The California Consumer Privacy Act
A look at how the CCPA will affect the legality of your online business.
The California Consumer Privacy Act (CCPA) is a new privacy law in the state of California, enacted on January 1, 2020, that works to protect Californian consumers and their privacy. With growing concerns about consumers’ personal data being sold as a commodity—without their knowledgeable consent—the law comes at a fitting time. Since this law is the first of its kind, business owners must pay special attention to the rules and regulations associated with the CCPA so that their businesses can keep selling to Californians legally.
What are the details of the CCPA?
In short, there are five main rights that the law grants to Californian consumers:
The right to know if personal data is collected or sold, and to whom.
What consumer data is collected.
The right to say no to the collection of personal data.
Access by the consumer to the collected data.
The right to demand the business entity delete all personal data.
No discrimination, through price differences or service quality, on the basis of a consumer using their rights.
What constitutes personal information?
CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
What steps do I need to implement for compliance?
Update privacy notices and policies.
Before or at the point of data collection, businesses must reveal what types of personal information are collected from the consumer, and where that personal information will end up.
There must be a prominent “Do not sell my information” opt-out button on the business’s homepage.
The different categories of private information that are collected must be clearly disclosed to consumers.
Update all privacy policies to include the rights afforded to Californians under the CCPA. See the five rights listed above.
Ensure that data inventory systems are aligned with the CCPA protocol.
This includes defining the selling company’s record systems and ensuring the system’s security.
Offer a toll-free number or website email address where customers can voice their concerns and request more information about their personal data collection.
The business must make available to consumers at least two designated methods for submitting requests for information, including, at a minimum, a toll-free telephone number and, if the business has a website, a website address. Businesses must respond to all requests within 45 days.
Businesses must also document all requests for information and train employees who handle this information on updated safety and privacy protocols.
Who must comply with the CCPA?
Any business that collects personal data on its consumers, does business in California, and meets at least one of the following qualifications:
Has annual gross revenues in excess of $25 million;
Buys or sells the personal information of 50,000 or more consumers or households; or
Earns more than half of its annual revenue from selling consumers' personal information.
Though the CCPA may not specifically apply to your business yet, some businesses are offering all U.S. consumers the same data access request, deletion, and opt-out rights because it is easier to implement widespread change to all consumers. By implementing these changes in 2020, you are setting your current business up for future success.