CCPA Effective from January 1, 2020

The new law is bound to impact most website owners and operators, as it previously happened with the European GDPR. Yet, in many ways, the CCPA is not as strict as GDPR and is more explicitly aimed at companies who are selling consumers' personal data.

First of all, the effects of the law are limited to California residents. However, this does not mean that businesses outside of California will not have to comply with the law, if they deal with customers from this state. Since residents of California can access any website, regardless of where it is being operated from, it basically means that all website owners, in the US and abroad, should take steps towards CCPA compliance.

We have seen this before with the GDPR law in Europe, that was aimed at all companies handling the personal information of EU citizens. At the time the GDPR went into effect, website owners in the US and elsewhere either complied to GDPR for all of their customers, or decided to simply block access to their websites if the visit was being performed from an IP in the European Union.

If you run a website in any of the other American states, you might be facing a similar choice here. If you can afford to leave out your customers living in California, there is the option of blocking visits from Californian IPs. However, data privacy laws are likely to be on the agenda of legislators in the future, too. It is not unforeseeable that more, if not all states, will pass similar legislation in the future. So, instead of progressively blocking out potential customers, it may be wiser to comply now, regardless of where your business is located.

Secondly, unlike GDPR, the effects of the law are somwhat limited. CCPA will concern only the following companies:

• those with gross revenues of at least $25 million
• those who have personal information on at least 50,000 California residents / households / devices per year
• at least 50% of their annual revenue is generated from selling the personal data of Californians

If your website collects personal information, but does not fall under one of the above categories, then you are free to do business as usual. These caveats are a clear sign that the law was not designed with small business owners in mind, but rather that it targets corporations who are profiting from selling large sets of personal information. However, make sure to check the number of unique visitors from California you have on your website. If that number exceeds 50,000 in a year, then you will have to consider CCPA compliance.

There is not a big difference from what we already discussed in GDPR related topics previously, as the personal data involved is pretty much the same: names, email addresses, location, biometric data etc. The law defines this as any information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household". Please note that publicly available information, as well as deidentified or aggregate consumer information is not considered personal information under CCPA.

You can still collect and even sell personal information, but you need to make it easy for users to opt-out of this process. The law explicitly says that, if a business sells the personal information of the users, it has to provide a clear link on their homepage, titled "Do Not Sell My Personal Information". Also, it is illegal to offer different services or features based on the choice to opt-in or opt-out. All customers have to still benefit from the same services.

Similar to GDPR, you have to grant customers the right to data access, to delete their personal data, and to request disclosure of all categories of personal data being collected and sold (if that is the case). This will be done on a yearly basis. On request, you have to provide the personal data from the previous 12 months preceding the request. Also, the customer may only file such claims a maximum of twice per year.

Also, please make sure to include the following in your privacy policy:

• all categories of information you collect and process
• what these categories of information are used for
• how the information is being collected
• what is the procedure to request access to, change, move or delete ones' personal data
• how the identity of the person who submits a request is verified
• if personal data is being sold, then this has to be described here
• how to opt-out of the selling of their data

Not necessarily, but chances are that if you have taken steps to comply to GDPR, you are also CCPA compliant. All of the conditions above are found in GDPR as well, with the exception of explicit rules for the selling of personal data.

The main risk website owners face is that of a data breach. Under the law, the company is responsible for preventing unauthorized access and theft of consumers' data. If this should happen, any user whose data is leaked has the right to file for recovering damages in an amount between $100 and $750. A large data breach, where the data of thousands of users is stolen, could potentially lead a company to bankruptcy. Multiply 1000 x $750 and you get an estimate of the impact.

However, before there is any civil action, companies are allowed 30 days to "cure the noticed violation", if that is possible.

As deidentified data, as well as aggregate data, does not fall under the rules of CCPA, most analytics tools are likely compliant by default. However, you should make sure to read the data processing agreement and privacy policies of any such third parties, to make sure you have all the information about the use of personal data. As part of the effort to comply with GDPR, TWIPLA has become CCPA compliant as well. Our company does not engage in the selling or sharing of data with others. The data we gather cannot be connected to the identity of any individual or household, or device.

If you need more detail about the new privacy law, you can read the full text of the 1.81.5. California Consumer Privacy Act here. If you would like to know more about how TWIPLA complies to privacy laws, please read our Privacy Policy and Data Processing Agreement.