CCPA / CPRA for merch programs touching California residents

If your merch program processes the personal data of California residents and your business meets the CCPA thresholds, you are subject to CCPA + CPRA obligations.

Jurisdiction: California, United States  ·  Code: Cal. Civ. Code 1798.100 et seq.

What is required

  • Notice at collection: explicit categories and purposes
  • Right-to-know, right-to-delete, right-to-correct, right-to-opt-out responses within 45 days
  • Do Not Sell or Share My Personal Information link in footer
  • Limit-Use-of-Sensitive-Personal-Information mechanism for sensitive categories
  • Service Provider / Contractor agreement with every supplier processing PI
  • Data Protection Assessment for high-risk processing under CPRA
  • Annual cybersecurity audit for businesses meeting the threshold
  • Children-under-16 opt-in (parent consent for under-13)

How this affects merch programs

  • Welcome kits and event merch sign-ups now treated as PI processing
  • Suppliers must be Service Providers (or Contractors) by signed agreement
  • Cross-context behavioural ad use of merch-recipient data triggers sale-or-share opt-out
  • Sensitive PI (precise geolocation, race, religion) needs limit-use mechanism
  • Data-subject deletion requests must propagate to all merch sub-processors
  • Recipient list shared with shipping carrier needs Service Provider agreement

Documentation package: what suppliers must provide

  1. Service Provider Agreement (CCPA / CPRA-compliant)
  2. Notice at collection language (recipient-form copy)
  3. Privacy policy with required disclosures per Cal. Civ. Code 1798.130
  4. Data inventory map per processing purpose
  5. DPA addendum identifying CCPA roles
  6. Cybersecurity audit report (if threshold met)
  7. DPIA / risk assessment for sensitive PI processing
  8. Verified data-subject request workflow log

Decision tree: when does this framework apply?

  • Annual gross revenue > USD 25M, or PI of 100 000+ CA residents, or 50%+ of revenue from selling PI? CCPA applies
  • Are you a business under CCPA? Drives obligations
  • Is data shared for cross-context ads? Opt-out + Do Not Sell or Share link
  • Is sensitive PI processed for non-essential purposes? Limit-use needed

Penalties for violations

  • USD 2 500 per unintentional violation, USD 7 500 per intentional violation or violation involving minors' data
  • Private right of action for breaches (USD 100-750 per consumer per incident)
  • California Privacy Protection Agency (CPPA) enforcement actions
  • Cease-and-desist + injunctive relief

How we help

  • CCPA / CPRA-compliant Service Provider Agreement pre-signed
  • Recipient deletion workflow with 45-day SLA + cascade to sub-processors
  • Privacy-policy language aligned to merch-data processing
  • California-resident segregation in our processing systems
  • Sensitive-PI minimisation in standard recipient forms
  • Annual cybersecurity audit shared if you meet the threshold

Frequently asked questions

Are we a business under CCPA?

If you meet revenue, volume, or sale-of-PI thresholds and process CA-resident PI, yes.

Do recipient lists count as PI?

Yes: name + address + email + employer = PI under CCPA Cal. Civ. Code 1798.140(v).

Service Provider vs Contractor?

Service Provider receives PI for a business purpose; Contractor is a similar role under CPRA: both require contract terms in 1798.140.

Do we need a Do Not Sell or Share link?

If you sell or share PI for cross-context behavioural ads: yes; otherwise the link is still recommended.

Children under 16?

Opt-in is required for sale/share for under-16s; parental consent is required for under-13s.

Talk to a compliance specialist

Email compliance@merch.am with your specific scope and target jurisdictions. We respond within 1 business day with the relevant documentation packet and a no-obligation gap analysis.