As we celebrate the start of the new year, we take a closer look at the new California privacy law for 2020, which will affect the way businesses handle personal data. Called the California Consumer Privacy Act, or CCPA, it is meant to give the residents of California more control over the way their personal data is stored and processed. Starting today, January 1, 2020, this privacy law is in effect.
Who will this new legislation impact? What are the main things to know about CCPA? What can you do to make sure, as a website owner, that you comply with it?
The new law is bound to affect most website owners and operators, as happened previously with the European GDPR. Yet, in many ways, the CCPA is not as strict as GDPR and is more explicitly aimed at companies that sell consumers' personal data.
Which websites will CCPA impact?
First of all, the effects of the law are limited to California residents. However, this does not mean that businesses outside of California will not have to comply with the law if they deal with customers from this state. Since residents of California can access any website, regardless of where it is operated from, in practice this means that all website owners, in the US and abroad, should take steps towards CCPA compliance.
We have seen this before with the GDPR in Europe, which applied to all companies handling the personal information of EU citizens. When the GDPR went into effect, website owners in the US and elsewhere either complied with GDPR for all of their customers, or decided to simply block access to their websites for visits coming from IP addresses in the European Union.
If you run a website in any of the other American states, you may be facing a similar choice here. If you can afford to leave out your customers living in California, there is the option of blocking visits from Californian IP addresses. However, data privacy laws are likely to stay on legislators' agendas, and it is not hard to foresee more states, if not all of them, passing similar legislation in the future. So, instead of progressively blocking out potential customers, it may be wiser to comply now, regardless of where your business is located.
Secondly, unlike GDPR, the scope of the law is somewhat limited. CCPA applies only to businesses that meet at least one of the following conditions:
- gross revenues of at least $25 million
- personal information on at least 50,000 California residents, households or devices per year
- at least 50% of annual revenue generated from selling the personal data of Californians
If your website collects personal information but does not fall under any of the above categories, then you are free to do business as usual. These thresholds are a clear sign that the law was not designed with small business owners in mind, but rather targets corporations that profit from selling large sets of personal information. However, make sure to check the number of unique visitors from California you have on your website. If that number exceeds 50,000 in a year, then you will have to consider CCPA compliance.
What is considered personal data under CCPA?
There is not a big difference from what we already discussed in GDPR-related topics previously, as the personal data involved is much the same: names, email addresses, location, biometric data, etc. The law defines it as any information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household". Note that publicly available information, as well as deidentified or aggregate consumer information, is not considered personal information under CCPA.
What do I need to do in order to be CCPA compliant?
You can still collect and even sell personal information, but you need to make it easy for users to opt out of this process. The law explicitly says that if a business sells the personal information of its users, it has to provide a clear link on its homepage titled "Do Not Sell My Personal Information". It is also illegal to offer different services or features based on whether a user opts in or opts out: all customers must still receive the same services.
Similar to GDPR, you have to grant customers the right to access their personal data, to have it deleted, and to request disclosure of all categories of personal data being collected and sold (if that is the case). These requests are handled on a yearly basis: on request, you have to provide the personal data from the 12 months preceding the request, and a customer may file such a request at most twice per year. Your disclosure to customers has to cover:
- all categories of information you collect and process
- what these categories of information are used for
- how the information is being collected
- what the procedure is to request access to, change, move or delete one's personal data
- how the identity of the person who submits a request is verified
- if personal data is being sold, a description of that selling
- how to opt out of the selling of their data
Does GDPR compliance automatically mean you are also CCPA compliant?
Not necessarily, but chances are that if you have taken steps to comply with GDPR, you are also CCPA compliant. All of the conditions above are found in GDPR as well, with the exception of explicit rules for the selling of personal data.
What are the risks of failing to comply with CCPA?
The main risk website owners face is that of a data breach. Under the law, the company is responsible for preventing unauthorized access to and theft of consumers' data. If a breach does happen, any user whose data is leaked has the right to sue to recover damages of between $100 and $750. A large data breach, where the data of thousands of users is stolen, could potentially lead a company to bankruptcy. Multiply 1,000 users by $750 and you get an estimate of the impact.
However, before any civil action can be brought, companies are allowed 30 days to "cure the noticed violation", if that is possible.
Analytics tools and CCPA compliance
Since deidentified data and aggregate data do not fall under the rules of CCPA, most analytics tools are likely compliant by default. However, you should make sure to read the data processing agreement and privacy policy of any such third party, so that you have all the information about its use of personal data. As part of the effort to comply with GDPR, Visitor Analytics has become CCPA compliant as well. Our company does not engage in selling or sharing data with others. The data we gather cannot be connected to the identity of any individual, household, or device.