If GDPR didn’t give you enough headaches, get ready to reach for the painkillers. The California Consumer Privacy Act (CCPA) is here.
It’s commonly referred to as “California’s GDPR,” and while the two regulations are alike in spirit, there are some key differences.
Read on to find out what the law covers and what you need to do to get prepared for it.
What Does the CCPA Cover?
Basically, the law grants California residents these rights:
- To know which personal information is collected, used, shared or sold, in terms of categories and specific pieces of personal information.
- To delete personal information held by businesses and their service providers.
- To opt-out of the sale of their personal information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
- To non-discrimination in terms of price or service when a consumer exercises their privacy rights under CCPA – basically, they should receive the same service or product from your business whether they exercise these rights or not.
The law went into effect on January 1, 2020. It becomes enforceable beginning on July 1, 2020.
Who Does the CCPA Apply To?
Unlike GDPR, CCPA doesn’t apply to everyone. A business has to meet one of these criteria:
- Gross annual revenues in excess of $25 million
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of annual revenues from selling consumers’ personal information
With that being said, even small businesses should work towards compliance. Ideally, your business will grow to meet these thresholds.
There’s one more stipulation to look out for: businesses that handle the personal information of more than 4 million consumers will have additional obligations.
The regulators are still working out the kinks on that, so stay tuned.
You must provide notice before or at the point where you collect data.
You need to do two things to meet this requirement.
First, you need to use a banner or notice when users come to your site.
The banner or notice must disclose the categories of personal information you’re collecting and why you’re collecting it.
The transparency requirements also say you need to make some updates to your privacy notice. It must include the categories of personal information you collect and the users’ rights.
This information must be in an easily readable format, and you need to update it at least every 12 months.
More than likely, you already have these mechanisms, or something similar, in place.
This next part is where it gets a little bit more difficult.
Get Prepared for Users to Exercise Their Rights
You also have to create ways for your users to know what information you have about them, opt out of having their data sold, and request that their data be deleted.
Here’s a high-level overview of how to meet those requirements:
User’s Right to Know
When a user requests to know what data you have on them, you must respond within 45 days of their request. The response should cover the 12-month period prior to when the request was made.
Remember, this will be enforceable starting on July 1, 2020. So if a user makes a request on July 2, 2020, you need to be prepared to respond with information going back to July 2019.
The data you provide them with must be in a format that is readily usable and can be transferred to another entity.
It should contain:
- Categories of personal information you have collected.
- Specific pieces of personal information you have collected.
- Categories of sources from which the information is collected.
- Business or commercial purpose for collecting the information.
- Categories of third parties with which the information is shared.
User’s Right to Opt-Out
You must provide consumers with explicit notice and a chance to opt-out before you sell their data.
Unlike GDPR, users are opting out of having their information sold, not collected.
You need mechanisms in place to remove a user’s information from the data being sold to third parties. If that isn’t feasible, you need a way to stop collecting their information altogether.
You also need a data governance policy.
It should include all of your data collection points, a full inventory of your technology stack, a map of your data flow, and a list of approved vendors and whether they’re vetted for compliance.
User’s Right to Delete Personal Information
Users can also request that you delete their information.
You must have a “Do Not Sell My Info” link somewhere on your website. This extends to third parties who may also have access to your users’ data.
You are responsible for deleting the information and getting the data deleted from third-party platforms. This will affect email marketing campaigns.
Verifying User Requests
Any of these requests must be verifiable, meaning you must be able to confirm the identity of the person making the request.
It doesn’t matter whether their account is password protected.
The law provides you with some safeguards here so that you aren’t burdened by unreasonable requests.
What’s the Cost of Failing to Comply?
There are penalties for failure to comply.
Unintentional violators face a $2,500 fine, while intentional violators will have to cough up $7,500.
And of course, individual users can file a private action against businesses that they feel aren’t complying with the law.
What Should You Do Now?
First, make sure you can answer these questions:
- Where is data collected on your website?
- Which digital platforms are loading on your website?
- Which data is being collected?
- Is any of it considered “personal information”? If so, you need to know which categories it falls into, why you’re collecting it, and who you’re sharing it with.
- Have you met the disclosure requirements on your home page and privacy notice?
- Is the ability to opt-out easy to see and use?
Next, get ready for users to begin exercising the rights the law affords them.
Finally, stay up to date. There are still some clarifications that need to be addressed.
Depending on the final decision, you may have to:
- Maintain records of users’ requests to delete and opt out, as well as your responses, for 24 months.
- Disclose any financial incentives that you’re offered in exchange for retaining or selling personal data.
- Show how the value of that data is calculated.
- Treat user-enabled privacy settings as a validly-submitted opt-out request.
Be on the lookout for the legislators’ final ruling on these requirements. And start getting ready for them, just in case they go into effect.
Featured & In-Post Images: Created by author, January 2020