CCPA regulations. The fourth set of proposed modifications

Following previous modifications in October 2019, and in February and March 2020, the latest updates landed in December, delivered by the California Department of Justice.

CCPA regulations. The fourth set of proposed modifications

Each set of the previous modifications results from taking account of, and action on, the comments made to each of the developments in the earlier sets.

This latest, fourth set of modifications is primarily concerned with:

1. The right to opt-out

The proposed modifications concerning the right to opt-out are concerned with businesses selling personal information gathered in offline situations.

The new regulation dictates that companies should provide an opt-out of selling personal data in that same situation.

It delivers strong examples here—if the data is gathered during a phone call, the call must include dialogue that makes the subject aware that their data may be sold and an opportunity to opt-out from its selling. In this situation, the opt-out is verbal, as is the rest of the conversation and its arrangements and agreements.

The same must be provided then, in written arrangements, verbal methods in other situations (face-to-face, in-store, or video calling, for example), and during any other offline method.

2. The re-introduction of a company opt-out button

The use of an opt-out button looks to have been standardized by introducing a uniform logo that all companies should use when implementing the option. There are supporting instructions relevant to its use—once again, to keep the system standardized across the market.

An opt-out button was included in the first set of the CCPA regulation modifications, yet was removed due to negative feedback.

CCPA regulations. Opt-out button regulation updates

The following paragraphs were added to create a new section of the regulations, the first covers a smaller simple blue coloured tick/cross image, and the second the same image with the Do Not Sell My Personal Information wording to its right-hand side:

  1. May be used in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a ‘Do Not Sell My Personal Information’ link as required by; and
  2. Where a business posts the ‘Do Not Sell My Personal Information’ link, the opt-out button shall be added to the left of the text demonstrated below. The opt-out button shall link to the same Internet webpage or online location to which the consumer is directed after clicking on the ‘Do Not Sell My Personal Information’ link.
  3. The button shall be approximately the same size as any other buttons used by the business on its webpage.

3. Processing consumers requests to opt-out

The final modification includes instruction into streamlining the opt-out process as much as possible.

This subsection details that the method to opt-out should be just as simple as opting in, with no additional steps included in the process. Both options should contain the same number of steps in their process.

Comments to modifications closed on December 28th 2020.

For the full set of changes and modifications can be viewed here.

A privacy policy is a statement of how the website operator collects, stores, protects and utilizes its users’ personal data.

Much of the consumer data is gathered automatically with the delivery of cookies, yet there are other, more obvious tools, including sign-up forms, newsletter subscriptions, new account registrations, and more.

Every user has a right to their privacy and to understand how businesses will use their information. It’s also their right to retract their decisions at any point navigating your website.

A privacy policy outlines all the elements required to comply with the latest data privacy laws.

GDPR. How do I add a privacy policy to my website?

Many modern website systems feature automated placements, implementing the legal policies to your website framework, yet others will rely on you to create your pages and insert them manually.

There are plenty of templates and online generators that will show you how to make a privacy policy for your website, delivering a document specific to your operations on completion.

If you’re unsure of exactly what you need, how to create a privacy policy specific to your business, or where to host it, the following information should steer you in the right direction. If you’d like a more personal touch or specific answers to how our system can help you develop and manage your company privacy policy, we’d love to help.

GDPR. Organizing cookie and privacy policies

How to add a cookie policy to a website is a very similar process. In some cases, a single directory will contain both policies and the links to each feature in most of the same places.

Why do websites show cookie policy separate to privacy policy? Well, with websites legally having to gain consent for their site cookies before they deliver them and activate the functions they control, they have grown into a considerable area of data privacy.

There’s a lot to cover, so it makes sense for providers to create separate policies for cookie use and delivery, and that of general data processing through other means, such as contact forms and mailing lists.

