This information is one in a series of topics to help Adobe Commerce and Magento Open Source merchants and developers understand the implications of the California Consumer Privacy Act. The information is based on the text of the statute. To confirm if CCPA applies to your business, consult with your attorney.
The California Consumer Privacy Act (CCPA) expands the rights of consumers in California for determining how their personal information is collected, stored, and used, with an emphasis on protecting consumers from the unauthorized sale or exchange or their personal information. The CCPA was enacted in 2018 and went into effect January 1, 2020.
The CCPA grants the following new rights to consumers:
For CCPA purposes, personal information in this context is defined as:
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Section 1798.140)
In this regard, it covers certain data elements that may not be considered personal data in the context of other laws or regulations. Merchants should keep this in mind when determining whether and how they should comply with the law.
The CCPA also requires businesses to provide “reasonable security”, and includes expanded data protection provisions for consumers, including the right to pursue legal action in the event of a data breach.
Consult with your legal counsel to determine whether and how you should comply with any CCPA requirements that may be applicable to you and your business, including the new notice, opt-out, and record-keeping requirements that businesses must implement in accordance with the law.
The CCPA applies to the following businesses–regardless of where the business is registered–that do business in California and collect, share, or sell California consumers’ personal data:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
This section provides a high-level outline of the steps required for merchants to comply with privacy regulations such as the California Consumer Privacy Act (CCPA).
If your business is required to comply with both the General Data Protection Regulation (GDPR) and the CCPA, you can use some of the work from your GDPR compliance program for the CCPA. Although the regulations have some similarities, a few differences include:
Businesses that comply with GDPR might have additional obligations under the CCPA. To learn more, see the CCPA Fact Sheet.
A coordinated effort is required to develop and implement a plan to address compliance. Use this roadmap as a guide to mobilize resources and prioritize tasks so you can move ahead on multiple fronts. The process is essentially the same for all Commerce installations, with the following exception:
Adobe Commerce on cloud infrastructure: Merchants with stores hosted on Adobe cloud infrastructure can ask their Adobe Commerce Technical Account Manager or Customer Support for help with responding to consumer requests.
On-Premise: Merchants with on-premise installations of Adobe Commerce or Magento Open Source must develop their own processes and tools to respond to and manage consumer requests related to privacy regulations.
Assemble a team that represents the following functional roles in your business, and schedule a training session to bring them up to speed on the legislation. Then, assign required tasks to stakeholders by role.
From a business perspective, you must determine if your company extends these privacy-protection measures only to consumers in California, or make them available to all consumers, regardless of location.
Stakeholders: Information Technology, Legal, Administrative Support
Take inventory of your digital properties, including all integrations and who has access to your consumer data.
Determine what public and private personal information is collected through your websites and mobile applications. For example, a standard Commerce database stores the following types of public and private personal information:
Public: Wish Lists, Product Reviews
Private: Customer Information, Order Information, Reward Points, Gift Registry, Address Book, Store Credit, Payment Methods, Billing Agreements, Newsletter Subscriptions, Invitations.
If your Commerce installation has been customized, additional personal information might be collected. Personal information might also reside in cookies, tags, and other technologies that collect information.
Identify the parties with whom you share data. The list should include service providers and third parties such as advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers who do not directly collect personal information from your consumers.
Service Providers: Entities who have access to your consumer data for a business purpose, and provide services on your behalf. For example, Adobe is service provider, as are some developers of customizations, extensions, and services.
Check the default settings of Google Universal Analytics, Google Tag Manager — and any other data services you use — and make any changes necessary to comply with the regulation. To learn more, see Google Privacy Settings.
Other Third Parties: Entities with whom you share or sell consumer data. For example, you might share consumer data with an advertising network in exchange for advertising.
Stakeholders: User Experience, Information Technology, Administrative Support
Identify each point in the [customer journey] where personal information is collected, and the type of information that is collected at each step.
