CCPA (CPRA) Compliance for Startups

As a new business, it's crucial you understand which laws you must comply with to operate your startup legally. One such law is the California Consumer Privacy Act (CCPA/CPRA), California's equivalent of privacy laws such as the EU's GDPR and Canada's PIPEDA.

To ensure you grow your business without falling short of the privacy rules, here is everything you need to know about the CCPA and what you must do to ensure compliance as you start your company.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Add information about your business: your website and/or app, and select the country.
  4. Answer the questions from our wizard relating to what type of information you collect from your users.
  5. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

And you're done! Now you can copy or link to your hosted Privacy Policy.



The California Consumer Privacy Act

The CCPA (CPRA) helps California residents control what businesses do with their personal data. It also helps them limit how much personal information they share with those companies.

"Personal information" is defined in Section 1798.140, subsection (o)(1) as, essentially, any data you can use to identify a person or household, or data which can reasonably be linked to a specific person or household. This means a huge amount of data may be considered "personal," such as:

  • Names
  • Email and home addresses
  • IP addresses
  • Account login details
  • Purchase history
  • Browsing history

Depending on the nature of your startup, the type of personal information you collect varies. If you're unsure whether a piece of data may be "personal" or not, it's safest to assume that it's personal and treat it accordingly.

Who Must Comply With the CCPA (CPRA)

The businesses which must adhere to the CCPA (CPRA) are defined in Section 1798.140.

In simple terms, you're bound to comply with the CCPA (CPRA) if you are a for-profit company trading in California, you collect or process personal data belonging to California residents, and you also satisfy at least one of the following criteria:

  • Have a gross annual revenue exceeding $25 million
  • Buy or sell personal data belonging to 100,000 people or more
  • Earn at least 50% of your annual revenue from the selling or sharing of customers' personal data

At first glance, you might think the CCPA (CPRA) won't affect you as a startup. However, this is unlikely to be the case.

Individual Rights Under the CCPA (CPRA)

The CCPA (CPRA) gives California residents a number of specific rights concerning their personal data. Specifically, there are consumer rights you must be aware of if you're a startup preparing to handle personal information.

Right to Know

At or before the point of data collection, every customer has the right to know:

  • What type of personal data you collect
  • Why you're collecting this data
  • How you collect the data
  • Who you share the data with (e.g., third parties)
  • If you sell the information

The simplest way to set out this information for your customers is by providing a Privacy Policy, such as this one from ViacomCBS:

ViacomCBS Privacy Policy intro clause

A Privacy Policy is simply a statement of your company's data privacy procedures. We'll cover them in more detail below.

Right to Opt Out

According to Section 1798.120, every California resident has the right to stop you selling their personal information. You're expected to tell people this when they visit your website, and you must help them exercise their rights if requested.

We'll cover the notice requirements below, but for now just note that:

  • Every adult has the right to opt out of data sales
  • You can't knowingly sell data belonging to under-16s unless a parent or guardian (or the child, if they're verified as being over-13) expressly gives consent

So, adults have the right to opt out, but for children, the default position is that you can't sell their data unless the child or their guardian expressly opts in.

Right of Deletion

Your customers can ask you to delete their personal data from your records unless you need it for a legitimate purpose such as:

  • Completing a transaction
  • Complying with legal obligations
  • Investigating security incidents

You must inform people of their right to request deletion. The easiest way to do this is to include a clause in your Privacy Policy.

Here's an example from Walmart's "California Privacy Rights" policy:

Walmart California Privacy Rights Policy: Delete My Personal Information section

Right of Amendment

Customers can ask you to fix any inaccuracies in the data you hold on them. For example, this might be updating their address details.

You must comply with this request, if made, and you should make sure people know how they can contact you to request an amendment.

Walmart's Privacy Policy, for example, sets out its procedure for updating personal data in clear, simple language:

Walmart Privacy Policy: How Do You Access and Update Your Personal Information clause excerpt

Right to Non-Discrimination

You can't discriminate against a customer if they enforce their privacy rights under the CCPA (CPRA). For example, you can't charge customers different prices based on whether they let you sell their data.

However, you can still offer financial incentives, like discounts, in exchange for some personal data (e.g., a 10% discount for newsletter subscribers). This does not amount to discrimination under the CCPA (CPRA).

The rules are set out in Section 1798.125.

Levi's makes its non-discrimination policy very clear in its Privacy Policy:

Levis Privacy Policy: Non-discrimination and financial incentives clause excerpt

Right to Limit Use of Sensitive Information

California residents can ask you to limit how much "sensitive information" you collect on them to what's reasonably necessary (e.g., to fulfill a contract of sale).

Sensitive information is any data which reveals highly personal information such as credit card details, medical data, and racial or ethnic origin.

You should limit your collection of sensitive data to what is actually necessary to satisfy an intended purpose. For example, if you're processing a sale, you don't need someone's ethnicity, although you do need their credit card information to process payment.

CCPA (CPRA) Notification Requirements

The CCPA (CPRA) requires you to do two things:

  1. Draft a Privacy Policy and place it somewhere obvious on your website, and
  2. Include a clear, clickable link to your opt-out procedure as described above if you sell data

Have a Privacy Policy

A valid CCPA/CPRA-Compliant Privacy Policy must include clauses outlining:

  • What data you collect and why
  • Who you share the data with, if applicable
  • What rights customers have
  • How they can exercise these rights
  • How they can contact you

Never drafted a Privacy Policy before? Here are some tips for startups:

  • Use short, succinct paragraphs
  • Include a clickable table of contents so people can jump to relevant sections
  • Make sure the font is easily readable
  • Include links to other policies including your Do Not Sell Notice, Terms of Use, and Cookie Policy (if applicable)

Check out our CCPA (CPRA) Privacy Policy Checklist for more guidance.

