Starting January 1st, 2020, businesses transacting with California residents need to ensure their data collection practices comply with the CCPA (California Consumer Privacy Act). You may be asking, “What does the CCPA mean for my business?” And, more importantly, “How do I make sure that my communications and digital interactions with individuals in California are legal?” Cookie Script, the company behind the popular cookie privacy compliance tool, has put together this helpful guide that will answer everything you need to know about the CCPA and how it will impact your business.
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act was passed by the California State Legislature in June of 2018. But, this landmark legislation doesn’t start to come into effect until January 1st, 2020. Officially known as California Statute AB-375, this law is designed to protect the privacy rights of California residents. Beyond the penalties, many companies worry about fulfilling the various nuances of the new law. But, you do have some breathing room… at least for a short while.
Full Enforcement Begins July 1, 2020
You've most likely heard the January 1st, 2020 deadline repeated over and over. If you're racing to meet this deadline, here's some good news: this deadline only applies to the security aspects of the law, such as a data breach or unlawful transfer of consumer information.
The current deadline for enforcement on all facets of the law is slated to begin on July 1st, 2020. After this date, all commercial entities can be penalized for any privacy encroachment — not only those tied to personal damages. According to the National Law Review, this gap between the law’s implementation and the date of its enforcement is to give California’s Attorney General time to work out all the regulatory nuances found within the CCPA. In effect, all sides are scrambling to ensure they are compliant.
Keep reading to see if your business is affected by the passage of this legislation.
CCPA Applies to Your Business in These Instances
The CCPA is designed to shield consumers from the most aggressive forms of data mining operations. Even if your business does not fall under the descriptions listed below, all businesses should be aware of this law’s implications.
Do any of these descriptions fit your business?
• Sales of consumer data account for 50% (or more) of annual revenue. If the sale of personal consumer data accounts for 50% or more of your business’ annual revenue, then the CCPA applies to your business — regardless of total revenue.
• Your business has total revenues of over $25 million. If your business has an annual revenue of $25 million or greater, then your business practices will fall under the scope of CCPA rules — even if the sale, receipt, or purchasing of personal information is only a small percentage of your business’ total revenues or business activities.
• Your organization sells, rents, receives, or purchases consumer information on 50,000 (or more) individuals. If you buy, sell, or receive the personal consumer details of 50,000 or more individuals, devices, or households within a given calendar year (365 days), then the CCPA applies to you.
If you do any kind of business with residents of California, the CCPA will have a significant effect on how you collect, use, and store consumer data. To learn more about the CCPA and how it applies to your business transactions, read the full text of the California Consumer Privacy Act on the California Legislative Information website.
What does the law mean by "collecting data"?
The law gives a broad definition of what it means to collect information. "Collecting" can mean information that is freely received, rented, accessed, obtained, gathered, purchased, or derived in any manner.
What does the law mean by "commercial purposes"?
This is an area of the law that is broadly defined. But, in a general sense, "commercial purposes" can mean any type of activity with a commercial component, such as the purchase, rental, lease, sale, or exchange of any type of good or service.
What are the penalties for non-compliance?
Security incidents where a California resident's personal data is intentionally (or unintentionally) sold, purchased, or transferred without their consent can lead to damages ranging from $100 to $750 per incident. To put that into perspective, revealing the personal consumer information of 15,000 California residents may lead to a minimum fine of $1.5 million, but damages can far exceed this amount.
Informing Consumers of their Rights Under CCPA
Part of a business’s compliance requirements involves informing consumers of their rights under the CCPA. This means disclosing the following pieces of information to online and offline consumers:
• What information is collected? CCPA rules mandate that businesses must disclose what personal information is collected.
• Whether information is sold. If your business sells personal information on consumers, you must disclose this fact and state to whom you are selling their personal details.
• How to opt out. California residents have the option to opt out of having their information sold to third parties. Clear directions must be provided on how consumers can do this. On your business website's home page, you must provide a conspicuous and clear link that reads "Do Not Sell My Personal Information." This link should bring a person to a page that allows them to opt out of having their personal information sold. According to the law, registration on the website cannot be used as a prerequisite for opting out.
• Be mindful of consumers' age. The CCPA offers extended protection for consumers under the age of 16. If a business knowingly collects information regarding a consumer’s age, the commercial entity is prohibited from selling that person's information without express consent from the individual or the individual’s parent or legal guardian.
Right to Equal Prices and Service Quality
One little-discussed aspect of the CCPA is that businesses are barred from offering products or services at a different rate as a condition of opting in (or opting out) of consumer privacy agreements. Similarly, businesses are barred from incentivizing the act of opting into consumer privacy agreements.
Respecting a Consumer's Right to Opt-Out
If a consumer decides to opt out of having their personal information sold, commercial entities must wait 12 months before asking the consumer to consider opting back in to having their information sold or given to a third party.
How to Ensure Your Business is Compliant
Enacting sweeping changes in any organization is difficult. The best way to ensure your company is CCPA-compliant (in the little time available) is to split compliance initiatives into smaller parts. This can include any of the following:
• Create a data inventory. Start off by creating an inventory of what personal information you have collected on consumers. Examine the last year of your business' data activities, and especially how you use the data you collect. After conducting an inventory of the consumer data held by your organization (and the data you share with third parties and vendors), implement a system that allows specific data sets to be immediately and securely purged. This system should support timely batch deletions as well as deletion requests from individual consumers.
During this inventory, companies should note how and why the personal information was collected, how the data was used, and with whom it was shared or to whom it was sold. This also means taking stock of so-called "offline" data, which might include personal details collected in person.
• Train your employees. Take time to train employees and incentivize compliance.
• Consider blanket protections. Depending on your type of business, it may be easier to implement CCPA-like protections for all consumers handled by your business or organization, regardless of their residency status. This may also help your staff avoid confusion and better prepare them for the inevitability of other states enacting similar consumer protection laws.
Responding to Consumer Requests
As outlined in the CCPA, California residents have the right to request a detailed account of what information companies have collected on them over the span of the last 12 months. This means, starting January 1st, 2020, your organization should be prepared to fulfill these types of requests.
Don’t Miss These Oft-Overlooked Parts of the Act
Seemingly mundane pieces of information — such as geolocation data (an individual's address), personal property records, etc. — are subject to the rules contained in the CCPA. A few examples of consumer data that companies collect without giving a second thought include:
• Purchases of services and/or products
• Biometric information
• Personal property records
• …and others
What counts as biometric information? While this section doesn't apply to most businesses, the CCPA also provides protections for individuals' biometric information. Biometric information can include data derived from fingerprints, retina scans, voice recordings (voiceprints), or any other biometric data that is unique to an individual.
Need Help Staying CCPA-Compliant?
Cookie Script is a website tool that automatically categorizes and adds descriptions to all of your website’s cookies. This tool allows you to track the full history of user consents and lets users withdraw consent at any time, making it compliant with CCPA and GDPR rules. You can also choose to use only those cookies that are strictly necessary for your website to function properly.