July 24, 2019
The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. Here’s what you need to know.
On the surface, the CCPA is similar to the EU’s General Data Protection Regulation (a.k.a. GDPR). The CCPA is legislation created and enforced by the State of California. Its focus is to provide protections for California residents, but its reach goes well beyond the state’s borders.
The CCPA was introduced on January 3rd, 2018 and signed into law on June 28th of that year. The impetus for the bill was a string of high profile tech scandals involving the sale and/or mismanagement of user data – most notably the Cambridge Analytica incident. The goal of the bill is to provide California residents with more transparency regarding what personal data businesses are collecting and how those data are being used.
Under the CCPA, California residents will have the power to:
- Know if their personal information is being collected and/or sold
- Access their data and know who it is being sold to
- Opt-out of having their personal information sold
- Sue companies after a data breach involving their data.
DOES THE CCPA APPLY TO MY BUSINESS WEBSITE?
As a state law, the CCPA’s benefits are afforded only to California residents. However, the restrictions of the law apply to any entity conducting business online in California.
A business must be compliant with the CCPA if it collects personal information about California residents and has any one of the following traits:
- Exceeds $25,000,000 in annual gross revenue
- Obtains the personal information of 50,000 or more Californians per year
- Makes at least 50% of annual revenue from selling Californians’ personal information.
If a business does not satisfy at least one of these three traits, it is not required to be CCPA compliant, even if it is collecting data on California consumers.
THREE POSSIBLE CCPA SCENARIOS
Here are three scenarios that demonstrate different use cases:
- A California resident accesses an online store while traveling abroad.
  - As long as the consumer is a legal resident domiciled in California, the CCPA applies, even if they’re physically out of the state.
- A California resident signs up for a newsletter generated by a news group headquartered in New Hampshire.
  - Even though the group is based in a different state, they are still serving a California resident (and collecting their email address).
- A California resident logs into a medical provider’s online portal to update her health statistics.
  - One of the exceptions to CCPA compliance is medical data held by groups which are already HIPAA compliant.
HOW TO COMPLY WITH THE CCPA
Here are our top suggestions for complying with the CCPA.
“Do Not Sell” Link
Facilitate User Requests
Establish A System To Meet Requests
Consumer requests pertaining to data usage need to be honored. Put these systems and protocols in place at your company. Note that getting companies to put these procedures in place is the true purpose of CCPA and that setup will likely be where you spend the most time.
For example, you will need to consider and be able to answer questions like:
- When a consumer uses your toll-free number to opt-out of having their data sold, how do you ensure that these requests are processed and followed through at your organization?
- How do you maintain records of where you have sold data collected through your website?
- Where is your data stored and how will you be notified of a data breach, should one occur?
Satisfying consumer data requests also requires a protocol for verifying the consumer’s identity. If the personal information you’ve collected is an email address, one verification option is to have the user send a message from the address in question.
If the user created an account on your site, logging in with their account password may also count as verification. Further examples and specifics are said to be forthcoming from the California Attorney General before the legislation goes into effect.
Allow Users To Opt-Out
While the EU’s GDPR legislation is centered on the principle that users must opt in to the collection and sale of their personal information, the CCPA operates from an opt-out-of-sale perspective for most consumer demographics.
This means that users only need to be given a clear choice to opt out of the sale of their data before or at the time of sale. Collection and sale of most consumers’ personal information can be done without the prior affirmative consent which GDPR requires.
The CCPA does, however, require the affirmative consent of two specific age groups:
- Consumers aged 13 years or younger must provide affirmative consent via their parent/guardian before your business shares their data.
- Consumers aged 13 to 16 years old must also provide affirmative consent prior to the sale of their data but, unlike the younger group, they can do so on their own behalf.
FINAL THOUGHTS AND ADVICE
If your business falls under the CCPA, the time to work on complying is now. Meeting the CCPA requirements will take some time as you revise and adapt your existing data management, storage, and sharing practices.
Even if your business is not subject to the CCPA requirements, we strongly recommend taking the requirements to heart and taking some steps toward compliance. The CCPA is part of a broad trend toward stronger consumer data protection. Taking a more proactive approach now could save you time and effort later on. Your current customers will also appreciate the measures you take as they become more aware of consumer data best practices.
If you’re curious about how the CCPA relates to your business website and how you can begin working towards compliance, reach out to your Tenrec account manager or firstname.lastname@example.org / (888) 983-6732.
We’ll help you better understand what data and processes you already have in place, or need, so that your team can move forward better informed about the road ahead.