What the New California Privacy Law Means for Your Small Business

If you have put off updating your website privacy policy, delay no more. Beginning January 1, 2020, California’s new privacy law named the California Consumer Privacy Act (or CCPA) went into effect. It applies to more than Facebook and businesses located in California. If your business has a website, you may need to comply - even if you aren’t based in California.

Does the CCPA apply to me?

The CCPA applies to for profit companies that collect or use personal information of consumers and do business in California. Collecting personal information is very broad and includes basic information collected through website analytics such as name, IP address, device information, payment data, etc. If your website can be viewed by anyone, anywhere, then you are “doing business” in California.

Your business must also meet any one of the following for the law to apply:

• Have at least $25 million in annual revenue;

• Annually possess the personal data of at least 50,000 consumers, households, or devices; or

• Earn at least 50% of its annual revenue from selling consumer’s personal data.

While your revenues may not be that large and you don’t sell data, possessing the personal data of 50,000 consumers, households, or devices may happen before you know it. If you collect the IP addresses of every device that visits your website, then you would meet this threshold simply by having 137 new visitors every day, regardless of whether you did any business with these visitors.

And even if you don’t meet those thresholds now, hopefully, your business will grow to meet them soon.

How do I comply with the CCPA?

From a 10,000-feet level, CCPA compliance means you need to (1) clearly disclose the what, how, and why of the personal information you obtain, and (2) implement methods to accommodate consumer requests.

1. Personal Information Disclosures in Privacy Policy

In your privacy policy, you will need to list all categories of personal information collected from any source. Personal information is broadly defined and includes, but is not limited to, names, financial accounts, race, gender, user names, passwords, government IDs, geolocation, employment, IP addresses, and cookies.

You’ll then need to describe how that information is collected. For example, the user may submit the information to you themselves in a form. Or, it may be obtained through the use of cookies.

You will also need to explain the purpose for collecting the information. Purposes include performing business services, detecting security incidents, marketing, internal research, and quality assurance. If a category of personal information is sold, that must be disclosed, accompanied by the category of the third party that purchased the info. While it may sound daunting, reports suggest a whole new industry will develop to help companies deal with the CCPA.

2. Implement Consumer Rights Requests

Under the CCPA, consumers have the rights to disclosure, deletion and, if you sell personal information, the right to opt-out of the sale. These rights, and the right to not be discriminated against for pursuing those rights, must be communicated to consumers in your privacy policy

To adequately respond to requests, you may first need to update your data infrastructure. If the personal information you store is unlinked and located in several places, you will have a hard time locating everything. You should also keep track of any personal information that is stored by a third party service provider at your direction. Your goal should include the ability to single out one customer and easily retrieve all the information you have about them.

You must have two methods for consumers to make requests. One of the two must be a toll-free phone number unless you are solely an online business which means you can rely exclusively on email.

Only California residents have rights under the CCPA. When you receive a request, you will need to verify their identity and residency. You may do this by matching information you have collected about the requester. However, a consumer must not be required to create an account in order to verify their identity.

Responding to Disclosure Requests

You have 45 days to respond to a disclosure request. The written disclosure should identify the categories of information collected, the sources of that information, what that information is used for, the category of third parties the information is disclosed to, and any specific information collected about the requesting consumer. If your company sells consumer information, the disclosure should also indicate which categories of personal information are sold to third parties. The information contained in the disclosure only has to cover the preceding 12 months.

If the requester has an account with you, the disclosure should be uploaded to their account. If they do not, you may send them this information via mail or email.

Responding to Deletion Requests

After verifying the identity and residency of a requester, you must immediately take steps to delete their personal information from your system and direct third parties that store personal information on your business’s behalf to do the same. There are exceptions to this right; for instance, if the personal information you have collected is necessary to complete an ongoing transaction between you and the consumer, you do not have to delete the information until the transaction is complete.

Responding to Opt-Out Requests

If your business sells consumer information, you will also need to provide a link in the privacy policy and at the footer of your website to a “do not sell my personal information” webpage. This page must contain instructions about opting-out of such sales.

Any consumer that opts-out must be exempted from any information sale for 12 months. This will require some a way to keep track of which consumers have opted out of the sale.

After the 12 month period, you may send the opted-out consumer a request to opt-in to the sale of information. Unless they opt-in, you can not start collecting their information to sell. The CCPA also imposes an opt-in requirement for the sale of personal information of minors under 16 years old, regardless of whether they requested the opt-out or not.

What happens if you’re not in compliance with the CCPA?

You will be notified of any violation and given thirty days to resolve the issue. Failure to resolve the issue may result in a fine of up to $7,500 per violation. If a consumer believes you’ve violated their rights, you have 30 days after notice to resolve it before they may initiate a class action lawsuit.

Although CCPA compliance seems daunting, breaking it down into smaller tasks will make the process go smoother. Figure out what personal information your business collects and update your privacy policy accordingly. Inform California consumers about their CCPA rights. Designate channels for consumers to make requests. And last but not least, implement methods to follow through with those requests.