What the New California Privacy Law Means for Your Small Business

If you have put off updating your website privacy policy, delay no more. On January 1, 2020, California’s new privacy law, the California Consumer Privacy Act (CCPA), went into effect. It applies to more than Facebook and businesses located in California. If your business has a website, you may need to comply, even if you aren’t based in California.

Does the CCPA apply to me?

The CCPA applies to for-profit companies that collect or use personal information of consumers and do business in California. The definition of collecting personal information is very broad and includes basic information collected through website analytics, such as name, IP address, device information, payment data, etc. If your website can be viewed by anyone, anywhere, then you are “doing business” in California.

Your business must also meet any one of the following for the law to apply:

  • Have at least $25 million in annual revenue;

  • Annually possess the personal data of at least 50,000 consumers, households, or devices; or

  • Earn at least 50% of its annual revenue from selling consumers’ personal data.

While your revenues may not be that large and you don’t sell data, possessing the personal data of 50,000 consumers, households, or devices may happen before you know it. If you collect the IP addresses of every device that visits your website, then you would meet this threshold simply by having 137 new visitors every day, regardless of whether you did any business with these visitors.

And even if you don’t meet those thresholds now, hopefully, your business will grow to meet them soon.

How do I comply with the CCPA?

From a 10,000-foot level, CCPA compliance means you need to (1) clearly disclose the what, how, and why of the personal information you obtain, and (2) implement methods to accommodate consumer requests.

1. Personal Information Disclosures in Privacy Policy

In your privacy policy, you will need to list all categories of personal information collected from any source. Personal information is broadly defined and includes, but is not limited to, names, financial accounts, race, gender, user names, passwords, government IDs, geolocation, employment, IP addresses, and cookies.

You’ll then need to describe how that information is collected. For example, the user may submit the information to you themselves in a form. Or, it may be obtained through the use of cookies.

You will also need to explain the purpose for collecting the information. Purposes include performing business services, detecting security incidents, marketing, internal research, and quality assurance. If a category of personal information is sold, that must be disclosed, accompanied by the category of the third party that purchased the info. While it may sound daunting, reports suggest a whole new industry will develop to help companies deal with the CCPA.

2. Implement Consumer Rights Requests

Under the CCPA, consumers have the rights to disclosure, deletion, and, if you sell personal information, the right to opt out of the sale. These rights, and the right to not be discriminated against for pursuing those rights, must be communicated to consumers in your privacy policy.

To adequately respond to requests, you may first need to update your data infrastructure. If the personal information you store is unlinked and located in several places, you will have a hard time locating everything. You should also keep track of any personal information that is stored by a third party service provider at your direction. Your goal should include the ability to single out one customer and easily retrieve all the information you have about them.

You must have two methods for consumers to make requests. One of the two must be a toll-free phone number, unless you are solely an online business, in which case you can rely exclusively on email.

Only California residents have rights under the CCPA. When you receive a request, you will need to verify the requester’s identity and residency. You may do this by matching information you have collected about the requester. However, a consumer must not be required to create an account in order to verify their identity.

Responding to Disclosure Requests

You have 45 days to respond to a disclosure request. The written disclosure should identify the categories of information collected, the sources of that information, what that information is used for, the category of third parties the information is disclosed to, and any specific information collected about the requesting consumer. If your company sells consumer information, the disclosure should also indicate which categories of personal information are sold to third parties. The information contained in the disclosure only has to cover the preceding 12 months.

If the requester has an account with you, the disclosure should be uploaded to their account. If they do not, you may send them this information via mail or email.

Responding to Deletion Requests

After verifying the identity and residency of a requester, you must immediately take steps to delete their personal information from your system and direct third parties that store personal information on your business’s behalf to do the same. There are exceptions to this right; for instance, if the personal information you have collected is necessary to complete an ongoing transaction between you and the consumer, you do not have to delete the information until the transaction is complete.

Responding to Opt-Out Requests

If your business sells consumer information, you will also need to provide a link in the privacy policy and at the footer of your website to a “do not sell my personal information” webpage. This page must contain instructions about opting out of such sales.

Any consumer that opts out must be exempted from any information sale for 12 months. This will require a way to keep track of which consumers have opted out of the sale.

After the 12-month period, you may send the opted-out consumer a request to opt in to the sale of information. Unless they opt in, you cannot start collecting their information to sell. The CCPA also imposes an opt-in requirement for the sale of personal information of minors under 16 years old, regardless of whether they requested the opt-out or not.

What happens if you’re not in compliance with the CCPA?

You will be notified of any violation and given thirty days to resolve the issue. Failure to resolve the issue may result in a fine of up to $7,500 per violation. If a consumer believes you’ve violated their rights, you have 30 days after notice to resolve it before they may initiate a class action lawsuit.

Although CCPA compliance seems daunting, breaking it down into smaller tasks will make the process go more smoothly. Figure out what personal information your business collects and update your privacy policy accordingly. Inform California consumers about their CCPA rights. Designate channels for consumers to make requests. And last but not least, implement methods to follow through with those requests.

Originally published on October 26, 2022, and last edited on November 18, 2022.
