The California Consumer Privacy Act (CCPA), effective January 1, 2020, enhances the privacy rights of California residents and impacts website owners, particularly those collecting data of 50,000 or more Californians or with revenues over $25 million. Websites must allow users to opt-out of data sales and comply with requests regarding personal data access and deletion. Failure to comply can result in data breach liabilities, with potential damages ranging from $100 to $750 per affected individual.

1. The California Consumer Privacy Act
(CCPA) is in Effect Starting on
January 1, 2020
1

2. Called the California Consumer Privacy Act
or CCPA, it is meant to provide the
residents of California with more control
over the way their personal data is stored
and processed.
Who will this new legislation impact?
What are the main things to know about
CCPA? What can you do to make sure, as
a website owner, that you comply with it?
2

3. The new law is bound to impact most
website owners and operators, as it
previously happened with the European
GDPR. Yet, in many ways, the CCPA is not
as strict as GDPR and is more explicitly
aimed at companies who are selling
consumers' personal data.
3

4. Which websites will CCPA impact?
First of all, the effects of the law are limited to California residents.
However, this does not mean that businesses outside of California will not have to comply
with the law, if they deal with customers from this state.
Since residents of California can access any website, regardless of where it is being operated
from, it basically means that all website owners, in the US and abroad, should take steps
towards CCPA compliance.
4

5. Which websites will CCPA impact?
We have seen this before with the GDPR law in Europe, that was aimed at all companies
handling the personal information of EU citizens.
At the time the GDPR went into effect, website owners in the US and elsewhere either
complied to GDPR for all of their customers, or decided to simply block access to their
websites if the visit was being performed from an IP in the European Union.
5

6. Which websites will CCPA impact?
If you run a website in any of the other American states, you might be facing a similar choice
here. If you can afford to leave out your customers living in California, there is the option of
blocking visits from Californian IPs.
However, data privacy laws are likely to be on the agenda of legislators in the future, too. It is
not unforeseeable that more, if not all states, will pass similar legislation in the future. So,
instead of progressively blocking out potential customers, it may be wiser to comply now,
regardless of where your business is located.
6

7. Which websites will CCPA impact?
Secondly, unlike GDPR, the effects of the law are somwhat limited. CCPA will concern only the
following companies:
● those with gross revenues of at least $25 million
● those who have personal information on at least 50,000 California residents /
households / devices per year
● at least 50% of their annual revenue is generated from selling the personal data of
Californians
7

8. Which websites will CCPA impact?
If your website collects personal information, but does not fall under one of the above
categories, then you are free to do business as usual.
These caveats are a clear sign that the law was not designed with small business owners in
mind, but rather that it targets corporations who are profiting from selling large sets of
personal information. However, make sure to check the number of unique visitors from
California you have on your website. If that number exceeds 50,000 in a year, then you will
have to consider CCPA compliance.
8

9. What is considered
personal data under CCPA?
There is not a big difference from what we
already discussed in GDPR related topics
previously, as the personal data involved is pretty
much the same: names, email addresses,
location, biometric data etc.
The law defines this as any information that
"identifies, relates to, describes, is capable of
being associated with, or could reasonably be
linked, directly or indirectly, with a particular
consumer or household". Please note that
publicly available information, as well as
deidentified or aggregate consumer
information is not considered personal
information under CCPA.
9

10. What do I need to do in order to be CCPA
compliant?
You can still collect and even sell personal information, but you
need to make it easy for users to opt-out of this process.
The law explicitly says that, if a business sells the personal information
of the users, it has to provide a clear link on their homepage, titled "Do
Not Sell My Personal Information".
Also, it is illegal to offer different services or features based on the
choice to opt-in or opt-out. All customers have to still benefit from the
same services.
10

11. What do I need to do in order to be CCPA
compliant?
Similar to GDPR, you have to grant customers the right to data access,
to delete their personal data, and to request disclosure of all
categories of personal data being collected and sold (if that is the
case).
This will be done on a yearly basis.
On request, you have to provide the personal data from the previous 12
months preceding the request. Also, the customer may only file such
claims a maximum of twice per year.
11

12. What do I need to do in order to be CCPA
compliant?
Also, please make sure to include the following in your privacy policy:
● all categories of information you collect and process
● what these categories of information are used for
● how the information is being collected
● what is the procedure to request access to, change, move or
delete ones' personal data
● how the identity of the person who submits a request is verified
● if personal data is being sold, then this has to be described here
● how to opt-out of the selling of their data
12

13. 13
Does GDPR compliance
automatically mean you
are also CCPA compliant?
Not necessarily, but chances are
that if you have taken steps to
comply to GDPR, you are also
CCPA compliant. All of the
conditions above are found in
GDPR as well, with the exception
of explicit rules for the selling of
personal data.

14. What are the risks of failing to comply to CCPA?
The main risk website owners face is that of a data breach. Under the law, the company is
responsible for preventing unauthorized access and theft of consumers' data. If this should
happen, any user whose data is leaked has the right to file for recovering damages in an
amount between $100 and $750. A large data breach, where the data of thousands of users
is stolen, could potentially lead a company to bankruptcy. Multiply 1000 x $750 and you get
an estimate of the impact.
However, before there is any civil action, companies are allowed 30 days to "cure the
noticed violation", if that is possible.
14

15. Analytics Tools CCPA compliance
As deidentified data, as well as aggregate data, does not fall under the rules of CCPA, most
analytics tools are likely compliant by default.
However, you should make sure to read the data processing agreement and privacy policies of
any such third parties, to make sure you have all the information about the use of personal
data. As part of the effort to comply with GDPR, Visitor Analytics has become CCPA compliant
as well. Our company does not engage in the selling or sharing of data with others. The data
we gather cannot be connected to the identity of any individual or household, or device.
15

16. If you need more detail about the new privacy law, you can read the full
text of the 1.81.5. California Consumer Privacy Act here. If you would
like to know more about how Visitor Analytics complies to privacy laws,
please read our Privacy Policy and Data Processing Agreement.
16