What Is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a new law giving California residents greater control over their personal data being collected and sold.
Businesses will soon feel the heat from the CCPA. While this privacy law was signed in 2018, enforcement begins January 1, 2020.
The CCPA amends a 1972 California privacy law to include digital data. It’s the first digital privacy law of its kind and a hint at a global trend in data privacy. It’s likely this law will be replicated in more states and more areas, so getting prepared now is the way to go.
This is especially important because a recent survey found that nearly half (44 percent) of businesses felt they were not prepared.
What Does the CCPA Mean for My Business?
We live in a world where anyone from anywhere can access the internet. In fact, last year was the first time that over half the world population was online.
So, while you might not:
- do business in California
- know anyone in California
… you still might need to be prepared for the CCPA to affect your business’s website as customers from California can still find your site, use it and require protection under the law.
Your business needs to comply if it meets both of the following:
- It is a business with customers in California, and
- It meets one or more of the following:
  - annual gross revenue exceeds $25 million
  - annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices
  - derives 50 percent or more of its annual revenues from selling consumers’ personal information
For businesses that fall under these categories, there’s good news. First, the CCPA is an opt-out model: consumers have to opt out, so you don’t need to remove data collection from your site entirely.
Second, if you’ve already prepared for the EU’s General Data Protection Regulation (GDPR), you’re on your way to having a CCPA-compliant website.
What Does the CCPA Do?
According to the law’s website, the CCPA is designed to help consumers in three ways:
1. The CCPA wants to help consumers know what information businesses have collected on them.
Upon request, companies must provide California customers with the information collected on them and comply with their wishes if they no longer want that business to have their information. This means businesses will have to erase the consumer’s information entirely.
It also allows consumers to gain access to the type of personal information the business is selling, and who the business has sold it to, if anyone. (Businesses are only required to disclose this information up to twice a year.)
2. The CCPA will require businesses to not discriminate against a consumer who doesn’t want their information sold.
If a consumer opts out of their information being sold to outside parties, a business can’t charge more for services, withhold services or change the quality of services a consumer receives.
Additionally, it will require a link, displayed clearly, at the bottom of the page that allows a consumer to opt-out of their data being sold.
3. The CCPA increases fines and penalties for companies violating current laws meant to protect consumers’ privacy.
It is current California law to implement “reasonable security measures” to safeguard consumer data, but the CCPA increases fines in an effort to strengthen the current law.
Businesses will face fines up to $7,500 for each infraction.
What’s the Difference Between the CCPA and the GDPR?
The ideas behind the GDPR and CCPA are the same — protect user data and privacy. However, there are some key differences:
The businesses that need to comply:
- GDPR: any business that collects or processes the data of EU residents or citizens.
- CCPA: businesses that meet the requirements to be a business under the law.
The penalties for non-compliance:
- GDPR: 20 percent of the business’s annual gross revenue, or 20 million euros
- CCPA: $7,500 for each infraction, no cap
The rights given to consumers:
- GDPR: access to data, erasure of data, restriction of processing
- CCPA: access to data, knowledge of sale, objection to sale, erasure, equal treatment
The consent businesses need to collect from users:
- GDPR: need to obtain permission to collect data
- CCPA: users over age 16 have to opt out, and you need to obtain permission to sell the data of anyone under 16 years old.
CCPA Compliance for Your Website
Knowing all of this, what can you do to make your website CCPA-compliant?
“Provide a clear and conspicuous link on the business’s internet homepage, titled ‘Do Not Sell My Personal Information’ to a web page that enables a consumer or a person authorized by the consumer to opt out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.”
(California Consumer Privacy Act)
These two things alone, the clearly displayed “Do Not Sell My Personal Information” link and an opt-out page that does not require an account, should set you up for CCPA compliance success.
Additional CCPA Compliance
To make sure everyone in your organization is on-board with CCPA compliance, use the following guideline:
- Make sure everyone on your team knows about the law and the effect it will have on data collection. Everyone who handles customer data should know what to do and what not to do with it.
- When someone opts out of having their data sold … don’t sell it. (This should be a no-brainer.)
- When a user opts out of their data being sold, don’t ask them if you can sell it again for 12 months.
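To show how the opt-out page behind the “Do Not Sell My Personal Information” link and the 12-month no-re-asking rule translate into code, here is an added example. It is not code from Oneupweb or from the CCPA itself; the function names, the in-memory preference store and the constructed consumer identifiers are assumptions made for illustration. The key idea is that every code path that would sell personal information checks the stored preference first, and that the re-prompt logic is keyed to the date of the opt-out.

```javascript
// Added example (not the post's or any vendor's code). Opt-out bookkeeping for a
// "Do Not Sell My Personal Information" flow. The store below is an in-memory
// stand-in; in a browser you would persist the record in localStorage or a cookie,
// and on a server in the consumer's account record. No account is required to opt
// out: the consumerId can be any opaque identifier the site already holds.
const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000; // approximate 12-month window

// Constructed preference store keyed by an opaque consumer identifier.
function createPreferenceStore() {
  const records = new Map();
  return {
    // Called from the opt-out page reached via the footer link.
    recordOptOut(consumerId, now = Date.now()) {
      records.set(consumerId, { optedOut: true, optedOutAt: now, optedInAt: null });
    },
    // Explicit permission, needed before selling data of anyone under 16.
    recordOptIn(consumerId, now = Date.now()) {
      records.set(consumerId, { optedOut: false, optedOutAt: null, optedInAt: now });
    },
    get(consumerId) {
      // Default for an unknown consumer: no opt-out on file, no explicit opt-in either.
      return records.get(consumerId) || { optedOut: false, optedOutAt: null, optedInAt: null };
    },
  };
}

// Gate every "sale" code path on the stored preference. The default is "allowed",
// which is the opt-out model the post describes for adult consumers.
function maySellPersonalInfo(store, consumerId) {
  return !store.get(consumerId).optedOut;
}

// The post's guideline: after an opt-out, do not ask to sell again for 12 months.
function mayAskToReoptIn(store, consumerId, now = Date.now()) {
  const rec = store.get(consumerId);
  if (!rec.optedOut) return true; // never opted out, or later opted back in
  return now - rec.optedOutAt >= TWELVE_MONTHS_MS;
}

// Under-16 consumers require recorded permission before any sale; adults fall back
// to the opt-out check above.
function maySellMinorInfo(store, consumerId, ageYears) {
  if (ageYears < 16) {
    const rec = store.get(consumerId);
    return rec.optedInAt != null && !rec.optedOut;
  }
  return maySellPersonalInfo(store, consumerId);
}
```

A usage pattern would be to call `recordOptOut` from the handler behind the opt-out page and `maySellPersonalInfo` (or `maySellMinorInfo`) immediately before any export to a data buyer or advertising partner, so the preference is enforced at the point of sale rather than only in the UI.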
Trust Oneupweb with CCPA, GDPR and Everything In-between
While the information here shouldn’t be taken as legal advice for dealing with the CCPA, it should give you a good jumping-off point to move forward with compliance.
It’s likely more states will soon follow California and pass digital privacy laws of their own. Even if you don’t think you’ll be affected specifically by the CCPA, changes you make now will set you up for success down the road, avoiding future penalties and better serving your customers, who will increasingly prefer to do business with sites that allow them to protect their privacy and reduce the spam they see in their inbox.