CCPA: Business Obligations
Business Obligations [§ 1798.100, 130, 135]
Rule: Businesses must provide notices, honor consumer requests, maintain contracts with service providers, and implement reasonable security.
Privacy Notice Requirements [§ 1798.100(a), 130(a)]
Must provide at or before collection:
| Required Disclosure | Description |
|---|---|
| Categories of PI | What types you collect |
| Purposes | Why you collect each category |
| Retention periods | How long you keep each category |
| Consumer rights | Description of rights and how to exercise |
| Sale/sharing | Whether you sell or share, and opt-out instructions |
| Sensitive PI | Whether you collect sensitive PI and purposes |
Privacy Policy Requirements [§ 1798.130(a)(5)]
Annual update with:
| Element | Details |
|---|---|
| Categories collected | Past 12 months |
| Sources | Categories of sources |
| Purposes | Business/commercial purposes |
| Categories sold/shared | If any, and recipients |
| Categories disclosed | To service providers/contractors |
| Rights description | How consumers can exercise rights |
| Contact info | Methods to submit requests |
Request Handling [§ 1798.130]
Must provide at least two designated methods for submitting requests. A toll-free number is one of them unless the business operates exclusively online and has a direct relationship with the consumer, in which case an email address alone satisfies the statute:
| For Most Businesses | For Exclusively-Online Businesses |
|---|---|
| Toll-free number (required) | Not required; email address alone suffices |
| Website form/link | Website form/link |
| Email address | Email address |
Response requirements:
- Confirm receipt within 10 business days (CPPA regulations), describing how the request will be processed
- Provide a substantive response within 45 calendar days of receiving the request
- May extend once by a further 45 days when reasonably necessary, with notice to the consumer inside the initial 45-day window
- Provide the information free of charge; a request to know may be declined if the consumer has already made more than two in a 12-month period
Data Minimization [§ 1798.100(c)]
A business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.
Cannot:
- Collect more than necessary
- Retain longer than necessary
- Use for incompatible secondary purposes (without consent)
Service Provider/Contractor Requirements [§ 1798.140(ag), (j)]
Written contracts must:
| Requirement | Service Provider | Contractor |
|---|---|---|
| Specify purposes | Yes | Yes |
| Prohibit selling | Yes | Yes |
| Prohibit sharing | Yes | Yes |
| Prohibit retention beyond purpose | Yes | Yes |
| Require deletion on instruction | Yes | Yes |
| Grant audit rights | Recommended | Yes |
| Require certification | Recommended | Yes |
Security Requirements [§ 1798.100(e)]
A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information.
No specific technical controls are enumerated, but "reasonable" is typically read to include:
- Encryption of personal information at rest and in transit
- Access controls (authentication, least privilege)
- Employee training
- Incident response plans
- Vendor security assessments
This is the one obligation backed by a private right of action: under § 1798.150 a consumer may sue when nonencrypted and nonredacted personal information is exposed in a breach caused by a failure to maintain reasonable security, so encryption and redaction of stored data directly limit that exposure.
"Do Not Sell or Share" Link [§ 1798.135]
Homepage must include clear and conspicuous link:
- “Do Not Sell or Share My Personal Information”
- Or “Do Not Sell My Personal Information” + “Do Not Share My Personal Information”
Alternative: May use single “Your Privacy Choices” link with opt-out icon.
Global Privacy Control [§ 1798.135(b)]
Must treat user-enabled Global Privacy Control (GPC) signals as valid opt-out requests.
- Must honor GPC browser signals
- Applies to sale AND sharing
- Cannot require user to also click website link
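How a server honors the signal in practice, as an added example that is not code from the page or from any regulator. Two facts come from the GPC specification: a GPC-enabled browser sends the request header `Sec-GPC: 1`, and exposes `navigator.globalPrivacyControl === true` to page scripts. Everything else is an assumption for illustration: requests are plain objects with `headers` and `cookies` maps, a prior website opt-out is remembered in a hypothetical `ccpa_opt_out` cookie, and third-party tags are classified by whether loading them amounts to a sale or sharing.

```javascript
// Added example (not from the page): resolving a CCPA sale/sharing opt-out
// from a Global Privacy Control signal and applying it to third-party tags.
//
// From the GPC spec: header `Sec-GPC: 1`; browser `navigator.globalPrivacyControl`.
// Assumptions (hypothetical): request shape, the `ccpa_opt_out` cookie name,
// and the tag classification below.

const GPC_HEADER = "sec-gpc";
const OPT_OUT_COOKIE = "ccpa_opt_out"; // hypothetical cookie name

// Case-insensitive header lookup; frameworks differ on key casing.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// True only for the exact value "1". The spec defines no other opt-out value,
// so "0", "", "true" or a missing header all mean "no signal".
function gpcSignalPresent(headers) {
  const raw = headerValue(headers, GPC_HEADER);
  return raw !== undefined && raw !== null && String(raw).trim() === "1";
}

// Client-side equivalent, taking a navigator-like object so it is testable
// outside a browser: the property is `true` when the user has enabled GPC.
function gpcEnabledInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Resolve the opt-out status for one request. A GPC signal is a valid opt-out
// on its own: the consumer must not be required to also click the site link.
// A stored opt-out persists whether or not GPC is sent on later requests, and
// GPC can only add an opt-out, never clear one.
function resolveOptOut(req) {
  const viaGpc = gpcSignalPresent(req.headers || {});
  const viaStored = (req.cookies || {})[OPT_OUT_COOKIE] === "1";
  return {
    optedOut: viaGpc || viaStored,
    source: viaGpc ? "gpc" : viaStored ? "stored" : "none",
  };
}

// Constructed sample tag configuration. "sale_or_share" marks tags that send
// personal information to a third party for cross-context behavioural
// advertising; "service_provider" marks tags covered by a compliant contract.
const SAMPLE_TAGS = [
  { name: "analytics-sp", purpose: "service_provider" },
  { name: "ad-retargeting", purpose: "sale_or_share" },
  { name: "social-pixel", purpose: "sale_or_share" },
  { name: "fraud-detection", purpose: "service_provider" },
];

// Apply the decision: drop every sale/sharing tag when opted out. Service
// provider tags stay, because the opt-out restricts sale and sharing, not
// disclosures to service providers under a compliant contract.
function filterThirdPartyTags(tags, decision) {
  if (!decision.optedOut) return tags.slice();
  return tags.filter((t) => t.purpose !== "sale_or_share");
}

// Full pipeline: request in, names of the tags the page may load out.
function tagsForRequest(req, tags = SAMPLE_TAGS) {
  return filterThirdPartyTags(tags, resolveOptOut(req)).map((t) => t.name);
}

// Stand-alone run with a constructed request carrying the GPC header.
if (typeof require !== "undefined" && require.main === module) {
  const req = { headers: { "Sec-GPC": "1", host: "example.test" }, cookies: {} };
  console.log(resolveOptOut(req), tagsForRequest(req));
}
```

The strict equality on `"1"` matters: a lenient check that treated any non-empty header as an opt-out would misclassify browsers that send `Sec-GPC: 0`, while a check that only looked at the cookie would violate the rule that the signal alone must suffice.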
Training [§ 1798.130(a)(6)]
Employees handling consumer inquiries must be informed about CCPA requirements to properly direct consumers to exercise their rights.
Record-Keeping [CPPA Regulations]
Businesses processing PI of 10M+ consumers must:
- Compile metrics on requests received
- Include in privacy policy annually
- Track: requests to know, delete, correct, opt-out; response times; denials