How to write a company privacy policy

According to GDPR, privacy policies must be:

To collect information directly from an individual, a privacy policy must include:

The most typical elements you’ll see covered by standard privacy policies, therefore, are as follows. However, depending on the data you gather, and how you use it, there are often areas unique to specific business practices that aren’t covered below.

GDPR. Privacy policy best practices

Your users need to understand exactly what’s good and bad practice, and the wrong and right ways of delivering information.

Be direct, instructional, and informative, leaving no room for doubt. Qualifiers such as may, might, some, and often should be replaced with will, won’t, must, mustn’t, all, none, always, and never.

If you plan to use the data for research or develop new services, you must be clear when describing the type of research and what each new service is intended to provide.

You should write in clear, easy to understand English (or the native language for the website). Using legal or technical jargon is frowned upon, as your users won’t necessarily be specialists in your industry.

Always aim to write in the active tense using well-structured sentences and paragraphs.

Clear and defined headings make documents easier to navigate, while bullet lists deliver easier to digest information than large text blocks.

How to add a privacy policy to your website or app

The following suggestions outline the essential placements for links to your policy page. Ideally, you should try to provide access from every page of your website or app, as your policy needs to be easily accessible to visitors at all times. This promotes transparency and inspires trust. Not only that, more often than not, it’s a legal requirement.

In footer links: Traditionally, most privacy policy links will be found in the footer menu, appearing on every page the site. They could even sit with the legal details on the copyright line. This provides the instant access your visitors need, wherever they are within the site.

On sign-up forms: Another good practice is including the link to your privacy policy in the small print at the bottom of sign-up forms. This assures new subscribers that you’re acting according to appropriate laws and practices.

Checkout pages: Given the additional personal data collected from a consumer during a sale, many vendors will include their privacy policy at some point in the process. A privacy policy link will often appear alongside terms of service, cancellation, refund, and shipping policies.

Cookie consent banners: Cookie consent banners and pop-ups are now standard components on all websites, allowing the website operators to deliver the functionality they intend for their visitors and deliver the information they legally need.

Sign-in pages: Signing in or signing up to new services requires your personal data. Including a privacy policy link on these pages is another a healthy reminder of your users’ rights.

About menus: Where a website has a dropdown menu containing all of the company history and legislation information, this is another appropriate location for your privacy policy link.

How often should a privacy policy be updated?

The way we do business during the modern climate changes from one day to the next, and the way we expect our websites to keep up has become part of everyday life. If any of the systems we add, develop, instigate or amend, affect the way we gather or use our customer or subscriber data, then it must be reflected in the company policy.

Reviewing a privacy policy should be a regular practice, and wherever change is required, you must update your policy immediately. If you fail to keep it up to date, you could be in danger of breaking the terms you’re legally required to uphold.

Updating users and subscribers

You may be legally required to notify your users of updates. Even where that does not apply to your business, it’s still good practice and should be part of your process.

The primary overseers of data protection and privacy all require updates and notifications, each of which will leave organizations open to penalties if they fail to follow legislation.

It’s also an opportunity to engage with customers, clients, and subscribers with any additional messages you may want to share with them.

Email notifications, pop-ups, and site banner delivery

You can notify users and subscribers in a few different ways. Your website’s cookie consent generally operates as a banner or pop-up message, so another inclusion asking your visitors to review your policy could be the simplest way of highlighting them to it. In other schools of thought, it’s just one more task for your visitors to wade through before they can finally access the content they want to read.

Alternatively, you could fire out an email to all subscribers and customers, or add a blog or news page with the latest news. A link featured prominently on your homepage is enough to promote updates—that way it won’t interfere with your visitor’s ability to navigate freely through to the required content.

Wrapping things up…

With regulations for data protection and compliance playing such a vital role in today’s websites, isn’t it time that you handed over the hard work to a system that’s quick and easy to deploy and simple to use?

PrivacyRun delivers the efficient and cost-effective solution every business needs to manage its website users’ personal data.

