On January 1, 2020, the California Consumer Privacy Act (CCPA) will go into effect to provide California residents with more control over their personal data. Additional U.S. state or federal privacy laws are almost sure to follow.
The law impacts how data is collected on your website. It also requires that business practices are put in place to allow consumers to request data you are keeping on them, and transmit that data to them in a secure and timely fashion upon request.
This is similar to the GDPR legislation enacted in the EU last year. However, being GDPR compliant does not mean you're also CCPA compliant.
Who the law impacts (today):
- All for-profit businesses that collect personal information from California residents.
And at least one of these:
- Annual gross revenue in excess of $25 million.
- Buy or receive for commercial purposes, or sell or share for commercial purposes, the personal information of 50,000 or more California residents, households, or devices each year.
- Make 50 percent or more of annual revenue from selling California residents’ personal information.
What the law requires:
The California law states that consumers have several rights when it comes to their personal data.
1. Right to Know
- What information is collected about them (for example: newsletter or targeting).
- The purpose for the information collected or sold.
- Who the information was sold to (if applicable).
Consumers should be able to request this information by both a toll-free phone number and a website. The business has to verify the requestor's identity and then deliver 12 months' worth of collected data within 45 days of the request, for free. If this is not possible, the business must explain to the consumer why it cannot comply and explain that the consumer may appeal the decision.
2. Right to Delete
Consumers can request the deletion of their personal information. A business must verify the requestor's identity, then comply within 45 days. There are certain exceptions listed for the retention of the data.
3. Right to Opt-Out of Sale
Consumers can opt out of their personal information being sold. "Sold" is defined broadly.
4. Right to Non-Discrimination
A consumer cannot be discriminated against because they have exercised any of their rights under the CCPA.
- Point of collection. A business must inform consumers at or before the point of collection of data. This includes disclosing the categories of data collected and how it is used.
- Training. All individuals responsible for handling consumer requests must be informed of the CCPA and how to direct customers to exercise their rights under the CCPA.
What can you do to comply with the new law?
Gray Loon can help you meet compliance by partnering with you to conduct an evaluation of your website. We also recommend talking to your legal counsel. Once gaps in compliance are identified, we can help implement the updates needed on your site.
In general, these changes, though they may seem to apply only to websites that do business in California, will seemingly have a larger impact on the rest of the U.S. and other parts of the world, just as GDPR did for companies doing business in the EU. As good stewards of consumer privacy, we recommend considering how to update your data management processes in light of this new legislation.