Visitors to your site must be notified in advance, or at the point of data collection. For example, a store without custom integrations collects personal information when a customer account is created and during checkout. If your store has custom integrations, there might be additional data items and attributes to identify.
See the following topics for applicable data flow diagrams and database entity mappings for each version:
Stakeholders: Customer Service, Information Technology, User Experience, Administrative Support
From a data management perspective, each request for personal information involves the following parties:
Data Subjects (Consumers): Under CCPA, any person in California who provides personal information to make a purchase and/or to maintain a customer account might submit a request to access or delete their personal data.
Entities acting as Businesses within the scope of CCPA (Brands): Commerce merchants collect and store personal information from their customers and guests who make purchases in their stores.
Data Processor (Technology Vendors): Adobe Commerce and Magento Open Source act as processors of the personal data that is stored as part the services provided to merchants. As a processor, Adobe processes personal data in accordance with the merchant’s permission and instructions, according to the license agreement.
Merchants are responsible to do the following:
Identify the parties involved in the Data Subject Access Request (DSAR), and verify the identity of any person who requests to know, opt out, or delete, regardless of whether the person has a password-protected customer account, or shops in your store as a guest.
Disclose and deliver information to a consumer in response to their rights request within 45 days of receiving a verifiable consumer request from the consumer, unless it is not possible. (The law contains certain other requirements for a business to maintain compliance for delays of up to an additional 45 days).
Merchants must respond to each DSAR within 45 days, beginning from the day the request is received. If necessary, merchants can take up to an additional 45 days to respond, for a maximum total of 90 days from the day the request is received, if the merchant notifies the customer to explain the reason for the delay.
Develop a mechanism for presenting the required notifications in your store and collecting consumer response.
Establish response procedures and document each of the following requests:
Requests to Opt Out: The CCPA requires businesses to provide a Do Not Sell My Info link at each point where personal data is collected, if it will be sold or transferred to third parties in exchange for valuable consideration. Additional user-enabled input controls, such as checkboxes and buttons, can be used in email communications, website preference settings, or in website forms at the point of data collection for individuals to submit a valid opt-out request.
Requests to Delete
Stakeholders: Legal, Customer Service, User Experience, Information Technology, Administrative Support
In partnership with your legal counsel, determine the types of notices that should be added to your website to meet CCPA obligations.
Notice of Collection: A notice given at or before the time personal information is collected from the consumer. The notice should be written in plain language, and be easy for the average person to understand. The notice should be conspicuous and provided in one or more same languages as your website content.
Notice of Right to Opt Out: A notice that informs consumers of their right to opt out of the sale of their personal information.
Notice of Financial Incentive: A notice that explains each financial incentive, price, or service difference that your company receives in exchange for personal information.
How to Submit a Request for Personal Information Collection and Use: Instructions for individuals to submit a request that you disclose the personal information that you have collected about the individual, including:
Send the content to the team, and if possible, your legal counsel for review.
Determine where the notices appear, how they function (for each visit, at authentication or on click-through), and their position and format in relation to other content.
Pass the approved content to your development team.
Stakeholders: Legal, Administrative Support
Review and if necessary, update all service provider contracts to reflect CCPA requirements.
Stakeholders: Legal, Administrative Support
Use of Personal Information: You must disclose what personal information is collected, and any financial incentives you receive in exchange from the sale of personal information. You must explain how the incentive is allowed under CCPA, and how the value of the personal information is calculated.
Age of Consent: If you collect or use personal information about minors, you may be subject to the following requirements:
Minors < 13: Parental authorization is required for minors under the age of 13 to opt in to the sale of their personal information.
Merchants are prohibited from storing the personal data of children on Commerce platform or systems. If there is reason to believe that collected data belongs to a minor, it must be removed from a Commerce platform immediately to avoid breach of Adobe license terms.
Stakeholders: Customer Service, Administrative Support
For 24 months after each individual rights request is received, maintain a record of the request and your company’s response.