Our solutions are compliant with CCPA and GDPR, helping users worldwide to stay within the limits of the law, avoiding penalties and hefty fines.

If you’d like to know more about how PrivacyRun works and the vital benefits it can deliver to your business, we’d love a chance to tell you all about it. Why not give one of our team a call today, or drop us an email and we’ll get back to you at an appropriate break in your schedule.

Personal data protection has managed to push itself to the forefront of how we do business, deliver information, and collect useful particulars of the people we do—and would like to do—business with.

With the rise of the Internet and its fast-paced growth, our information is more accessible than ever. Handing over names, addresses, and bank details are all definite candidates for protection. Yet, recently the CCPA and GDPR legislation has been compacted to protect us against any personal data breach, whether we’re visiting websites or physical businesses.

We’re here to look into what that personal data is, the difference between GDPR vs CCPA collections, the deadlines for data provision and removal, and of course, how our PrivacyRun tool will help keep you ahead of the curve at all times.

First, though, for anyone not in the know, what is GDPR and CCPA? Well, they’re the legislative acts that define how consumer data is monitored and regulated. The acronyms stand for General Data Protection Regulation and California Consumer Privacy Act.

GDPR is European legislation, and one of the most in-depth measures to control data throughout the world. It’s become the standard for the rest of the world to follow.

What about the CCPA? Why only California consumers?

In the absence of an overall US law or regulation to contain data use, selling, and privacy in the States, the CCPA is the best they’ve got.

What are the GDPR and CCPA data rights?

Both organizations provide the data subject with similar rights, yet we’d be remiss if we didn’t outline the CCPA and GDPR differences.

The basic CCPA vs GDPR data rights are shown below.

So, how is CCPA different than GDPR when it comes to each of these rights? We’ll look at each one in a little detail to expand on what they mean.

Right to erasure

A consumer or data subject has the right to deletion unless in very specific circumstances. From the CCPA, the data needs to have been collected from the consumer to apply.

Exceptions from both legislations include freedom of speech, processing of personal data for research purposes, legal claims, and when complying with a legal obligation.

Right to be informed

The consumer or data subject also has the right to be informed at the point where their data is collected and processed. The information must include the categories of data, the purpose of its processing and the rights of the consumer. The CCPA demands that the ‘Do
Not Sell My Personal Information Page’ link is included on any inclusion where the business intends to sell or transmit the data to a third party.

Right to object

All consumers and data subjects have the right to opt-out of such data processing or selling. The CCPA, again, demands the inclusion of the ‘Do Not Sell My Personal Information’ link.
The GDPR stipulates that there should be several ways to opt-out of processing, by withdrawing consent or exercising their right to object.

Right of access

Another stipulation is the access and full visibility of the data that’s collected about each individual. Where access is granted, the information must be available to be transmitted back to the individual electronically, in a portable and useable format.

This pocket of information includes:

The CCPA also specifies consumers have the right to the categories of third parties their data has been shared with.

Right not to be subject to discrimination for the exercise of rights

This is a hard and fast rule of the CCPA, whereas, with the GDPR, it’s not exclusive. Yes, you can find provisions in several areas of GDPR that amount to a similar thing, more along the lines of discriminatory consequences derived from the processing of their data.

The CCPA, with its definite scope, protects the use of consumer data to prevent being denied goods or services. It also prevents consumers from being charged different prices or rates for goods and services, provided a different level of quality for the same, or even to have it suggested that they’d receive different prices and rates.

Right to data portability

Both laws offer fairly consistent rules and values about portability. The CCPA sees it as a right to access, while the GDPR considers it a separate and distinctive right.

What they do agree on is that data subjects and consumers have a right to a structured, easily transmitted, and machine-readable format of their data.

Applications require replies in specific timeframes, of which we’re about to detail.

Compare GDPR and CCPA notice periods and active timescales

Right to erasure, right to data portability—notice periods and timescales

Both legislations allow the deletion of individuals’ data apart from where specific exceptions apply. The deletion applies to any data collected from the consumer. The rights are very similar, only the timescales and a few other specifics differ.

