The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. After a six-month enforcement delay, the state of California can officially enforce the law for any non-compliant websites as of July 1st. Civil penalties up to $2,500 for each violation or $7,500 per each intentional violation are possible. As a site owner, you are responsible for ensuring compliance with the key requirements of the CCPA.
To help you learn more about CCPA compliance, we’ve put together this overview article. Please do not confuse us with actual lawyers or treat this as legal advice. We offer this information only to raise your awareness of CCPA compliance. If you have any questions, please contact us.
What is the CCPA?
The California Consumer Privacy Act of 2018 gives California consumers more control over the personal information that businesses collect about them.
The CCPA applies to businesses above certain revenue thresholds and/or those that collect personal information.
Businesses that fall under its purview need to provide consumers specific notices explaining their privacy practices. They must also take certain actions, at the consumer’s request.
You may think of these as GDPR-like rights for consumers in California.
With over 39 million residents, Californians do a lot of business with companies all over the world. Any company that meets the enforcement thresholds should take action to ensure CCPA compliance before it runs afoul of this sweeping new law.
Should You Be Concerned About CCPA Compliance?
The CCPA applies to for-profit businesses around the world that do business with California consumers and meet any of the following criteria:
- have annual gross revenues of $25 million
- buy, sell, receive, or share the personal information of 50,000 or more consumers, households, or devices for commercial purposes
- derive 50% or more of annual revenues from selling consumers’ personal information
Parent companies and subsidiaries sharing the same branding must also comply, even if they themselves don’t exceed the thresholds.
According to the American Bar Association, the courts may decide exactly how the thresholds trigger, though:
At this point, there are some ambiguities as to how the thresholds can be met. For example, a common question is whether the $25 million limit for annual gross revenues is met with California revenue alone or if it is met with global revenue. The answer to this question is unclear and may or may not be resolved before the law goes into effect, meaning that, ultimately, the courts may be the ones to resolve this issue.
CCPA Compliance Is About the Right to Know and the Right to Say No
According to the law, California consumers have the right to:
- know about the personal information a business collects about them and how it is used and shared
- delete personal information collected from them (with some exceptions)
- opt-out of the sale of their personal information
- exercise their CCPA rights without discrimination
The CCPA defines personal information as information that, with respect to a particular consumer or household, can:
- identify them
- relate to them
- describe them
- reasonably be associated with them
- reasonably be linked, directly or indirectly, with the consumer or household
The CCPA protects these rights for California resident consumers, with some exceptions. For example, exceptions exist for personal information collected about a business’s personnel and B2B representatives. These CCPA compliance exceptions are context-dependent.
What Kind of Personal Information?
The CCPA’s list of categories of personal information includes (but is not limited to):
- Name, alias, postal or email address
- Online identifier, account name
- Social Security number, driver’s license number, passport number, etc.
- State ID card number, insurance policy number, education, bank account number, credit card number, debit card number, and other financial information
- Medical information and health insurance information
- Unique personal identifiers (e.g., IP address, cookies, customer number, user alias, telephone numbers, etc.)
- Commercial information (purchase history and “tendencies”)
- Biometric information
- Browsing and search history
- Geolocation data
- Professional or employment-related information
- Education information
How to Respect the Key Rights of Consumers under the CCPA
Although CCPA compliance may feel burdensome at first, put yourself in the shoes of your customers. They just want to know that you’re treating all personal data you collect with the utmost care. When you can prove to them that you are doing just that, they can trust you and recommend you.
Assuming you are a regulated business that collects, uses, discloses, and/or sells personal information, you must be able to tell your consumers:
- what personal information you collect
- from whom and for what purposes
- who you share it with
California consumers can request a copy of the specific pieces of personal information you collect about them. Be prepared to produce this in a readily usable format.
You must delete data collected from a consumer upon request.
CCPA compliance also means you must provide consumers the right to opt out of the sale of their personal data.
Finally, the law prohibits you from discriminating against consumers who opt out. You cannot deny goods or services to someone, or treat them differently, because they exercised their rights under the CCPA.
Why CCPA Compliance Matters For Everybody
Even if your business does not meet the threshold criteria that would make it legally responsible for CCPA compliance, you should act as if it does.
We recommend knowing the California laws and preparing to meet their standards proactively, in the following manner:
- determine if your business meets any of the enforcement thresholds
- bring up to compliance any data collection systems covered by provisions of the CCPA
- update all privacy policies to address CCPA compliance
- reach out to your third-party vendors to ensure they are CCPA compliant, too
- review internal systems to verify you’re following all best practices for data collection
- monitor the safety of all data you collect, and review all security protocols
- consider hiring a consultant to audit how much information your company actually needs to collect, and pare down where possible
Entermedia’s own Ben Marshall published a detailed, step-by-step guide to CCPA website compliance. He also tells you how to deal with CCPA compliance specifically for WordPress and Google Analytics.
We’ll say it again. If you collect user data in any form, you would be wise to follow the CCPA and GDPR standards no matter what. It’s not hard to foresee similar laws showing up in other states and countries in the near future. There’s no harm in getting ahead of the curve.
When you can demonstrate transparency and high standards of professional conduct, you can use that as a competitive advantage in your content marketing.
Creating peace of mind for your customers—as well as yourself—by using the CCPA compliance guidelines as a blueprint for your business’s data collection policy makes smart business sense.