify users’ personal information.
- How to process customer data inquiries.
- How to handle a potential personal data breach.
Ensure your team understands the legislative purpose behind CCPA and how it affects your website’s data inventory processes.
CCPA compliance can be challenging, but it’s not impossible. If you follow the steps above, you can cover almost every CCPA aspect. Keep in mind that you must do your due diligence before every step to make sure that your Divi website is fully CCPA compliant.