GDPR versus CCPA timeframes:

GDPR – Requests for removal must be replied to within 1 month of the data subject’s request. This deadline can be extended a further 2 months in complex cases with large numbers of requests. However, the deadline must be outlined in the initial reply.

CCPA – Requests for removal must be replied to within 45 days of the consumer’s request. This deadline can be extended a further 45 days when reasonably necessary. Again, the extension must be outlined in the initial reply.

Interested in our solution?

Let's talk

How PrivacyRun manages GDPR and CCPA compliance to keep you within the boundaries of legislation

PrivacyRun is the perfect solution to these CCPA GDPR problems. It’s fully compliant and built to make sure your business avoids missing deadlines—then becoming subject to the hefty penalties and fines.

It’s a personal data administrator’s optimum tool to monitor deadlines, responses, requests, and more.

The system dashboard delivers everything you’ll need in an easy to understand and digest presentation. It’s not just numbers and lists—it’s a clean and clear depiction of your process, including when and how your consumer requests are getting processed.

You’ll find neatly delivered graphs, sectioned and detailed with everything you need. PrivacyRun ecompasses consent management, data subject rights automation, personal data inventory and data mapping, all incidents of personal data breaches, and DPIA risk analysis. It covers both EU and US issues, and everywhere around the world where your data may arrive from or end up.

If you run several companies, we’ve got that covered too. Our compliance solution tool manages each organization independently, making sure you monitor and maintain your best practices, avoiding any failures in your data protection government.

Given the penalties of failing to adhere to regulations, can you afford not to have such a system in place?

And that brings us on to the CCPA GDPR differences in enforcement.

Enforcement of broken GDPR CCPA legislation

When it comes to enforcement, it’s not an area to be taken lightly. Those who fail to comply with the laws are at the hands of the US Attorney General and the National Data Protection Authorities.

Both authorities have different investigatory and enforcement powers, yet the fines are considerable, and avoidable with suitable best practices in place.

The difference between GDPR and CCPA fines are as follows:

The GDPR penalties for non-compliance can be up to 2% of the business annual turnover or €10 million, whichever is higher—or 4% of the global annual turnover or €20 million, whichever is higher.

The different fine rates depend on the violation under investigation.

The CCPA delivers civil penalties issued by a court, and, again, depending on the violation, you may be fined $2,500 for each accidental violation or $7,500 for each intentional violation.

There is no maximum amount set by the CCPA for the imposition of several penalties for each violation.

Interested in our solution?

Let's talk

Damages for individuals pursuing privacy violations

As if the penalties outlined above weren’t trouble enough, both bodies provide data subjects and consumers with the right to seek damages.

How is CCPA different from GDPR when it comes to costing violations? The GDPR allows action to be taken against any violation of the law, where the CCPA only provides cause for failure of security measures in context of data breaches.

The GDPR doesn’t outline potential figures for damages, that will be left to the adjudicating bodies.

The CCPA ruling only permits that non-encrypted and non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of security obligations.

The damages in such circumstances are to be no less than $100 or greater that $750 per consumer per incident, or a cost covered by actual damages—whichever is greater.

Conclusion

Looking into how GDPR vs CCPA chart their differences across their legislation, it’s easy to see plenty of similarities—but the overriding fact is that if you break the rules, you’ll pay for it.

Whether that’s missing deadlines for communication, selling data you shouldn’t, or failing to implement the correct information on your data collection points—they all add up to the same thing—costly penalties that you could have avoided.

PrivacyRun can help prevent all of that. It’s there to make sure you’ve got the systems to manage every piece of data and information within the remits of the law and the structures that govern them. If you don’t want to be caught short, then we suggest you speak to one of our team as soon as possible.

We put our all into everything we do. Because of that, we guarantee that our solutions are built to protect you—now, and far into the future.