Imagine getting ready for CCPA compliance in a short period of time. GDPR compliance took you a lot of time and money. Now the CCPA (California Consumer Privacy Act) went into effect on Jan 1, 2020, and enforcement begins on July 1, 2020. You do not have much time. You have several other priorities as well. What if you could follow a simple step-by-step process to get ready for CCPA in one week?

Or even better: what if there is a complete guide for CCPA compliance, and each of these 17 steps is easy to follow and implement? Nearly all of these 17 steps cost you no additional money. You are probably eager to read and follow these steps.

 

 

This is exactly what I am going to share with you in this post. 17 practical and actionable steps that you could use for CCPA Compliance in One Week or Less.

…and once you are done, please share and comment on how long it took you to get ready for CCPA compliance using these 17 actionable steps.


1. Does CCPA compliance apply to your business?

Look, there are a lot of blogs out there that outline the law. They detail how CCPA applies to your business. For example, you are a business in California, and have a revenue of $25 Million or more, or have information about 50,000 California consumers. This is exhaustive.

Let’s make this as simple as an easy button:

Are you a non-profit company?

If your answer is Yes, and if your parent company is also a non-profit company, then save time and skip reading this entire blog, and go watch Netflix.

Is your business in any way related to California?

If your answer is No, then what are you still doing here? Go and play a round of golf. Let me explain my usage of the word related. It means your business is registered in California. Or, you have revenue from California consumers. Or, you pay any taxes in California. Or, you own any property in California. Now, the next questions get a bit tricky….

Is your annual revenue in the next twelve months more than $25 Million?

If your answer to this is Yes, then skip this section and move to step 2. I simply ask you to start taking action. You now have one more urgent project. This question is tricky because it may not be California based revenue. Rulemaking from California AG is completed. It is fair to assume $25 Million in total revenue.

Based on your current projections if your annual revenues are likely to exceed $25 Million, then you must have CCPA compliance. My recommendation is to start taking action if your revenues are likely to exceed $20 Million.

Do you have more than 961 visitors on your website from California in the last 7 days?

This is easy to check.

  1. Login into your Google Analytics
  2. Navigate to Geo -> Location and Click on California
  3. Select last 7 days timeline for the report
  4. Check the number of users when you move your cursor to California
  5. Is this number more than 961?

Does your company need CCPA compliance? Determine that by the number of users on Google Analytics. If your answer is Yes, then skip this section and move to step 2. Start taking action. If you do not use Google Analytics, then check for this with your web marketing team.

Do you have more than 50,000 customers in California? Check your CRM.

If you have access to your CRM system, then login to your CRM system. Create a report that includes contacts, leads, for the past 12 months. Filter this report for California. Get a total count. Does this count exceed 50,000? If the answer is Yes, then skip this section and move to step 2. And, start taking action.

Or alternately check your email marketing system like MailChimp. Do you market and send your newsletter or emails? Do you send emails to 50,000 email addresses that are likely located in California? If the answer is Yes, then start taking action.

Are you still reading this section?

Are you a software company dealing in data as the new oil? Boy-o-boy. We can send you a pdf version of this blog. Get a cup of coffee. Start taking action.

2. Deploy CCPA privacy request intake on your website

Privacy requests are new. Your business is required to provide this on your website. Either a web form, phone number, email address, or a mailing address. You could do a combination of one or two of these mechanisms. Check out our detailed blog on CCPA Privacy Request Management.

No business can estimate the number of requests. Plan for 5-10% of your users to send privacy requests. We stay optimistic and expect a much lower request intake in 2020.

Option 1: Create a web form similar to this and deploy it on your website.

Do you have a WordPress website? Simply deploy a forms plugin – WPForms or Ninja Forms.

Create a form for CCPA privacy intake and manage your requests using WordPress. Include basic email verification. Here is an example form:

CCPA Compliance Privacy Request Intake Form


Option 2: Sign up to InfoSecEnforcer.com

The app is easy to setup. It scales your workflow. InfoSecEnforcer provides 13 pre-built email templates. And, it is free to use.

Option 3: Sign up to one of several vendors

Several vendors started with GDPR. They also support CCPA. While many of them provide free trials, as of this update, none of them provide free intake management software. InfoSecEnforcer.com delivers a free app.

Option 4: Review this blog and create your own privacy request management system

Enough said. Need more information on how to manage the intake of privacy requests? Check our blog. Time to move to the next section.

3. CCPA Compliance needs categories of data you collect

CCPA (California Consumer Privacy Act) provides the requester a right to know categories of data you collect. Reach out to your digital marketing team for any help. List all the categories of data you collect. Let’s get started.

Here is a sample list of categories that you could use:

  • Internet or network activities
  • Device-specific information
  • Commercial information (ex: orders, history, credit card data, etc.)
  • Identifying information (ex: email, phone, etc.)
  • Health information
  • Biometric information
  • Fitness information
  • Professional or employment-related information
  • Educational information
  • Geolocation information
  • Audio/Video information
  • Automotive information
  • Information users share
  • Information to process privacy requests

Now create your own list of categories. The next step is to create an email template that lists the categories of personal information your business collects. Why should you create email templates? Email templates are important to deliver consistent responses to consumers. Here is a sample email template:

Subject:  Privacy Request – Categories of Information Collected 
Message:
Hi {Name},
We received a privacy request from you regarding the categories of personal information we collect. We collect the following categories of information:
- Internet or network activities
- Device type information
- Commercial information (ex: orders, history, credit card data, etc.)
- Identifying information (ex: email, phone number), and
- Information to process the privacy requests

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

You may have to create multiple email templates for each requester type. Each of these templates may differ on categories of information collected.

4. List reasons for collecting data by category

CCPA provides the requester a right to know why your business is collecting data. A few businesses collect data to sell as data brokers. Get started. Let’s make it a simple one-time process. You may need help from your digital marketing team. Here is a simple list of all the reasons for collecting data. Get started.

Please use this list to get started with your own list.

  • To Enforce Policies, Terms, and Conditions
  • To Track and Monitor Website Usage
  • To Analyze Website Visitor Behavior
  • To Improve Website Performance
  • To Improve Visitor Engagement
  • To Service Customers
  • To Provide Sales and Support
  • To Answer Questions or Address Requests
  • To Evaluate Suitable Candidates for Jobs
  • To Create User Accounts
  • To Communicate Marketing and Sales Promotions
  • To Communicate Company Policy Information
  • To Fill and Manage Sales Orders and Support Requests
  • To Write Testimonials
  • To Deliver Advertisements
  • To Get Customer Feedback
  • To Share Data With Data Brokers
  • To Aid in Research
  • To Aid in Behavioral Analysis
  • To Process Privacy Requests

Create an email template to communicate with the requester

Here is an example. You may have to create multiple email templates.

Subject: Privacy Request - Collection Purpose
Message:
Hi {Name},
We received a privacy request from you regarding the purpose of collecting personal information. Our purpose of collecting your personal information is as follows:
- To Communicate Marketing and Sales Promotions
- To Communicate Company Policy Information
- To Fill and Manage Sales Orders and Support Requests
- To Write Testimonials
- To Deliver Advertisements
- To Get Customer Feedback
- To Enforce Policies, Terms, and Conditions
- To Share Data with Data Brokers

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

5. List all sources of data collection

CCPA provides the requester a right to know sources of data you collect. Reach out to your digital marketing team and list all data sources. Let’s get started.

This is a sample list to get started.

  • Laptops and Desktops
  • Websites
  • Desktop Apps
  • Web Apps
  • Mobile Apps
  • Shopping Carts
  • Phone Calls
  • Fitness Devices
  • Mobile Devices
  • Video Streaming Devices
  • Medical Devices
  • Smart Speakers
  • Smart Toys
  • Security Cameras
  • Wifi Routers
  • Automotive Sensors
  • Smart Sensors & Scanners
  • Tablets
  • Data Services
  • 3rd Party Data Brokers
  • Social Media Platforms
  • Advertising Platforms

Create an email template

Use this example email template.

Subject: Privacy Request - Sources of information collection
Message:
Hi {Name},
We received a privacy request from you regarding the sources of collecting personal information. Our sources of collecting your personal information are as follows:
- Laptops and desktops
- Websites
- Desktop apps
- Web Apps
- Shopping cart
- Phone calls

Please do not reply to this email. If you need to send another privacy request, please visit this link.

Thank you!
{Company Signature}
CompanyABC Privacy Team
www.CompanyABC.com

6. Scan your website and list all the cookies used

Do you have cookies on your website? Nearly all those cookies collect personal information. CCPA compliance requires you to know all your cookies. Why?

  1. Provide a detailed notice of data collection
  2. Service Opt-Out, privacy request
  3. Service Delete My Personal Information, privacy request
  4. Provide personal information stored in these cookies

Note: CCPA does not require you to create an opt-in for cookie tracker similar to GDPR. COPPA and opt-in apply for children.

With the cookie list, you can start an inventory to map the data. Use one of these free tools to learn your cookie data stores and discover all the cookies your website is generating. Scanners generate reports that identify and classify the cookies discovered in this process. As a next step, click one of these tools and get a detailed report.

You may create your own cookie scanner using this open source project.

Read more about CCPA cookie consent management here.
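The scan-and-classify step described above, as an added example (not code from this post or from the open source project it mentions): it parses Set-Cookie headers captured from a crawl of your own site, classifies each cookie as first or third party, and emits rows for a cookie inventory. The sample headers, the `companyabc.example` domains and the suffix-match rule for first-party domains are assumptions.

```python
from dataclasses import dataclass

# Constructed sample input: (host that sent the response, raw Set-Cookie value).
# In practice these pairs come from a crawl or HAR export of your own website.
CAPTURED = [
    ("www.companyabc.example", "session_id=abc123; Path=/; HttpOnly; Secure"),
    ("www.companyabc.example",
     "_ga=GA1.2.111.222; Domain=.companyabc.example; Max-Age=63072000; Path=/"),
    ("stats.tracker.example",
     "uid=9f8e7d; Domain=.tracker.example; Max-Age=31536000; Secure; SameSite=None"),
    ("cdn.adnetwork.example",
     "seg=a1b2; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
]

# Assumption: the domains your business controls. A production scanner would
# use the Public Suffix List instead of this plain suffix match.
FIRST_PARTY = {"companyabc.example"}


@dataclass(frozen=True)
class CookieRow:
    name: str
    where_stored: str  # domain the browser sends the cookie back to
    third_party: str   # "Y" or "N"
    lifetime: str      # "session" or "persistent"
    secure: bool


def parse_set_cookie(raw):
    """Return (name, attrs) for one Set-Cookie value; attribute keys are lowercased.

    The cookie value is dropped on purpose: it may itself be personal
    information and does not belong in an inventory report.
    """
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    if not parts:
        return "", {}
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def is_first_party(domain, first_party):
    """True when the domain is one of ours or a subdomain of one of ours."""
    return any(domain == d or domain.endswith("." + d) for d in first_party)


def build_inventory(captured, first_party):
    """Deduplicate cookies by (name, domain) and classify each one."""
    rows = {}
    for host, raw in captured:
        name, attrs = parse_set_cookie(raw)
        if not name:
            continue  # malformed header with no cookie name
        # Without a Domain attribute the cookie is host-only.
        domain = attrs.get("domain", "").lstrip(".").lower() or host.lower()
        persistent = bool(attrs.keys() & {"max-age", "expires"})
        rows[(name, domain)] = CookieRow(
            name=name,
            where_stored=domain,
            third_party="N" if is_first_party(domain, first_party) else "Y",
            lifetime="persistent" if persistent else "session",
            secure="secure" in attrs,
        )
    return sorted(rows.values(),
                  key=lambda r: (r.third_party, r.where_stored, r.name))


if __name__ == "__main__":
    for row in build_inventory(CAPTURED, FIRST_PARTY):
        print(f"{row.name:12} {row.where_stored:26} {row.third_party}  "
              f"{row.lifetime:10} secure={row.secure}")
```

The administrator for each cookie still has to be filled in by hand; nothing in the headers identifies who owns the integration.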

7. List all Cloud and internal apps that store personal information

Data mapping is a secret ingredient to achieve CCPA compliance. CCPA compliance requires:

  1. Where you store data (personal information)
  2. How you process this data
  3. Who you share this data with

Step 1 kicks off your data mapping process for the purpose of CCPA compliance. From the previous sections you have the list of cookies on your website. Use this table to document where your cookie data is stored. Nearly all cookies capture personal information.

| Cookie Name | Where Stored | Name of Admin | 3rd Party (Y/N) |
| --- | --- | --- | --- |
| Google Analytics | Analytics.Google.com | John Doe | Y |
| Automattic Inc. | WordPress.com | Jane Doe | Y |
| comScore Inc. | ComScore.com | John Doe | Y |
| Fusio | S4m.io | Jane Doe | Y |

To get all these templates and the entire blog as a Word document, contact us.

Next up, list all cloud applications your business uses. The following table helps you document all your cloud applications.

| Cloud App Name | Name of Admin | Personal Information? |
| --- | --- | --- |
| Salesforce.com | John Doe | Y |
| WorkDay.com | Jane Doe | Y |
| Office365.com | John Doe | Y |
| DropBox.com | Jane Doe | Unsure |
| Slack.com | John Doe | Unsure |

Your business has many internal applications. These may be developed internally or be 3rd party licensed software. These may be in your own data center or in your private cloud instance. The following table helps you document your internal applications.

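| Internal App Name | Name of Admin | Personal Information? | 3rd Party? |
| --- | --- | --- | --- |
| Microsoft Exchange | John Doe | Y | Y |
| Quicken | Jane Doe | Y | Y |
| Kronos | John Doe | Y | Y |
| WordPress | Jane Doe | Unsure | N |
| InventoryMS | John Doe | Unsure | N |
| CoupaSoftware | John Doe | Y | Y |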

All done? Hooray!! For CCPA compliance listing the apps is yet another critical step, and that helps with data mapping.

  1. List all stores of personal information
  2. Data discovery
  3. Starting point to address privacy requests for data, delete data, etc.
  4. Review 3rd party vendor agreements (see below)

8. Review privacy clauses in your service provider or partner agreements

Why? CCPA holds you responsible for all the personal information you store. It does not matter where and which 3rd party touches your personal information. For CCPA compliance it is now necessary to enforce 3rd party CCPA compliance. Third party CCPA compliance implies answers to the following simple questions:

  1. List all stores of data we share with you
  2. How do you encrypt personal information or anonymize it?
  3. Do you have a process to detect and communicate data breaches?
  4. Do you have tools to identify, monitor, and delete personal information?

This may look like a lot of work with each 3rd party. Doing this will ensure protection from liability.

Can one single step solve this?

Yes. Execute an amendment to your current agreement with each of the 3rd parties. Include the following clause in your amendment. (Please consult your attorney.)

Covenant to SafeGuard Digital Information and CCPA compliance.

(a) Covenant. Company (3rd party vendor) and any affiliate of the Company each covenant to safeguard Personal Information (as defined in CCPA California Consumer Privacy Act – AB 375), and to institute a procedure, practice, or technology that safeguards Digital Information, from any digital means (not limiting to personal, network, or cloud means) used by the Company, any subsidiary, any affiliate, or any employee of the Company.

(b) Data breach or attempt to steal by a person(s) or machines or bot(s). This covenant shall include data breach prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c) Report data breaches, attempts. The Company shall provide a periodic report(s), no longer than each six (6) months of the data breach incident, or an attempt to steal any or all Digital Information. The incident report of a data breach or attempt to steal such Digital Information shall at the minimum, include date and time of the incident, the location of the incident, details of specific Digital Information involved in the incident, the person(s) or bot(s) responsible for the incident, among other information related to the incident. At the discretion of the Company, any data breach or attempt to steal highly confidential information shall be reported immediately.

(d) Privacy APIs and CCPA Compliance. The Company shall institute a procedure, practice, or technology that addresses privacy requests. These include but are not limited to access to all personal information (a minimum of two times a year), acknowledgement to delete specific personal information, acknowledgement to stop sale (or license) of specific personal information to other 3rd parties.

Execute this amendment with each of your 3rd parties for CCPA compliance.

9. Review privacy clauses in your customer agreements

Uh!! What? Why should we amend our agreements with our customers?

This is specifically important for software vendors or (digital) marketing companies. Your customers need to be ready for CCPA compliance. And they are seeking answers to these questions:

  1. Where do you store personal information?
  2. How do you encrypt personal information or anonymize it?
  3. Do you have a process to detect and communicate data breaches?
  4. Do you have APIs to identify, and delete personal information?

Be proactive.

How? Execute an amendment to your current agreement(s) with each of your customers. Include the following clause in your amendment. (Please consult your attorney.)

Covenant to SafeGuard Digital Information and CCPA compliance.

(a) Covenant. Company (“Your Company”) and any affiliate of the Company each covenant to safeguard Personal Information (as defined in CCPA California Consumer Privacy Act – AB 375), and to institute a procedure, practice, or technology that safeguards Digital Information, from any digital means (not limiting to personal, network, or cloud means) used by the Company, any subsidiary, any affiliate, or any employee of the Company.

(b) Data breach or attempt to steal by a person(s) or machines or bot(s). This covenant shall include data breach prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c) Report data breaches, attempts. The Company shall provide a periodic report(s), no longer than each six (6) months of the data breach incident, or an attempt to steal any or all Digital Information. The incident report of a data breach or attempt to steal such Digital Information shall at the minimum, include date and time of the incident, the location of the incident, details of specific Digital Information involved in the incident, the person(s) or bot(s) responsible for the incident, among other information related to the incident. At the discretion of the Company, any data breach or attempt to steal highly confidential information shall be reported immediately.

(d) Privacy APIs and CCPA Compliance. The Company shall institute a procedure, practice, or technology that addresses privacy requests. These include but are not limited to access to all personal information (a minimum of two times a year), acknowledgement to delete specific personal information, acknowledgement to stop sale (or license) of specific personal information to other 3rd parties.

Execute this amendment with each of your customers for CCPA compliance. You will have an enhanced strategic relationship with your customers. The following sections detail out steps your business needs to do to address these. The result is CCPA compliance and avoiding both civil suits and regulatory penalties.

10. Review the privacy policy on your website

Your website or mobile app privacy policy review for CCPA must include the following:

  1. Information collected on your website
  2. Information on cookies that collect information
  3. Usage of information collected on your website
  4. Category of 3rd parties used to collect information
  5. Do you share information collected with other 3rd parties?
  6. How you store, and safeguard the data

Of course, contact your attorney. Also, several web services generate privacy policies relevant to you. Please review these services:

  1. Termly
  2. Free Privacy Policy
  3. Terms Feed
  4. Privacy Policy Generator
  5. FirebaseApp Policy Generator
  6. Iubenda

While most of the above are for GDPR, you could modify these for CCPA. The key element in reviewing your privacy policies is to ensure that you have two versions of the privacy policy:

  • Legal version, and
  • Simple version in plain English

All done? The next step is to send notices with your updated privacy policy.

11. Send notices to partners with the updated privacy policy

Why? We just amended agreements with partners to include – ‘Covenant to Safe Guard Digital Information and CCPA compliance’. What is this new privacy policy update notice? A notice should be sent in two forms:

  1. A letter
  2. An email

Create a notification letter, and use the same content in your email as well. Ensure consistency in both the notices. Provide URL links to both the simple version and the legal version.

Step 1: Get a list of addresses (both postal addresses and email addresses)

Step 2: Send out the postal letter, typically addressed to the legal counsel or the President of the company

Step 3: Send out an email (use mail merge)

12. Send notices to customers with the updated privacy policy

Now that you sent out notices to all your partners it is time to repeat this process with your customers. It is likely that you have more than a few thousand customers.

For a large number of customers, it is indeed expensive to send letter notification. Each letter notification is likely to cost you anywhere in the range of $2.00 to $0.50. This could get expensive fairly quickly.

We recommend that you start only with email notification for customers. Please have a way to track the number of opens. Send weekly notifications only to those who have not opened the email. Repeat these weekly notifications till you reach at least 30-50% opens. This would likely take about 10-15 weeks. Ensure that you keep a record of this process.

13. Vendor risk assessment

Let’s review step 8 above. In step 8, you created a CCPA compliance amendment for execution by each vendor. It is likely that you are able to get 80% of your vendors to sign this amendment. However, this is not enough. There is still a risk of penalties or class-action lawsuits. It is an operational risk.

The vendor has likely executed the amendment. Is there a way to check their CCPA compliance? This is the tough part. So, you need vendor risk assessment. There are two areas of vendor risk assessment for CCPA.

Area 1: Vendor security risk assessment. How vulnerable is the vendor for data breaches? Making this assessment on a vendor is a difficult operational problem.

Area 2: Vendor privacy request compliance assessment. How well does the vendor comply with the request for personal information? How well does the vendor comply with the request for deletion of data? How well does the vendor comply with the request to not sell personal information?

Several companies offer services to make a 3rd party vendor security assessment for GDPR compliance. The market is still evolving. The following resources provide vendor risk assessment for GDPR compliance. This could be easily extended to CCPA compliance.

  1. ProcessUnity
  2. OneTrust
  3. WireWheel
  4. SecurityScoreCard
  5. IAPP.org

This step is unlikely to be fully automated. Get started and you could make improvements over time.

14. Privacy APIs to access data for Privacy Requests

What are privacy APIs? Privacy APIs are an API framework to address privacy requests. Privacy APIs are new. They are often untested. Three types of privacy requests require privacy APIs. These requests require personal information of the requester:

  1. Request to access all my personal (requester’s) information
  2. Request to delete all my personal (requester’s) information
  3. Request to not sell my personal (requester’s) information

Privacy APIs enable easy and automated access to data in cloud applications. This framework could easily be extended to your business’ own data. (For more information on how to get started with Privacy APIs, please contact us.)
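One way the three request types above can be fanned out across the applications listed in step 7, as an added example (not code from this post, from InfoSecEnforcer, or from any vendor's API). `DictStore`, `fan_out`, `requester_ref` and the sample records are hypothetical; the store names are only labels borrowed from the step 7 sample tables.

```python
import hashlib
from enum import Enum


class RequestType(Enum):
    ACCESS = "access"            # request to access all my personal information
    DELETE = "delete"            # request to delete all my personal information
    DO_NOT_SELL = "do_not_sell"  # request to not sell my personal information


class DictStore:
    """Hypothetical connector for one app in the inventory, backed by a dict.

    A real connector would call the application's own API; this one keeps
    records in memory so the example runs offline.
    """

    def __init__(self, name, records, supported=frozenset(RequestType)):
        self.name = name
        self.records = {k.lower(): dict(v) for k, v in records.items()}
        self.supported = frozenset(supported)
        self.opted_out = set()

    def handle(self, rtype, email):
        if rtype not in self.supported:
            raise NotImplementedError(rtype.value)
        if rtype is RequestType.ACCESS:
            return self.records.get(email)  # None when nothing is held
        if rtype is RequestType.DELETE:
            return self.records.pop(email, None) is not None
        self.opted_out.add(email)  # recorded even when no record exists yet
        return True


def requester_ref(email):
    """Pseudonymous reference so the audit trail does not repeat the email."""
    return hashlib.sha256(email.encode("utf-8")).hexdigest()[:16]


def fan_out(rtype, email, verified, stores):
    """Run one verified request against every store; return (results, audit)."""
    if not verified:
        # Unverified requests never reach the data stores.
        raise PermissionError("requester email has not been verified")
    email = email.strip().lower()
    results, audit = {}, []
    for store in stores:
        try:
            out = store.handle(rtype, email)
            if rtype is RequestType.ACCESS:
                status = "found" if out is not None else "no_data"
            else:
                status = "done" if out else "no_data"
        except NotImplementedError:
            out, status = None, "manual"  # no API: route to the app's admin
        except Exception:
            out, status = None, "error"   # one outage must not hide the rest
        data = out if rtype is RequestType.ACCESS else None
        results[store.name] = {"status": status, "data": data}
        audit.append((requester_ref(email), rtype.value, store.name, status))
    return results, audit


def sample_stores():
    """Constructed sample data for three applications."""
    jane = {"jane@example.com": {"name": "Jane Doe", "phone": "555-0100"}}
    return [
        DictStore("Salesforce.com", jane),
        DictStore("Office365.com", {}),
        DictStore("InventoryMS", jane, supported={RequestType.ACCESS}),
    ]


if __name__ == "__main__":
    stores = sample_stores()
    for rtype in RequestType:
        results, _ = fan_out(rtype, "Jane@Example.com", True, stores)
        print(rtype.value, {name: r["status"] for name, r in results.items()})
```

A store that reports `manual` has no API for that request type, so the request goes to the administrator recorded for it in the inventory.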

Now you have got through 14 steps. It is time to address security.

Security is not equal to privacy; and privacy or CCPA compliance does not equal security. Security is one part of privacy.

One key area of CCPA compliance is preventing data breaches. CCPA or AB 375 states

“Any consumer whose nonencrypted or nonredacted personal information … is subject to unauthorized access, theft, or disclosure … result of the business’ violation of the duty to implement and maintain adequate and reasonable security procedures and practices … may institute a civil action…. recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater…”

California Consumer Privacy Act – AB 375

There are several security procedures and practices. DLP, data loss prevention, is a key tool. Data Loss Prevention includes end point protection and network protection.

15. Prevent data breaches from your endpoints

Why do you need endpoint Data Loss Prevention? As part of CCPA compliance, you need to maintain adequate security to prevent loss or theft of personal information. End points (desktops, laptops, and mobile devices) are vulnerable to data theft or exfiltration. End point DLP provides reasonable security to prevent such a data breach.

Do you deploy anti-virus protection on all your end points? End point Data Loss Prevention is similar in deployment. Here is a sample list of vendors that provide end point DLP.

Contact us to deploy end point DLP for CCPA compliance.

16. Prevent data breaches from within your network

Have you secured the endpoints? Awesome. It is time to pay attention to rest of your network. Your business needs the ability to proxy, classify, and prevent any unauthorized exfiltration. Benefits of network Data Loss Prevention include:

  • Control traffic on email, HTTP(S), (s)FTP, webmail, web apps, and more
  • Control clear as well as SSL based applications
  • Enforce policies
  • Reduce false positives
  • Prevent insider threats as well as threats from bots
  • Provide forensics where required

Here is a small list of network Data Loss Prevention solutions:

  1. InfoSecEnforcer
  2. Symantec
  3. Digital Guardian
  4. Force Point
  5. McAfee

Deploying one of these above solutions implies CCPA compliance. You will also have the ability to fend off any civil suits resulting from potential data breaches.

17. Office 365 DLP to prevent breaches from O365

Office 365 is one of the most widely used applications. Deploying end point DLP and network DLP is not sufficient to prevent exfiltration from Office 365.

Why? Because Office 365 is a cloud application and can be accessed using uncontrolled end points. At $2 per user per month, this is an easy deployment and can be completed in less than a week. Depending on your budget you may just deploy Office 365 DLP and phase in end point DLP and network DLP.

Read more about Office 365 DLP here.

Mobile apps such as FaceApp must address user concerns on privacy and security. FaceApp has gone viral and is now used by nearly 150 million users. That is nearly twice the number of users impacted by Cambridge Analytica. This should be a major privacy concern for users. US presidential campaigns are likely to ban the use of FaceApp or similar apps.

So, the press is really hot about FaceApp because of the Russia connection. Like most entrepreneurs, the founder Yaroslav Goncharov wants the virality but not the privacy questions. He likely did not pay much attention to the privacy policy, until now. See the complete statement from him at the bottom of this article.

Often naysayers say the following:

  • Scaremongering privacy freaks
  • Users trade some privacy for vanity features
  • It is up to Apple, Google, and Facebook to remove apps that violate their policies
  • GDPR / CCPA are over-regulation
  • Press and journalists crush innovation
  • Nearly all mobile apps have similar privacy policy

Let's get into this in detail and review the privacy policy of FaceApp. In my opinion, FaceApp privacy policy has severe security and privacy risks.

Information collected

FaceApp, like most apps, collects user information provided by the user. They usually keep this information for an extended period of time. I believe the photos collected by FaceApp are valuable data for AI and machine learning; it is likely that the company stores this information. The original uploaded picture is usually considered owned by the user. Any transformation may be considered derivative works and likely owned by FaceApp.

Images and derivative works are highly valuable for AI-based facial recognition, and training the algorithms for facial recognition or other purposes.

The history of edits, modifications, transformations, and other actions provided by FaceApp will also be stored. These are likely considered owned by the company as it is an action done as part of the app. It is very likely that each user is making several modifications to the pictures before they share the final picture with their friends or on social media. Resulting intermediate images are likely considered derivative works owned by FaceApp.

Third-party analytics such as Google Analytics, CloudFlare, and other tracking cookies are used by FaceApp. These analytics may not directly relate the web visit history to the specific user. However, with additional cookies and device identifiers, the company can easily sell/share detailed user information to advertisers. Learn more about tracking cookies and user consent here.

Device identifier information is easy to obtain in mobile apps. It is simply a few lines of code when the app fires up. Any app could create its own device identifiers when first installed. The result is a detailed history of app usage, duration of time spent in the app, what was done, when, and how. This information combined with the user metadata collected is a treasure for advertisers.

To all the naysayers who say – this is typical of any mobile or web app. They are correct. This information collection is similar to other mobile or web apps.

Use of information collected

The main stated purpose of information collection by FaceApp is product enhancements. This is common to other mobile and web apps. Often mobile and web apps collect information to improve the service, enhance features, add new features, highlight useful features, test new features, or fix problems while they occur.

Marketing and advertising: Unlike several popular mobile and web apps, FaceApp expressly states that “provide personalized content and information to you and others, which could include online ads or other forms of marketing”. The others could imply anyone, including nation-state actors such as Russia, China, and others.

To all the naysayers who say – why will the company share the data with Russia? See my additional commentary below in jurisdiction.

Automated updates: The information is used for automated updates. While this may look benign, just imagine that FaceApp is constantly connecting to its servers in the background even when it is not being used. The information shared by FaceApp in the background is not visible. This may not directly include location data, but tracking cookies can easily provide proximity data. In my opinion, mobile apps must by default ask for user permission to check for updates and to perform updates.

Sharing of information

We will not rent or sell your information to third parties outside the group of companies which FaceApp is part of, without your consent, except with whom we share it.

FaceApp privacy policy

FaceApp creates an exception with the following:

  • Affiliates of the group of companies they belong to (there is no listing of these companies or the group)
  • Affiliates have similar rights as FaceApp
  • Marketers and advertisers
  • 3rd party advertising partners
  • Ad networks
  • Service providers (usually most mobile and web apps store information with service provider and do not actively share information with service providers)
  • And, if we get acquired, the acquiring company will have all the information

This can be read in two ways. One, that says this is a responsible company and will responsibly share information. Two, if this is not a responsible company or the company gets pushed around they may sell / share / license or otherwise make money whichever way they see possible including licensing the information to nation-state actors (see jurisdiction below).

Data sovereignty and jurisdiction

Why do sovereignty and jurisdiction matter? This is indeed the right question to ask. Let’s compare a viral mobile app from a company in California with this viral mobile FaceApp. Let’s assume they have similar information collection, use, and sharing terms. So, a level playing field.

For the mobile app in California, existing privacy laws and CCPA come into effect. A side note: current privacy laws could not do much about the Cambridge Analytica scandal, and Facebook got slapped with a small $5 Billion fine for lax compliance. CCPA, similar to GDPR, provides better control to the consumer:

  • Ask for details on how the information is used
  • Ask for details on 3rd party companies information is shared with
  • Ask to be forgotten
  • Ask to not sell information
  • Penalties on data breach or data loss
  • Penalties on non-compliance (up to $7500 per violation)

FaceApp does not have any of the above compliance requirements. Today, FaceApp does not state compliance with any of the privacy laws. To be considered a responsible company with user information, FaceApp must voluntarily incorporate these policies. It must provide an easy way for its users to exercise their privacy rights. Today, FaceApp asks the users to send them an email to exercise the right to be forgotten. This is not sufficient.

We may share information in response to legal requests from jurisdictions outside the United States.

FaceApp privacy policy

Let’s assume the Russian government serves a warrant for user information. Will FaceApp founder(s) risk going to jail vs. fighting for the users’ privacy? For the viral mobile app in California, there is precedent that the company does fight for the privacy rights of users. The state and federal courts do provide protections.

So what’s next

Stop using FaceApp or other apps with similar terms or jurisdictional issues. Use web or mobile apps that have a clear and responsible privacy policy. One that includes a user provision for privacy requests.

Here is a full statement from FaceApp regarding their privacy policy:

We are receiving a lot of inquiries regarding our privacy policy and therefore, would like to provide a few points that explain the basics:

1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.

2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.

3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.

4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.

5. We don’t sell or share any user data with any third parties.

6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.

Additionally, we’d like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos (for example, https://twitter.com/joshuanozzi/status/1150961777548701696).  We don’t do that. We upload only a photo selected for editing. You can quickly check this with any of network sniffing tools available on the internet.

Source: FaceApp


What is CCPA Compliance?

California Consumer Privacy Act or CCPA protects the right to privacy of California residents in accordance with the AB 375 starting Jan 1, 2020. CCPA compliance implies companies, websites, and web & mobile apps taking the following steps:

  • Respond to privacy requests of California residents
    • Provide a privacy request form similar to contact us form
    • Verify privacy requests & automate verification
    • Automate request processing workflow
    • Get approvals for specific requests
    • Provide a way to opt-out of website cookie tracking
  • Secure and safeguard personal information
  • Provide clear, readable privacy notice
  • Provide privacy APIs to (applies to b2b web & mobile apps):
    • Access personal information
    • Delete personal information
  • Modify vendor agreements to include privacy provisions
  • Modify data licensing agreements to include privacy provisions
  • Identify all sources of personal information (past 12 months)
  • Identify all parties with whom you shared personal data (past 12 months)

Does CCPA compliance apply to my business?

The underlying question is does my business have to spend the money and resources for CCPA compliance? You have to answer – yes, to one of the following questions:

  1. Do you own a website that attracts 4200+ unique California residents per month?
  2. Do you own a CRM or email list or other systems that has 50,000+ California residents combined?
  3. Do your annual gross revenues exceed $25 Million?
  4. Are at least 1/2 of annual revenues generated from licensing or selling personal data?

If your answer to any of the above questions is yes, then your business needs CCPA compliance. There is no single approach to CCPA compliance. Like any law, you need to do the minimum required to ensure that you reduce the risk of penalties and lawsuits. There are exceptions. Despite exceptions, we recommend CCPA compliance because these exceptions have not been tested. For example, a health care provider is likely to be exempt from CCPA compliance because of HIPAA rules. However, website visitors are not covered under HIPAA (not personally identifiable) but are covered under CCPA. Disclaimer: We are not attorneys and we strongly recommend that you consult your attorney for specific nuances in the law and its compliance.

What are the risks under CCPA?

Lack of CCPA compliance has two drawbacks or risks. One of the risks is from the California Attorney General (AG). The California AG may impose a fine of up to $7,500 per violation. Is it likely that your business attracts these fines? Starting July 2020, the AG is expected to initiate action. The CA legislature has not provided any additional funds to the AG for action. These fines are pooled into a privacy fund, to initiate future actions by authorized prosecutors across California.

The second risk is the private right of action by California consumers. In plain English, class action lawsuits. These are highly likely to be triggered because of a data breach. Data breaches are up 54% in the first half of 2019. When your company experiences a data breach, you have to notify your state. It is now publicly available information. The likelihood of a subsequent class action in a California court is very high.

It is a good business practice to protect your business from a data breach. This should be a part of your IT and security budget today. The additional budget you need is for privacy request management. It is clear that automating privacy request processing is the right approach. The first and most inexpensive step is to put up a privacy request form on your website, which will likely cost you less than a few hundred dollars a month. Your business will have nearly 100 days to respond to any advanced privacy requests.

In this guide, you will understand the details of privacy request processing and workflow. Additionally, you will 1) Find a list of CCPA privacy request management vendors; 2) Evaluate the pros and cons of building your own or using a vendor; 3) Find tips and recommendations for workflow automation; and 4) Calculate your risk vs. budget for processing privacy requests. After reading this guide, you will be ready to start implementing CCPA compliance.

  • What is CCPA compliance?
  • Do you need to implement CCPA compliance?
  • How to budget for CCPA compliance?
  • How do you choose the vendor?
  • Should you outsource CCPA compliance processing?
  • How much does it cost?
  • Should you extend your security resources for CCPA?
  • Who takes ownership of CCPA compliance – marketing, legal, or IT?
  • What are the steps beyond privacy requests to be fully CCPA compliant?
  • And, learn some tips on data breach prevention…

First a few simple definitions. A privacy request is a request to execute the right to privacy as defined in the CCPA. Another term being used is DSAR – data subject access request. Privacy request is a better term because the request is about privacy including a request for access to data. DSAR is more specific to request for access to personal information. Under CCPA, a requestor is a person who is a California resident. Types of privacy requests and types of requestors are defined in sections below.

CCPA compliance - Privacy requests
CCPA Privacy Request Processing

Step 1: Deploy a Privacy Request Form on Your Website

The first step to addressing privacy requests is to create a privacy request form on your website. This form must have the following fields:

  • Name (required field)
  • Email (required field)
  • Phone number (optional)
  • Type of privacy request (select one from list)
    • Collection purpose (default)
    • Data categories
    • Data sources
    • Access to data
    • Data sold/shared
    • Do not sell
    • Delete data
    • Notice of action
  • Type of requestors (select one from list)
    • Website visitor (default)
    • Customer
    • Partner
    • Job candidate
    • Employee (likely not required, look out for an amendment from CA Legislature)
    • Other
  • Comment (optional)
  • Captcha (to ensure that no bot is sending requests)

We recommend including the request types such as collection purpose, data categories, and data sources. Some companies may provide this information on their web content as default for all visitors. The reason we make this recommendation is to better understand your website visitors. Your Chief Marketing Officer will be able to better understand the trust levels if they understand whether the requests are for information only or something more. It is likely that most of your requesters are seeking assurance about the use of their personal information. A more advanced privacy program could call these requesters and engage them to improve brand value and trust in your brand. We also recommend including the notice of action request. However, you must consult with your legal team and understand the consequences of this inclusion.

Webform design and deployment is simple. Check this resource to help you create your own privacy request form design.

Step 2: Privacy Request Verification Mechanism

The second step of processing a privacy request is verification. The requestor and the request need to be verified. There are several ways to verify a requestor and the request. In the request form when you use a captcha or recaptcha, this will ensure that no bots are used to provide the privacy request.

The first method of verification is email verification. This is one of the most widely used and automated processes. Email verification is about ensuring that the email address is valid. This improves the odds that the email address belongs to a real person. The intent of using email verification is to ensure that a real person receives the email sent as part of the privacy request processing.

As part of the email verification process, the privacy request processing system sends a verification email. Another option is to use an email verification service to check on the authenticity of the email address. This ensures that the email can be sent and that there are no delivery issues. Also, this means that there are no spelling mistakes by the requestor at the time of request. Additionally, the domain name is verified. Next up, the requestor reads the verification email, and is prompted to click on the link to verify the validity of the email address of the request.

The email verification does not specifically verify the authenticity of the name, phone number or the message of the requestor. But, it is the first and an essential step of the process of verifying the privacy request.

The second step of verification is to use SMS verification. This requires that your privacy request form asks for the user’s mobile phone number. The phone number can easily be verified by sending a text message with a verification code. The privacy request system will then ask for the verification code, thereby ensuring that the mobile phone number used by the requestor to present the privacy request is accurate. SMS verification is a widely used process. However, your requestor may not provide their mobile number for the same privacy reasons.

A third step of verification is location verification. Your website visitor’s IP address is easily available in your website analytics tool. You may find ways to identify the IP address. There are several tools or API services that could be used to find the geo location based on IP address. A more accurate approach would be to include a request for one-time location tracking when the user submits the privacy request. This may be an inaccurate method of location verification. But, this is one way to eliminate requests from outside of California. Your company may have a policy to address all requests without regard to location.

Other verification mechanisms could include one or more of these methods:

  • Ask for a credit card number (do a quick $1 balance authorization on the card and revert it)
  • Piggyback off of a social network site’s verification process
  • Ask the user for their social security number and do auto verification of the number
  • Call the user on the phone number provided by the user and check if they provided the request
  • Ask the user for a copy of their utility bill (with their address)

Your verification system may employ one or many of these methods. It is highly recommended to start simple – email verification. You may follow up with a phone call to the user in case of delete data, access data, or notice of action requests. Ensure that you have the following rules for request verification:

  1. CCPA privacy request once received cannot be modified
  2. Any privacy request received (date & time) must be verified for requestor identity prior to processing
  3. Email verification is a MUST; SMS phone number verification, verification by phone call, and geolocation verification are good to have
  4. ONE verification confirmation is sufficient, while the system or user may request several verifications
  5. Requestor verification status and process applies to all types of requests and all types of requestors
  6. You may assign a request to a request processor before or after request verification
  7. Request processor may start work on a request only after request verification is completed
  8. Do not send any email notification until the email verification is received
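One way to implement the email verification link and rules 1, 2, 4 and 8 above, as an added example that is not part of the original guide or any vendor's product. The `PrivacyRequest` and `RequestIntake` names, the HMAC token format and the 24-hour link lifetime are assumptions; the outbox list stands in for a real mail sender, and the notice-of-action exception follows this guide's later advice not to acknowledge that request type.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed for this example; in practice load the key from a secret store.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600        # assumed link lifetime, not a CCPA value
NO_ACK_TYPES = {"notice_of_action"}  # guide: acknowledge only after legal approval


@dataclass(frozen=True)  # rule 1: a received request cannot be modified
class PrivacyRequest:
    request_id: str
    name: str
    email: str
    request_type: str
    received_at: float  # rule 2: date and time of receipt


def _signature(req, expiry):
    # Bind the token to this request, this email address and this expiry time.
    msg = f"{req.request_id}|{req.email.lower()}|{expiry}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(req, now=None):
    """Return 'expiry.signature' to embed in the verification link."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    return f"{expiry}.{_signature(req, expiry)}"


def check_token(req, token, now=None):
    """True only for an unexpired token issued for this exact request."""
    now = time.time() if now is None else now
    try:
        expiry_str, sig = token.split(".", 1)
        expiry = int(expiry_str)
        sig_bytes = sig.encode()
    except ValueError:
        return False
    if now > expiry:
        return False
    # Constant-time comparison: do not leak how many characters matched.
    return hmac.compare_digest(_signature(req, expiry).encode(), sig_bytes)


class RequestIntake:
    """Receives requests and gates every notification on email verification."""

    def __init__(self):
        self.requests = {}
        self.verified = set()
        self.outbox = []  # (request_id, template) pairs standing in for sent mail

    def receive(self, req, now=None):
        if req.request_id in self.requests:
            raise ValueError("request already received")
        self.requests[req.request_id] = req
        # The verification email is the only message sent before verification.
        self.outbox.append((req.request_id, "email_verification"))
        return make_token(req, now)

    def confirm(self, request_id, token, now=None):
        req = self.requests.get(request_id)
        if req is None or not check_token(req, token, now):
            return False
        if request_id not in self.verified:  # rule 4: one confirmation suffices
            self.verified.add(request_id)
            if req.request_type not in NO_ACK_TYPES:
                self.outbox.append((request_id, "request_acknowledgement"))
        return True

    def notify(self, request_id, template):
        if request_id not in self.verified:  # rule 8
            raise PermissionError("no notification before email verification")
        self.outbox.append((request_id, template))
```

Because the signature covers the request id and the email address, a link issued for one request cannot be replayed to verify another.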

Step 3: Email Notification Templates

Email notification templates are required for privacy request management. They make your process consistent and let you scale your request processing. The following table provides a detailed list of templates you require for CCPA compliance privacy request processing.

| # | Type of email notification | When to use the notification | One or many |
|---|---|---|---|
| 1 | Email verification notification | Upon receipt of privacy request | One |
| 2 | Privacy Request acknowledgement | Upon completion of verification | One |
| 3 | Privacy request legal review completed/rejected… | Send to the request processor upon this status | One (internal) |
| 4 | Privacy request processing extension | Sent to the requestor by the request processor | One |
| 5 | Purpose of collecting personal information | Sent to the requestor by the request processor | One |
| 6 | Categories of personal data collected | Sent to the requestor by the request processor | Many (at least one) |
| 7 | Sources of personal data collected | Sent to the requestor by the request processor | Many (at least one) |
| 8 | Personal data access request | Sent to the requestor by the request processor (Attach the data file) | Many (at least one) |
| 9 | Request access to data sold/shared | Sent to the requestor by the request processor (Attach the data file) | Many (at least one) |
| 10 | Request – Do Not Sell My Personal Info | Sent to the requestor by the request processor | Many (at least one) |
| 11 | Request – Delete My personal info | Sent to the requestor by the request processor | Many (at least one) |
| 12 | Privacy request is rejected | Sent to the requestor by the request processor | Many (at least one) |

Step 4: Privacy Request Work Flow Status

As part of processing the CCPA privacy requests, you need to discuss and decide on the workflow and how to maintain the status of the workflow. This is a simple process setup. Let’s make a simple assumption. Your company may receive less than 500 privacy requests a month. This could imply you need a 1-3 person team to process these requests. We recommend the following states for your privacy requests workflow:

  1. Under verification – Implies the request was received and pending verification of the requester
  2. To be assigned – Implies the privacy request process manager is yet to assign the request for processing
  3. Under review – default state once request is verified and assigned
  4. Under legal review – implies that request is sent to legal approver for review with data or files attached (required only for a few requests)
  5. Legal rejected – implies that legal has not approved based on the request and data attached
  6. Legal more information – implies that legal does not have sufficient data to approve the request
  7. Legal approved – implies that request is received from legal as approved
  8. Completed – implies that the requester received an email completing the processing of the request
  9. Rejected – implies that the requester received an email with explanation of rejection of the request

You must ensure that your privacy and legal teams clearly understand and accept these statuses. It is recommended that you review the entire request processing with your privacy and legal team in detail. This ensures that your privacy request pipeline is processed smoothly and in a timely manner.

Step 5: Establish Process for Each Type of Request

As part of this step, it is important to establish a few common elements of processing any of the CCPA privacy requests. A few common process elements include:

  1. Extend the time needed for processing
  2. Send email notification to requester (based on templates)
  3. Preparation of data – collect and collate the personal information of requester

Disclaimer: Please consult your legal team for specific implementation details.

Extension Processing: CCPA requires that a request received must be processed within 30 days. Let’s consider the clock starts upon email verification. (Please consult your legal team on the start of the clock.) This guide helps you process most of the privacy requests within 5 days of receiving a request. CCPA provides you a way to extend your request processing by an additional 70 days. You need to send the process extension notification to the requester before the expiration of the 30 days of initial processing. We recommend you send this process extension email using a standard email template. CCPA allows for one extension only. We recommend using the process extension for 4 requests. These include requests for access to personal data, access to data sold or shared, do not sell, and delete data. Depending on your data and your ability to rapidly query this data, you may need to seek an extension to process these 4 specific privacy requests.

Sending Emails: The final objective of CCPA privacy request processing is sending one or more messages to the requester. Sending emails is the easiest. The key part of request processing is requester verification. The requester email must be verified using an email verification process. Additionally, sending email is inherent to the workflow process. Sending personal data to the wrong person will be considered a data breach. Such a data breach is subject to an action by the requester.

Data Preparation: Nearly all CCPA privacy requests require personal data of the requester to be available. It is important to ensure that you have the ability to query, collect, and collate all the data associated with the requester. We shall cover data collection and collation in another guide. For setting up CCPA privacy request processing, you need the data file for the requester. You may use email address, phone number, name, or other search criteria for querying.
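The Step 4 statuses and the extension rule described above, sketched as a small state machine (an added example, not code from the original guide). The status names, the 30-day window and the single 70-day extension come from the guide; the transition map, the `WorkItem` class and its method names are assumptions, and the clock is taken to start at email verification as the guide supposes.

```python
from datetime import datetime, timedelta
from enum import Enum

INITIAL_DAYS = 30    # initial processing window stated in this guide
EXTENSION_DAYS = 70  # single extension stated in this guide


class Status(Enum):
    UNDER_VERIFICATION = "Under verification"
    TO_BE_ASSIGNED = "To be assigned"
    UNDER_REVIEW = "Under review"
    UNDER_LEGAL_REVIEW = "Under legal review"
    LEGAL_REJECTED = "Legal rejected"
    LEGAL_MORE_INFORMATION = "Legal more information"
    LEGAL_APPROVED = "Legal approved"
    COMPLETED = "Completed"
    REJECTED = "Rejected"


S = Status
# Assumed edges: the guide names the states but not the moves between them.
ALLOWED = {
    S.UNDER_VERIFICATION: {S.TO_BE_ASSIGNED},
    S.TO_BE_ASSIGNED: {S.UNDER_REVIEW},
    S.UNDER_REVIEW: {S.UNDER_LEGAL_REVIEW, S.COMPLETED, S.REJECTED},
    S.UNDER_LEGAL_REVIEW: {S.LEGAL_REJECTED, S.LEGAL_MORE_INFORMATION,
                           S.LEGAL_APPROVED},
    S.LEGAL_MORE_INFORMATION: {S.UNDER_LEGAL_REVIEW},
    S.LEGAL_REJECTED: {S.REJECTED},
    S.LEGAL_APPROVED: {S.COMPLETED},
    S.COMPLETED: set(),
    S.REJECTED: set(),
}
CLOSED = (S.COMPLETED, S.REJECTED)


class WorkItem:
    def __init__(self, request_id, request_type):
        self.request_id = request_id
        self.request_type = request_type
        self.status = S.UNDER_VERIFICATION
        self.assignee = None
        self.verified_at = None
        self.extended = False
        self.history = [S.UNDER_VERIFICATION]

    def _move(self, new):
        if new not in ALLOWED[self.status]:
            raise ValueError(f"{self.status.value} -> {new.value} not allowed")
        self.status = new
        self.history.append(new)

    def verify(self, when):
        """Requester verified: start the clock and leave 'Under verification'."""
        self._move(S.TO_BE_ASSIGNED)
        self.verified_at = when
        if self.assignee is not None:  # assigned before verification
            self._move(S.UNDER_REVIEW)

    def assign(self, processor):
        """Assignment is allowed before or after verification."""
        if self.status in CLOSED:
            raise ValueError("request is closed")
        self.assignee = processor
        if self.status is S.TO_BE_ASSIGNED:
            self._move(S.UNDER_REVIEW)

    def advance(self, new):
        """Processor or legal step; work starts only on a verified, assigned request."""
        if self.verified_at is None or self.assignee is None:
            raise PermissionError("request must be verified and assigned first")
        self._move(new)

    def due_date(self):
        if self.verified_at is None:
            return None
        days = INITIAL_DAYS + (EXTENSION_DAYS if self.extended else 0)
        return self.verified_at + timedelta(days=days)

    def extend(self, now):
        """Record the one permitted extension; the notice must go out in time."""
        if self.verified_at is None:
            raise PermissionError("clock has not started")
        if self.status in CLOSED:
            raise ValueError("request is closed")
        if self.extended:
            raise ValueError("only one extension is allowed")
        if now > self.verified_at + timedelta(days=INITIAL_DAYS):
            raise ValueError("extension notice is due before the 30 days expire")
        self.extended = True
        return self.due_date()
```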

Processing Privacy Requests for Collection Purpose, Data Categories, & Data Sources

These three privacy requests are similar in processing. Each of these three CCPA privacy requests can be completed in a few steps or actions:

  1. Requester verification is completed
  2. Send email acknowledgement to the requester – request received
  3. Call the requestor (optional) to confirm the request received
  4. Get requester data for the past 12 months and attach it to the request
  5. Review requester data for collection purpose/data categories/data sources (action)
  6. Email requester the appropriate email template for collection purpose/data categories/data sources (action)
  7. Close the request as completed

Your company may have several email templates depending on the type of requestor or type of collection purpose/data categories/data sources. Or, you may also have one generic email template for each of the privacy request types. It is better for the company to have different templates for different types of requesters (purpose/categories/sources may change for each type of requester). Another alternative is to provide generic collection purpose / data sources / data categories information on your website. We strongly recommend specific request processing. This approach provides a way to engage your request stakeholders.

Processing Privacy Request for Access to Data

The CCPA privacy request for access to personal information can be completed in several steps and actions:

  1. Requester verification is completed
  2. Send email acknowledgement to the requester – request received
  3. Call the requestor (optional) to confirm the request received
  4. Check if this is a valid request
  5. Check if a similar request was received from the same requester in the past 12 months
    • You are required to process a request every 6 months. This could imply that you could process 2 requests each year. We recommend that your company keep track of the number of requests received from a specific requester. It is also recommended to track several request types, including request for access to data, request to delete data, request to access data shared/sold, or request not to sell data.
    • If a delete data request was received in the past 12 months, the company may send a notification to the requester that a delete data request was processed in the past 12 months.
    • If the number of requests is in order, then continue with the next steps.
  6. Get requester data for the past 12 months and attach it to the request
  7. Review requester data and note any abnormal patterns (action)
  8. Send the request including the data and the notes for legal review (action)
  9. Get an approval from the legal reviewer
  10. Email requester the appropriate email template for access to personal data and attach the data approved by legal reviewer
  11. Close the request as completed

Your company may have several email templates depending on the type of requestor for personal information access. Or, you may also have one generic email template for each of the privacy request types. It is better for the company to have different templates for different types of requesters. You should have the ability to collate and collect the personal information of the requester.

Personal information access is a very tricky area. CCPA has expanded the definition beyond personally identifiable information. For example, if a visitor to your company website requests data, then it is imperative that you collate all the website statistics for this specific visitor. Website statistics collected by most companies do not have any personally identifiable information. However, under CCPA it is personal information associated with a cookie id of the visitor.

Processing Privacy Request for Data Sold/Shared

The CCPA privacy request for access to personal information that is sold or shared is similar to the privacy request for personal information access discussed in the section above. The only difference is in the collation of data from multiple data stores of the company. Your company must have a way to quickly identify if this data is licensed to a third party. CCPA does not require you to share who the data is licensed/sold/shared with. It is unclear if data hosted with a third party service provider is considered to be part of data shared/licensed. We recommend that hosting data with a third party service provider need not be considered as part of this privacy request. Disclaimer: we are not your legal team, please seek appropriate legal advice.

Processing Privacy Request for Do Not Sell

The CCPA privacy request for do not sell my personal information is similar to the privacy request for personal information access discussed in the section above. There are several major differences:

  1. Do not attach the data collated as part of the response to the requester.
  2. Identify a way to mark the data for the specific requester and the date of the request.
  3. What if the data was already sold?
    • There is no need for the company to retroactively inform the licensors
    • The request is for any future sale/sharing of the data of this specific requester
  4. At the end of 12 months from the date of this type of request you may sell/share this data. CCPA does not specify any limitations. Disclaimer: Please consult your legal team.

Processing Privacy Request for Delete Data

The CCPA privacy request for delete my personal information is similar to the privacy request for personal information access discussed in the section above. There are several major differences:

  1. Controversial: Delete data does not imply no new data collection. We are of the view that a request to delete data does not imply that your company needs to stop data collection. You may continue data collection from various sources. CCPA has a specific provision about opt-out of data collection. This is a topic for cookie management. As part of cookie management and cookie opt-out, you may still do some essential data collection.
  2. You may not delete data that is necessary to service any future requester requests. For example, if the requester is a customer, invoice or payment information may not be deleted. You may need that customer information for returns processing, or as part of other compliance.
  3. Do not attach the data collated as part of the response to the requester.
  4. Identify a way to mark the request for data deletion.
  5. We are of the view that data collated as part of request processing may be retained. This is required for audit and compliance purposes.
  6. What if the data was already sold?
    • There is no need for the company to retroactively inform the licensors about data deletion
    • The request is for any data with the company
  7. Starting immediately after processing the request, you may collect new data for this requester. Disclaimer: Please consult your legal team.

Processing Privacy Request for Notice of Action

The CCPA privacy request for notice of action is not a necessary type of request under CCPA. We recommend this request type. This is useful because this is a way for you and your legal team to be prepared for any inconsistencies in request processing or potential future compliance actions. Processing this request is quite simple:

  1. Requester verification is completed
    • We do not perceive email verification of the requester is an acknowledgement of the request
    • Please ensure that your email verification notification to requester does not indicate acknowledgement of any requests
  2. Do NOT send email acknowledgement to the requester
  3. Collate all the data of the specific requester
  4. Collate all requests received from the specific requester
  5. Consolidate all this information and the request and send it to your legal reviewer
  6. If you receive legal approval, you may then send an acknowledgement to the requester
    • Your company may have legal policies on notice acknowledgements

List of Vendors that Provide Privacy Request Processing

Here is a list of vendors that provide software and systems for CCPA privacy request management:

  1. InfoSecEnforcer.com
  2. OneTrust.com
  3. TrustArc.com
  4. Clarip.com
  5. Privaci.ai
  6. Truyo.com
  7. Wirewheel.io
  8. Sourcepoint.com

Cost to Build Your Own Privacy Request Processing

It is expensive to build your own privacy request processing tool. It may be inexpensive to build it once. However, we expect CCPA to change over the next several years. This would imply that you need to have your team make these changes constantly. These continued long-term changes will prove to be expensive.

Most of the above listed vendors provide low-cost tools. We recommend InfoSecEnforcer, a free tool for privacy request processing.

A common and misunderstood aspect of CCPA is about website cookies. CCPA requires you to ensure that you manage the data collected using website cookies. This data is to be considered as personal information. As such, your company must be able to identify this data with the visitor and respond to privacy requests from the consumer. Nearly all such requests need access to the data, and your 3rd party cookie vendor should include that ability. Engage your vendor for CCPA compliance.

Cookies and consumers

Companies and websites use cookies. Cookies are placed by the website to recognize your browser and remember information specific to your browsing habits. Cookies are specific to the website. When you visit that website again, the cookie will track your browsing habits and the company is aware of your history of visits on their website(s). A company could use its own cookie, also called a first-party cookie, or alternately a company could use a third-party cookie service.

Technically there are only two types of cookies. First is a session cookie. Session cookies live a short life and die when you close the browser. When a website uses a session cookie each visit is treated as a new visit. Second is a persistent cookie. Persistent cookies are stored on your computer and their life is set by the website. Websites use persistent cookies for different purposes:

  1. Essential cookies – these types of cookies are used for basic features to work on the website. Examples of basic features include signin, signup, loading images, enabling selection of preferences, and so on.
  2. Functional cookies – these types of cookies are used so the website can do analysis of website usage. Examples of functional use include performance improvements, better user experience, optimizing image load or video performance, and so on.
  3. Advertising cookies – these types of cookies are mainly used for advertising purposes. This enables the website to display ads that are relevant to the specific visitor. Examples of advertising functions include data sharing with advertisers, social sharing, return visit tracking, and so on.
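The distinctions above (session vs. persistent, first-party vs. third-party, and purpose) can be turned into a cookie inventory by parsing the `Set-Cookie` headers a site emits. The following is an added example, not code from the original article; the site name, the purpose mapping and the sample headers are constructed assumptions.

```javascript
// Added example. SITE, PURPOSES and the SAMPLE headers are constructed assumptions.
const SITE = "shop.example";
// Purpose is not in the header; the site owner has to maintain this mapping.
const PURPOSES = { sid: "essential", prefs: "functional", _adid: "advertising" };

function parseSetCookie(header, responseHost, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.includes("=") ? pair.slice(0, pair.indexOf("=")) : "";
  let domain = responseHost.toLowerCase();
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "domain" && value) domain = value.replace(/^\./, "").toLowerCase();
    if (key === "max-age" && /^-?\d+$/.test(value)) maxAge = Number(value);
    if (key === "expires" && !Number.isNaN(Date.parse(value))) expires = Date.parse(value);
  }
  // Max-Age wins over Expires; with neither, the cookie dies with the browser session.
  let lifetimeSec = null;
  if (maxAge !== null) lifetimeSec = maxAge;
  else if (expires !== null) lifetimeSec = Math.round((expires - now) / 1000);
  let type = "session";
  if (lifetimeSec !== null) type = lifetimeSec > 0 ? "persistent" : "deleted";
  // Simplified same-site test; a production audit compares registrable domains.
  const firstParty = domain === SITE || domain.endsWith("." + SITE);
  return {
    name, domain, type,
    lifetimeDays: lifetimeSec === null ? null : Math.round(lifetimeSec / 86400),
    party: firstParty ? "first-party" : "third-party",
    purpose: Object.hasOwn(PURPOSES, name) ? PURPOSES[name] : "unclassified",
  };
}

function inventory(responses, now) {
  return responses.flatMap(({ host, setCookie }) =>
    setCookie.map((h) => parseSetCookie(h, host, now)));
}

const SAMPLE = [ // constructed capture: one first-party and one ad-vendor response
  { host: "shop.example", setCookie: [
    "sid=abc123; Path=/; HttpOnly; Secure",
    "prefs=lang=en; Max-Age=31536000; Path=/" ] },
  { host: "ads.vendor.example", setCookie: [
    "_adid=9f2c; Domain=.vendor.example; Expires=Fri, 01 Jan 2021 00:00:00 GMT" ] },
];
console.table(inventory(SAMPLE, Date.UTC(2020, 0, 1)));
```

Any row that comes back as `unclassified` or `third-party` is a cookie whose purpose and vendor still need to be documented.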

Personal information tracked with cookies

Cookies are simply identifiers with an expiration date. A cookie does not contain any personal information when created. It does not have any personally identifiable data. It does not scan your computer, browser data, or browser history. Most websites collect personal information only when you provide it on a form. Any information a cookie stores is usually encrypted. The website server is aware of the information coded in the cookie. The server is aware of any information you provide. As a result of how the internet works, the server is also aware of your potential location, time of visit, your IP address, your service provider, length of your visit, web pages you visited, clicks, frequency of clicks, your search terms, and so on. All of this information may not be considered personally identifiable information, but it is personal information under CCPA (California Consumer Privacy Act).

Web servers can use third party tools to profile you. Marketers could collate data from multiple websites and create your unique profile. This is often called web profiling. This helps marketers target specific ads. For example, when you search for running shoes on a website and moments later you visit an ecommerce site, it is likely that you will be served an advertisement for running shoes. Another example would be when you visit a website called xyz.com, and you start browsing other sites, you may be served ads for xyz.com.

Profiling with cookies and consumer privacy

Profiling using cookies is an essential tool for marketers. It is powerful and helps them spend advertising dollars effectively. Marketers can specifically target users based on the products they are likely to purchase. However, profiling can be malicious and could be used by trolls. Cookies can help in many other ways.

As a consumer you cannot prevent profiling. You could take precautions to protect your privacy. For example, you may use free browser extensions or 3rd party applications such as Ghostery to identify companies using cookies. And, you may also install CCleaner that helps in session and cookie cleaning. A simpler approach is to configure your browser to prevent cookies from untrusted sites. Chrome browser provides several advanced privacy settings. We recommend that you explore these settings.

Chrome has several options that you could explore in site settings. These options allow you to set permissions for a specific site without changing default settings. You may use this to browse trusted sites and untrusted sites in a different way.

You may explore cookie settings options in your Chrome or other browsers. This may help you prevent profiling. Additionally most browsers also provide a list of cookies by website and the estimated amount of data stored in relation to that cookie.

State of cookies prior to CCPA

A study by advertising firms in 2018 examined 5 billion page impressions. This study states that users on web browsers block over 60% of cookies. And, users on mobile devices reject over 70% of cookies. They use tools and built-in browser settings to actively block cookies. Consumer awareness of the privacy risks of cookie tracking is at an all time high, a substantial improvement over the past 2 decades.

The General Data Protection Regulation (GDPR) came into effect in 2018. This meant that websites have to change their privacy policies, cookie management policies, and more. GDPR and the EU ePrivacy directive require that your website visitors must provide consent before the website deploys tracking cookies. Additionally, this consent must be saved. As a result, many websites deployed cookie consent management on their sites. Today, a website visitor sees a familiar cookie consent banner. GDPR regulation of cookies implies:

  • Transparency of cookie policy – A visitor to the website must be given a clear view of the use of cookies in a clean and understandable language. This implies that websites cannot hide behind a legal privacy policy statement, which the visitors or users often overlook.
  • Personally identifiable information – A visitor may or may not provide directly identifiable information. However, an individual may be singled out by a combination of data collected for the regulation to apply.
  • Accountability for cookies on the site – A website is accountable for all the data collected. The company is accountable for the safety, processing, and storage of collected data. This is more difficult to manage. Websites often apply 3rd party cookies and data processing by 3rd parties should be more carefully managed.
  • Opt-in cookie consent – A visitor must be provided a clear choice to opt-in or reject tracking using cookies. This choice must be obtained before any cookies can start collecting data.
  • Manage consent – A visitor must have the ability to change (reject or accept) their consent. Additionally, a website must ask the visitor to update consent every 12 months. And, each such consent must be recorded for future reference.

GDPR set the stage on how cookies should be managed on websites. Several large companies that operate in the EU have taken steps to apply these cookie management settings globally. However, GDPR did not apply to millions of California websites. The EU barely has the resources to regulate within its own jurisdiction. Awareness had built up for change in California. The result: CCPA (California Consumer Privacy Act).

Right to privacy in California

The California state Constitution gives each citizen a right to pursue and obtain privacy – Article 1, Section 1. Several other state and federal laws protect the privacy of individuals. You may review a list of privacy laws that apply in California here.

Why the CCPA – California Consumer Privacy Act?

Officially AB-375, the California Consumer Privacy Act is intended to hold companies accountable for the use of consumer data. Beyond privacy, consumers have the right to control their data and its use. CCPA (California Consumer Privacy Act) is intended to provide the consumer the right to control what happens to their personal information. Consumers are now expected to have certain enforceable rights about their personal information:

  • Right to know what information is collected
  • Right to know if their data is sold or shared
  • Right to know 3rd parties that have access to their data
  • Right to say no to the sale of their data
  • Right to be forgotten
  • Right to have access to data
  • No discrimination upon exercise of rights
  • and more…

State of cookies after CCPA

California Consumer Privacy Act (CCPA) introduces stricter provisions for companies processing personal information of individuals. For example, any data collected by cookies can be seen as personal information and therefore fall under the CCPA (California Consumer Privacy Act). For those already compliant with the GDPR this may be an easy change to adapt. The European regulation requires similar changes for the cookie policy.

  • Clear disclosure of cookie policy – A visitor to the website must be given a clear view of the use of cookies in a clean and understandable language. Under CCPA (California Consumer Privacy Act), websites cannot hide behind a legal statement, which visitors often overlook.
  • Personal information – A visitor may not provide directly identifiable information. However, any information collected using cookies shall be considered personal information under CCPA (California Consumer Privacy Act).
  • Cookies on the site – A website is accountable for all the data collected. The company is accountable for the safety, management, and storage of collected data. Websites that use 3rd party cookies must be able to manage the data collected.
  • Know your 3rd party vendors – Cookies on websites are mostly from 3rd party vendors. It is critical to ensure that your vendor agreement clearly has data protection and CCPA compliance clauses.
  • Opt-out of sale of personal information – A visitor must be provided a clear choice to opt-out of sale of personal information. The opt-out choice should be clear and easy to find. This opt-out of sale refers to all data.
  • Manage opt-out and opt-in of sale of personal information – A visitor must have the ability to change (reject or accept) their consent. And, each such consent must be recorded for reference.

Cookie policy changes

As part of CCPA (California Consumer Privacy Act), websites and companies need to be transparent in their use of cookies. They must have a clear disclosure of the use of cookies. Such disclosure may include data collected as part of the cookies. CCPA does not require prior consent for the use of cookies. However, there is a requirement of clear disclosure. Additionally, there is a requirement to provide the visitor an ability to opt-out of cookie usage. Websites and companies need to modify their cookie policy to reflect these changes.

Under CCPA (California Consumer Privacy Act) different types of cookies have separate treatment. Essential cookies are required for the proper operation of the website. Websites are not required to provide the ability to opt-out of essential cookies. It is advisable to disclose their use, but not required to allow visitors or users to disable essential cookies.

Functional cookies are used for multiple functions and potentially for web tracking. Some of these cookies may be required for the performance of the website, while other functional cookies may be optional. Under CCPA (California Consumer Privacy Act), websites are required to provide the visitor an ability to opt-out of some functional cookies. Websites should place a clear description of each type of cookies used, how many cookies are used for each type, and the option to opt-out of anything that isn’t mandatory for the website to function. These cookies may be first party or 3rd party cookies. While the letter of the CCPA act is not specific, the provisions of the act imply clear disclosure. Disclosure must include how cookies collect and use data, and the ability to opt-out of non-essential cookies.

Advertising cookies clearly fall under the purview of non-essential cookies. These may be first party or 3rd party cookies. Under CCPA, data collected must be protected and you must be able to provide access to this data to consumers upon request.

Consent management (A good practice and not necessary under CCPA)

Websites must start to implement clear consent management. We recommend consent management for all websites. Such consent management should have the ability to opt-out. Opt-out consent management does not adversely impact the way websites do business today. Typically most companies that use email marketing have already incorporated consent management. Websites need to extend this to their website visitors.

Companies now need to manage consent across all functions. Websites need to track visitor cookie preferences. CCPA is clear about opt-out consent for adults. It is also clear about opt-in consent for children and young adults. However, it is still unclear on how to implement both types of consent for different types of visitors. We expect to provide an update when this clarity emerges. Finally, websites need an integrated consent management system that also includes the ability to share consent with 3rd party partners.

A consent management system must also have an additional capability. It should be able to recognize the visitor across the multiple devices that the visitor uses and be able to track consent across devices. This implies deploying advanced cookie tracking capabilities across multiple devices including mobile, tablets, and computers.
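The per-type treatment and the consent recording described above can be enforced at the point where a response sets cookies. This is an added example, not code from the original article; the cookie names, the `mandatory` flag and the record shape are assumptions, and the two modes correspond to the opt-out and opt-in consent the text distinguishes.

```javascript
// Added example. Cookie names, modes and the record shape are assumptions.
const COOKIES = {
  sid:     { category: "essential",   mandatory: true },
  cdn_lb:  { category: "functional",  mandatory: true },  // site breaks without it
  ab_test: { category: "functional",  mandatory: false },
  _adid:   { category: "advertising", mandatory: false },
};

// Append-only log: every opt-out or opt-in is kept, never overwritten.
function recordChoice(log, visitorId, category, granted, at = new Date()) {
  log.push(Object.freeze({ visitorId, category, granted, at: at.toISOString() }));
}

// Latest entry per category wins; categories with no entry stay undefined.
function currentChoices(log, visitorId) {
  const choices = {};
  for (const e of log) {
    if (e.visitorId === visitorId) choices[e.category] = e.granted;
  }
  return choices;
}

// mode "opt-out": allowed until refused. mode "opt-in": blocked until accepted.
function maySet(name, mode, choices) {
  const cookie = Object.hasOwn(COOKIES, name) ? COOKIES[name] : null;
  if (!cookie) return false;            // not in the disclosed inventory: never set
  if (cookie.mandatory) return true;    // no opt-out offered for these
  const choice = choices[cookie.category];
  return choice === undefined ? mode === "opt-out" : choice === true;
}

function filterSetCookie(headers, mode, choices) {
  return headers.filter((h) => maySet(h.split("=")[0].trim(), mode, choices));
}

// Constructed run: the same visitor before and after opting out of advertising.
const log = [];
const headers = ["sid=abc", "cdn_lb=n2", "ab_test=B", "_adid=9f2c", "mystery=1"];
const names = (hs) => hs.map((h) => h.split("=")[0]).join(",");
console.log(names(filterSetCookie(headers, "opt-out", currentChoices(log, "v1"))));
recordChoice(log, "v1", "advertising", false, new Date("2020-07-01T10:00:00Z"));
console.log(names(filterSetCookie(headers, "opt-out", currentChoices(log, "v1"))));
console.log(names(filterSetCookie(headers, "opt-in", {})));
```

Dropping cookies that are missing from the inventory is this example's own choice; it keeps the site from setting anything the cookie policy does not disclose.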

Cookie banner

CCPA does not have a requirement on cookie banners and their usage. However, it does have a clear requirement of a ‘Do not sell my personal information’ link on the home page. There is a need to provide clear consent management. We recommend that websites do not use a cookie banner. We also recommend that websites place a clear link on their home pages to manage cookie preferences. This differs from how GDPR compliance uses a cookie banner. For technical reasons or reasons of consistency, you may use a cookie banner for both.

In conclusion, CCPA has several requirements about cookies and consent management:

  • Clear and easy to understand cookie policy
  • Detail of each cookie used and its purpose
  • Collect, manage, store, and secure personal information collected using cookies
  • Manage 3rd party vendors for CCPA compliance and data protection
  • Track consent across multiple devices (see household requirement under CCPA)
  • No requirement for cookie banner
  • Recommend placing a link on home page for consent management (a good practice, not a CCPA requirement)

Some useful links