Since the General Data Protection Regulation (GDPR) took effect in Europe in May 2018, the spotlight has remained firmly focused on personal information and privacy online. A growing number of US states are trying to pass bills to protect consumer data, and California is the first to enact a comprehensive law of its own governing the personal information that businesses collect online.
What Exactly Is the CCPA?
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018 and went into effect on January 1, 2020. Its main purpose is to protect the personal information that businesses collect from California residents.
The CCPA establishes new privacy rights for California consumers, giving residents of California the right to:
- Know what personal information is collected, used, shared, or sold, and to whom
- Opt out of the sale of their personal information
- Have a business delete the personal information it holds about them, and direct its service providers to do the same
- Equal service and pricing, with no discrimination for exercising their CCPA rights
Unlike the GDPR, the CCPA does not require a consumer's consent to collect personal information. Its consent requirement applies to the sale of that information, and only for minors: a business may not sell the personal information of a consumer under 16 unless that consumer has affirmatively opted in, and for children under 13 a parent or guardian must provide the opt-in consent.
Will Your Business Be Affected By the CCPA?
If your for-profit business does business in California, collects and processes the personal information of California residents, and meets one or more of the following thresholds, the CCPA applies to you:
- Your gross annual revenue is $25 million or more
- You annually buy, receive, sell, or share the personal information of 50,000 or more California consumers, households, or devices
- You derive 50% or more of your annual revenue from selling California residents' personal information
You might assume that only large companies reach those numbers and that the CCPA is not your problem. But if you act as a vendor or service provider to a company that is covered, your contract with that company can require you to meet CCPA obligations as well.
What Could Happen If You Fail to Comply with the CCPA?
If you are found to be non-compliant with the CCPA, the California Attorney General can bring a civil action seeking penalties of up to $2,500 per violation, or up to $7,500 per violation if the violation is intentional. Because penalties are assessed per violation, the numbers add up quickly: if ten website visitors from California were affected and you had addressed none of the CCPA's requirements, intentional violations could be assessed at $75,000. Under the law as enacted, the Attorney General must first notify the business of the alleged violation and give it 30 days to cure it before seeking penalties.
How Do You Make Your Website CCPA Compliant?
The CCPA sets clear requirements for businesses that fall under it. They include:
- Updating Your Privacy Policy: Describe what categories of personal information you collect, how you collect it, and why. Start by compiling an inventory of the types of personal information you collect, the sources and methods you use to collect it, and the purposes you use it for.
- Providing a Privacy Notice: Add a notice for consumers at or before the point of collection. It should tell the consumer, in a short and concise description, which categories of personal information will be collected and for what purposes.
- Providing a "Do Not Sell My Personal Information" Link: Put a clear and conspicuous link titled "Do Not Sell My Personal Information" on your website or mobile app that takes consumers to a page where they can opt out of the sale of their personal information. Include the same link in your privacy policy.
- Detailing Your Third-Party Sharing: Your privacy policy must disclose whether you share or sell personal information with vendors or other third parties, and which categories of information are involved. If you sell personal information, the disclosure must also include the link consumers can use to opt out.
- Allowing User Access to Data: Update your privacy policy to explain how consumers can request access to, correct, or delete their personal information, and respond to those requests within the 45-day window the law sets. You also need a method of verifying the identity of the consumer making the request, so that personal information is not disclosed to or deleted at the request of an impostor.
- Obtaining Consent from Minors: Obtain affirmative opt-in consent from minors aged 13 to 16 before selling their personal information. For children under 13, obtain prior consent from a parent or guardian.
- Maintaining Records of Requests and Responses for 24 Months: Keep records of consumer requests and how you responded to them for at least 24 months. Businesses that annually collect, buy, or sell the personal information of 4 million or more California consumers are subject to additional record-keeping (compiling metrics on those requests) and staff training obligations.
The key to complying with the CCPA is knowing exactly what types of personal information you collect, how you collect it, and what you do with it afterwards. Once you have that inventory, the emphasis shifts to informing the consumer. The final piece is giving the consumer the means to access and control their personal information.
Although the CCPA took effect on January 1, 2020, the California Attorney General cannot bring an enforcement action under the law until July 1, 2020. That gives you a few months to bring your website and business practices into compliance with the new legislation.
Looking for more detailed information about the CCPA? Head to the California Office of the Attorney General website.
Disclaimer: This article is intended for information purposes only as an introduction to the new CCPA legislation. It is not legal advice.