We’re barely into the new year and it’s already time to start thinking about the latest in online privacy. It should come as no surprise, since online privacy issues (such as GDPR in the EU) have been growing in recent years. Here’s a quick recap of all you need to know.
What is CCPA?
It stands for California Consumer Privacy Act and is intended to improve privacy rights for residents of California and force companies to be more transparent about the personally identifiable information (PII) they collect and sell.
Is CCPA just for Californians?
The statute was passed by the California State Legislature and is intended for California residents. However, it applies to any company that does business in the state of California, if at least one of the following is true:
- The business earns more than $25 million annually.
- The business buys or sells the personal information of at least 50,000 people/households.
- More than half of their annual revenue comes from selling personal information.
Note that a business does not need a physical presence in California to be covered by this act; for example, if it buys or sells the personal information of at least 50,000 California residents, it must comply.
It is estimated that the CCPA will only apply to about 500,000 businesses across the U.S. Considering the U.S. has more than 32 million businesses, it’s likely yours won’t be affected. But it’s still probably worth taking the time to update your privacy policy to be more transparent. Other states will certainly follow in California’s footsteps, and you would already be ahead of the curve.
What do I need to do to comply?
For all businesses, it’s a good idea to update your privacy policy to mention all the personally identifiable information you collect on your users, and which parts of that data—if any—you sell to third parties. You must also provide a way for your customers and website visitors to contact you so that they can request to see the information you have on them and any data you’ve sold to third parties. And you must be able to, upon the person’s request, delete their data and stop selling that data to third parties.
For businesses that the CCPA affects, there are a few additional requirements (noted in the “Responsibility and accountability” section of this article) that you’ll need to implement:
- Ask for parental or guardian consent for children under age 13
- Ask for consent of children age 13 to 16
- Have a link on your home page directing people to a page where they can opt out of having their information sold to third parties
- Have a way for people to request to see which data you have on them
- Update your privacy policy with the required information, ideally with a separate section on the rights of California residents
- Be sure you do not request opt-in consent from anyone for a period of 12 months after they opt out
What happens if I don’t comply?
You could be subject to a hefty fine ($7,500 for each intentional infraction and $2,500 for each unintentional one), though enforcement isn’t likely to start until July 2020, and even then it will be somewhat tricky to enforce.
However, as regulations like this become more prevalent, you don’t want to be the only company still being opaque about what you’re doing with your consumers’ data. Being more transparent with your customers builds trust, which is a great long-term strategy for your business.
OK, so what do you recommend I do?
If you do a lot of business with California residents, it’s worth discussing the implications of CCPA on your business with a legal expert. Otherwise, you’re probably safe to update your privacy policy and provide a way for your customers to request their data, which will put you ahead of the curve and into your customers’ good graces. After making any updates to your privacy policy and/or website for CCPA, it could be a good idea to send an email to your clients to let them know of the changes.
Just a friendly caveat that we’re not lawyers, we’re web developers! If you need help updating your website to comply with CCPA, we can lend a hand. We’re also available to talk through the potential implications of CCPA on your business. But for strictly legal advice, we recommend speaking with a lawyer, particularly one familiar with digital privacy regulations. And remember: This is a relatively new regulation that’s likely to change a few times as California irons out the details, so be sure to check back for updates.