Disclaimer: The information provided in this article does not count as legal advice and is not an all-inclusive summary of the California Consumer Privacy Act (CCPA). Please consult a licensed attorney for advice on whether and how this law applies to you or your business.
Startups and small businesses, take heed. The California Consumer Privacy Act (CCPA) is something you need to be aware of.
The data privacy law takes effect on January 1, 2020, bringing a new set of rules for collecting, storing, and using consumer data.
It’s a huge deal for tech giants and big businesses that acquire tons of data every minute. But if you assume your small ecommerce or consultancy business is automatically exempt from the law, think again: once you cross one of its thresholds (covered below), you also need to be CCPA-compliant to avoid heavy penalties.
By now you may be struggling to make sense of a complex law, but don’t fret. We’ll fill you in on the relevant details so you can prepare your business, and its website, ahead of time.
The CCPA in a nutshell
The California Consumer Privacy Act (CCPA) rolls out new privacy rights for California consumers, and new obligations for businesses covered by the law. It is often compared to the EU’s General Data Protection Regulation (GDPR), but the two differ in who they protect, which businesses they cover, and how they are enforced, so compliance with one does not guarantee compliance with the other.
Learn more about how these data privacy laws differ to make sure you remain compliant with both.
According to the CCPA website, the act gives California consumers the right to:
Own your personal information
- Know what categories of personal information a business collects
- Know when their personal information is sold or disclosed to a third party, and to whom
Control your personal information
- Opt out of (say no to) the sale of their personal information
- Be told that their personal data may be sold and that they have the right to opt out of the sale
- Receive equal service and prices even when they exercise their CCPA rights
- Know, access, and request deletion of the personal data a business holds about them
Secure your personal information
- Receive reasonable security measures from businesses for their personal information
Hold big corporations accountable
Is your small business covered by this new law?
The CCPA covers for-profit businesses that do business in California, collect California consumers’ personal information, and meet at least one of the following conditions:
- Have annual gross revenue above $25,000,000
- Annually buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices
- Derive 50% or more of their annual revenue from selling consumers’ personal information
💡 What classifies as personal information?
Personal information includes identifiers (real name, email address, IP address), commercial information, biometric data, internet activity such as browsing and search history, geolocation data, employment data, and more. Note that IP addresses are listed explicitly, so ordinary web server logs and analytics data can be in scope.
Businesses that fail to uphold these rights face civil penalties of up to $2,500 per violation, rising to $7,500 per intentional violation.
If a single incident is counted as one violation for each of 1,000 California residents, that is a potential $2.5 million fine, even for a first-time violator.
How about non-Californians?
Small businesses outside California are still bound by the law if they do business in California and collect personal information from California residents, for example during ecommerce checkouts or B2C mobile app registrations.
So even if you are an online store owner or a local blogger, it is possible to hit the 50,000 threshold with only about 137 California visitors a day (137 × 365 ≈ 50,000), provided you log each visitor’s IP address or another identifier.
5 Ways Your Small Business Can Comply With CCPA
If you’ve determined the CCPA applies to your business, the next question to ask is how to make your business compliant.
Taking the necessary measures is not a walk in the park. But by breaking the task down into actionable steps, ideally with the help of a legal expert, you can be in reasonable shape within a few months.
First things first: get a thorough understanding of all the consumer data you collect, store, and pass on to third parties. This is usually more than you expect, so follow a systematic data mapping exercise to avoid missing anything.
Here are some questions that should help guide you through the process:
- What types of personal information do you collect?
- How are you collecting this data, and how long do you keep it?
- Where is all consumer data stored, including backups, logs, and third-party analytics tools?
- Is data being shared with third parties? If so, with whom?
- What categories do these third parties fall into?
Next, update your data privacy policy (DPP). Here are the points that will help you make it CCPA-compliant:
- A list and description of new rights afforded to California residents
- The methods for submitting requests to access or delete personal data
- A separate opt-out page, linked from your homepage as “Do Not Sell My Personal Information”
- A list of all personal data categories collected within the last 12 months
- A list of sources for every category of personal data collected
- Your purposes of collecting and using each category of personal data
- A list of personal data categories sold within the last 12 months
- A list of personal data categories shared for a business purpose in the last 12 months
To be sure, have a data privacy lawyer review your updated policy and confirm it is CCPA-compliant.
Aside from the DPP, you should also disclose CCPA consumer rights in CCPA-specific notices, at or before the point where personal data is collected.
Now that California residents have a new set of data privacy rights, expect them to start exercising those rights soon. Get your processes straight as soon as possible.
Develop a process for consumers who request a summary or a copy of the personal data you hold about them, and a process for when they want that information deleted. Both should include a step to verify the requester’s identity before you disclose or delete anything, so that an attacker cannot use a request to extract someone else’s data or wipe their account.
If you’re sharing or selling personal data to certain vendors and entities, map out a process for when a consumer opts out of that sale.
Inform your vendors of this new provision ahead of time and revise contracts as needed.
Designate at least two methods for consumers to submit requests, including at a minimum a toll-free telephone number and, if you have a website, a web address (a business that operates exclusively online and has a direct relationship with its consumers only needs to provide an email address).
If it suits your business, you can set up a separate sub-domain for California residents. This makes data gathering and mapping easier and more organised.
Be ready to respond to consumer requests. Since a request covers the 12 months preceding it, timestamp records at the point of collection so you can scope each response precisely.
Respond to information requests within 45 days of receiving them (the law allows one extension of up to 45 more days if you notify the consumer). Deliver the information by mail or electronically, in a portable and readily usable format.
Creating a ready-made response template will help you answer requests faster, so it is an asset worth building.
CCPA is only the beginning
When you think about it, the CCPA is hardly a liability to your business. Data is a more powerful resource than most of us expect, so protecting it, and the individuals it belongs to, is a must.
As more U.S. states pass their own data protection laws, it is best to fully comply with the CCPA today. When the time comes, it will be easier than ever to uphold your customers’ rights and protect your business from penalties.