Here are some examples from ViacomCBS's Privacy Policy. To start, there's a clear table of contents:

ViacomCBS Privacy Policy table of contents

The Privacy Policy includes a breakdown of the types of data the company collects, and why:

ViacomCBS Privacy Policy: What Information We Collect About You clause excerpt

There's also an explanation of how the company uses personal data:

ViacomCBS Privacy Policy: What Information We Collect About You clause excerpt

A separate clause lets users know who the company may share data with, and why that may happen:

ViacomCBS Privacy Policy: Who We Share Your Information With and Why clause excerpt

Crucially, there's a clear explanation of consumers' rights and how they may exercise these privacy rights. The use of bold text brings further attention to the specific rights:

ViacomCBS Privacy Policy: Your Choices Rights and Controls clause excerpt

There's also a specific section detailing California consumers' rights, and again, how these CCPA (CPRA) rights are exercised:

ViacomCBS Privacy Policy: Information about the Sale of Personal Information clause excerpt

In this same clause, ViacomCBS includes a link to its Do Not Sell page. In an additional clause, readers are informed of their right to opt out of the sale of personal data:

ViacomCBS Privacy Policy: Additional Information if You Are Located in California clause excerpt

Finally, there's a section of the Policy which includes the company's contact details so customers can contact them with any queries or concerns:

ViacomCBS Privacy Policy: How to Contact Us and Exercise Your Rights clause excerpt

If you're a startup, this is a great Privacy Policy to read in full for inspiration when creating your own. It's clear and concise, containing enough information to satisfy privacy laws without overwhelming the reader.

Have a "Do Not Sell My Information" Notice

If you sell personal data, your "Do Not Sell" notice must include the following:

  • An overview of the customer's privacy rights
  • How customers can opt out of data sale
  • A procedure for opting out

You can either include your Do Not Sell notice in your Privacy Policy or draft it separately. Just make sure to provide one.

Walmart, for example, has a link in its website footer that you can click to opt out of the sale of data:

Walmart website footer with Do Not Sell My Personal Information link highlighted

The Do Not Sell notice is also included in Walmart's CA Privacy Rights policy:

Walmart California Privacy Rights Policy: Stop Selling My Personal Information section

You should also tell people you plan on collecting their data before doing so by way of, for example, a pop-up notice when a customer first lands on your website. Be sure to include a link to your Privacy Policy and Do Not Sell notice, if applicable.

Always get legal advice if you're unsure how to draft a compliant Privacy Policy. Your startup's reputation could depend on it.

How to Comply With the CCPA (CPRA) as a Startup

Aside from providing a Privacy Policy and opt-out procedure, every company bound by the CCPA (CPRA) must do four other things to stay compliant.

Keep Your Privacy Policy Updated

Your Privacy Policy must be accurate and have up-to-date information at all times. Ideally, you should review your Policy at least once every 6-12 months, and always include a "last updated" section to draw customers' attention to potential changes.

Avoid Discrimination

Remember, you can't charge customers different prices just because they won't let you collect certain pieces of data or sell it to third parties. It's fine, however, to offer discounts or rewards as an incentive for doing things like signing up for a newsletter.

The Body Shop, for example, sends customers gift vouchers on their birthday if they sign up for the "Love Your Body Club." This means the customer gives the company information it wouldn't normally need to process a beauty transaction (their date of birth) in exchange for future rewards:

The Body Shop Loyalty Club sign up page

Under the CCPA (CPRA), reward schemes are okay. What you can't do, on the other hand, is refuse to allow someone to make a purchase because they won't give you their date of birth.

Use Reasonable Security Measures

Even as a startup, you must invest in sufficient cybersecurity mechanisms to protect any data entrusted to you. What's reasonable varies depending on the type of data you process (e.g., healthcare data requires stronger protection than, say, email addresses).

Examples of mitigations you might use include:

  • Multi-factor authentication
  • File encryption
  • Anonymization of data
  • Office CCTV
  • Network protection and antivirus software

Report Data Breaches

You must notify people, by way of a "Notice of Data Breach," if you believe their personal data has been compromised in any way. The notice must set out:

  • What happened (in general terms)
  • What data has been affected
  • When the breach occurred
  • How people can safeguard their personal data

Additionally, you must tell the Attorney General if the breach affects more than 500 people.

Penalties for Not Complying with the CCPA (CPRA)

For a new business, reputation matters. If you don't comply with the CCPA (CPRA), then you will lose customers' trust and struggle to attract new business. Aside from reputation damage, however, you could be fined:

  • Up to $2,500 for every accidental violation
  • Up to $7,500 for every deliberate breach

So, for example, even a handful of accidental violations depletes your startup budget, which makes it harder to grow your company in the long term.

If you're worried about CCPA (CPRA) compliance as a new business, it's worth getting legal advice at the outset to minimize the risk of exposing your company to CCPA (CPRA) fines.

Summary

Any for-profit business processing, collecting, or handling data belonging to California residents should comply with the CCPA (CPRA). To comply with the CCPA (CPRA), you must inform people of their right to:

  • Know you process personal data, and your reasons for doing so
  • Object to you selling their personal information
  • Request you delete their personal data
  • Be treated fairly, even if they object to you selling their data or ask you to delete it

You can comply with the CCPA (CPRA) by:

  • Drafting a Privacy Policy
  • Notifying people that you collect or process personal data
  • Providing a "Do Not Sell My Information" opt-out option
  • Using sufficient cybersecurity measures to protect data in your keeping
  • Reporting any data breaches as required

Any company, even a startup, which fails to comply with its obligations faces fines of up to $7,500 per violation, depending on whether it's an accidental or deliberate breach.