Last year, U.S. tech companies spent time making sure their policies and platforms comply with Europe’s GDPR data privacy law. Now, the California Consumer Privacy Act (CCPA) has become the first comprehensive data privacy law in this country.
Coming January 1, 2020, businesses that might service California residents — including mobile apps, software products, bloggers, or e-commerce stores, regardless of their physical location — will be required to comply with the CCPA.
The CCPA addresses the sale of consumer data and restricts how companies can monetize this data. Under the CCPA, a “sale” is defined pretty broadly and could even include a company’s digital marketing activities.
And it’s not a law to ignore: the California Attorney General can levy fines of up to $2500 for each violation per California resident affected ($7500 each for repeat offenders).
Just to put this in perspective, a single incident that affects 1,000 California residents could incur a potential fine of up to $2.5 million — even if it’s a first-time violation. To say the least, non-compliance can be quite costly.
Not based in California? You still have to read this
The CCPA applies to any business doing business in California that collects, or has collected on its behalf, personal information of California residents and that falls into one of the following categories: the business makes over $25 million annually; it receives, buys, shares or sells personal information of 50,000 or more California residents, households or devices; or at least 50 percent of its income comes from selling data of California residents.
The second criterion is the one that will most likely affect non-California small businesses with a significant online presence — for example, e-commerce operations or B2C mobile apps. Under the CCPA, the definition of “personal information” is quite broad — collecting just the IP addresses of California consumers may be enough to cause the CCPA to apply.
Basically, a business could hit the 50,000 threshold by having just 137 Californians visit its website each day for a year.
What the law really says
The fundamental purpose of the CCPA is to give California residents certain rights over their own data, especially when companies gain benefits or make money off that data. Businesses that fall under the CCPA must provide:
- Right to Know and Right of Access: Upon request and for free, a business must disclose to a California resident the categories and specific pieces of data it has collected on the individual, where the data came from, the purpose for collecting the data, and the categories of third parties with whom the business shares the consumer’s data.
- Right of Deletion: Unless an exception applies, a business must delete a California resident’s data when requested by the individual, and instruct its vendors to do the same.
- Right to Opt-out of Data Monetization: California residents can opt out of their data being ‘sold,’ which is defined very broadly under the law and includes the transfer of personal data in any way for monetary gain or any other benefit. A business that ‘sells’ data in this way is required to disclose these practices and have a Do Not Sell My Personal Information button on its website homepage.
- Child Opt-in: Before monetizing personal data of a minor, a business with knowledge of a child’s age is required to get affirmative authorization from minors ages 13 through 16 and from the parents or guardians of those under 13.
- Right to Equal Service: A business cannot discriminate against or penalize consumers who exercised their CCPA rights by denying them services or goods or charging different prices. But, although it seems contradictory, a business can reward consumers who allow their personal data to be used.
- Data Security: Businesses are required to implement and maintain reasonable security practices. Notably, the law now provides California residents a right to sue businesses for data breaches caused by security failures.
So… what does a small biz owner need to do?
The short answer is: a lot. But by breaking it down into small steps and recruiting the help of a legal expert, you should have plenty of time to get everything accomplished within the next three months.
- Know your data landscape: Gain a thorough understanding of all the data you collect, store and transfer, and map the flow of that data throughout your business. Create a data map, inventory and a GDPR-like records of processing document. Also identify the data of California residents, households and devices in your possession.
- Develop a strategy: Determine what updates you need to make to processes and consider how these will affect costs and pricing. Figure out what adjustments you need to make to your digital marketing strategy or website, whether you should implement a California-only website, and whether your cookie policy is CCPA-compliant.
- Develop your processes for providing California rights: Remember, California residents now have a host of rights they can ask for any time. You’ll need to implement a toll-free number and website address for Californians to use.
- Get your documents in order: Update your Privacy Policy and Privacy Notice to reflect CCPA updates. Update vendor contracts as needed. Develop templates for company responses to consumer requests.
- Implement technology: Put the “Do Not Sell My Information” button on your website if required. Implement the technology needed to facilitate compliance.
- Get help before you need it: Seek out a competent data privacy lawyer to address whether the CCPA applies to your company. And then have a gap analysis done which will analyze your current state and provide recommendations on what to do moving forward.
If the CCPA applies to your company, the biggest key is to get started as soon as possible — and that may mean now.
AdoLisa Ezeagu, Esq., CIPP/US is the managing attorney of Ezeagu Law Firm LLC, a boutique data privacy and cyber risk law firm. She helps companies comply with privacy and cybersecurity laws and build legally-defensible programs.
Note: The contents of this article are for informational purposes only and are not intended to be, nor should they be, interpreted as legal advice.