The buzz about the California Consumer Privacy Act (CCPA) is on the rise, and businesses must be informed about the new law and what they need to do to prepare for it. Is it news to you? Don’t worry, you aren’t alone. It was widely believed this bill wouldn’t end up passing, but here we are. The law will go into effect on January 1, 2020. It can affect your business, even if it is not located in California.
Keep in mind that this information is for discussion purposes only. The team at Foremost Media, Inc. are not qualified to provide legal advice of any kind. They are not an authority on the interpretation of the CCPA or any other rule or regulation. To understand how the CCPA or any other law impacts your business, you should seek independent advice or qualified legal counsel.
With the disclaimer out of the way, let’s dive into the details.
What is the California Consumer Privacy Act?
CCPA is a law that applies to businesses that collect personal information or data from California residents. This law gives California consumers the right to:
- Know what personal information is collected.
- Delete personal information collected or held by a business.
- Opt-out of the sale of personal information. This gives consumers the ability to tell a business to stop selling their personal information. Children under the age of 16 must provide opt-in consent, and children under the age of 13 must have a parent or guardian opt-in for them.
- Non-discrimination of price or service when a consumer exercises a privacy right.
Is my business affected by CCPA?
Your business is subject to CCPA if you do business in California and one or more of the following applies:
- Has gross annual revenue in excess of $25 million.
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of annual revenues from selling consumers’ personal information.
What should I do to become CCPA compliant?
Businesses subject to CCPA must:
- Alert consumers at or before data collection. Similar to the GDPR, this often entails a pop-up banner across the website, detailing the information collected.
- Create procedures for consumers to know, delete, or opt-out within a certain time. This includes providing a “Do Not Sell My Info” link on your website or mobile app.
- Verify the identity of consumers that request to know and delete. This includes consumers whether they maintain a password-protected account with your business or not. However, if the business is unable to verify a request, it may deny the request. But they must comply to the greatest extent they can and treat a request to delete as a request to opt-out.
- Disclose financial incentives offered in exchange for personal info and explain how they calculate the value of information. This should include an explanation of how the incentive is permitted under the CCPA.
- Maintain records of requests and how they responded for 24 months to demonstrate compliance. Keep in mind businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations.
Already GDPR Compliant? Here is what you should know:
While the CCPA and GDPR are similar, they are separate legal frameworks with key differences. Even though your business complies with GDPR, you may have additional obligations to be compliant with the CCPA. Beyond the scope and territorial reach differences between the two laws (EU vs. California), the regulated parties are also different, as described above.
Both laws also focus on information relating to an identifiable natural person, but the CCPA also includes information linked at the household or device level.
While both laws require businesses to process requests for disclosure of what information is being collected and why, the CCPA does not provide a right of rectification or a right to restrict or object to processing (other than opting out completely).
For more information on CCPA and compliance, please contact us or visit the California Consumer Privacy Act Fact Sheet here.
*NOTE (edited 12/6/19): We have received many questions regarding the next steps to begin compliance; please read below.
What's My Plan?
Now that you have some background about CCPA, you are probably asking yourself, “What steps do I need to take to make my website compliant?” This article was developed by the team at Foremost Media to help you move towards compliance. NOTE: we are not lawyers or qualified to provide legal advice of any kind. This article is based on our experience, consultations with lawyers for many of our clients, and our industry experience with this issue as well as GDPR compliance with our clients. In short, don’t sue us. We are here to help but can’t guarantee compliance. With that out of the way, here are our suggestions:
Determine if this law even affects you. The law was written for the state of California but if you do business in CA, your business will need to comply if:
- Your company has gross revenues in excess of $25 million dollars.
- Your company buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices. This is a bit gray. We do NOT feel running Adwords or social media advertising qualifies here, as you are not collecting personal information until that user converts to a lead. In other words, just by running paid ads alone you are not collecting personal information. If you are collecting leads from those ads or other sources in excess of 50,000 people from your website or other forms like app registrations etc., or buying lists with personal information for something like email marketing that contains over 50,000 people, then you will need to comply. Does your CRM or email marketing list contain over 50,000 people? If yes, this law affects you.
- Your company derives 50% or more of annual revenues from selling consumers’ personal information. This statement is pretty clear. If you are in the business of selling contact information you need to comply.
If you qualify, we suggest you:
Add a cookie notice to your website. The CCPA requires businesses to provide notice to consumers at or before data collection. The cookie disclaimer pops up and informs users of the fact that you’re tracking them. If you have been through GDPR compliance, your website probably already does this. The notice should contain verbiage similar to this:
- If you don’t intend to ever sell your customers’ personal information, update your policies to state “Any personal information about our customers will never be sold to third parties”.
- If you do intend to sell personal information, provide a "Do Not Sell My Personal Information" ("DNSMPI") link on your homepage and any other pages where you collect personal information. NOTE: this could include your mobile apps or any other software you have that collects personal information.
- Inform users that they have the right to know what data you have about them and refer them to the previously mentioned request form.
- Inform users that you do not discriminate against them if they exercise their right to see, delete or opt out of your data collection activities.
- Inform users they have the right to have you delete any personal information you might have about them.
Create an internal procedure on how to handle requests for data from users. This procedure should include how to respond to requests, a map or inventory of where data is stored, and policies on how to remove the data from your records. This policy should also include maintaining records of requests for up to 24 months after they are received to prove you are compliant. This could be as simple as an online document stored on a server and updated manually when a request is received.
Please contact us with any further questions on this matter or if you are in need of assistance making compliance changes.