Disclaimer: The information provided in this article does not count as legal advice and is not an all-inclusive summary of the California Consumer Protection Act (CCPA). Please consult a licensed attorney for advice on where this law applies to you or your business.
Startups and small businesses, take heed. The California Consumer Privacy Act (CCPA) is something you need to be aware of.
The data privacy law welcomes the new year with a new set of rules for collecting, storing, and using consumer data.
It’s a huge deal for tech giants and big businesses who acquire tons of data every minute. But if you’re thinking your small ecommerce or consultancy business is exempt from the law, you’re wrong. You also need to be CCPA-compliant to dodge huge penalties.
By now you must be trying to make sense of complex laws, but don’t fret. We’ll fill you in on all the relevant details so you can prepare your business (website) ahead of time.
The California Consumer Privacy Act (CCPA) rolls out new privacy rights for California consumers — and new obligations for businesses covered by the law. It’s like the Global Data Protection Regulation (GDPR), only there’s a geographical difference.
Learn more about how these data privacy laws differ to make sure you remain compliant with both.
According to the CCPA website, the act gives site visitors the right to:
Is your small business covered by this new law?
The CCPA covers for-profit businesses that collect personal consumer information in California. It also applies to those that meet at least one of the following conditions:
💡 What classifies as personal information?
Personal information includes identifiers (real name, email, IP address), commercial information, biometrics, internet activity, geolocation data, employment data, etc.
Businesses that fail to uphold these rights can face fines ranging from $2,500 per California resident to $7,500 each for repeat offenders.
This means that if a single incident affects 1,000 California residents, you can expect to pay a fine of $2.5 million, even as a first-time violator.
Unfortunately, non-Californian small businesses are still bound by this law if they collect information from California residents, such as during ecommerce checkouts or B2C mobile app registrations.
So even if you’re an online store owner or a local blogger, it’s possible to hit the 50,000 threshold by having only 137 Californians visiting your website.
If you’ve determined the CCPA applies to your business, the next question is how to make your business compliant.
Taking the necessary measures is not a walk in the park. But by breaking the task down into actionable steps — best with the help of a legal expert — you’ll find yourself settling in within a few months.
First things first — get a thorough understanding of all consumer data you collect, store, and pass on to third parties. We’re talking tons of information here, so it’s best to follow an intensive data mapping procedure to avoid missing out on anything.
Here are some questions that should help guide you through the process:
Here are nine points that’ll help you create a compliant DPP:
To be sure, get a data privacy lawyer to review your updated policy and ensure it is CCPA-compliant.
Aside from a DPP, you can also disclose CCPA consumer rights in CCPA-specific notices or once personal data is collected.
Now that California residents have a new set of data privacy rights, expect them to start exercising those rights soon. Get your processes straight as soon as possible.
Develop a process for consumers who wish to request a summary or a copy of their personal data you're holding. Also create a process for when they want to delete that information.
If you’re sharing or selling personal data to certain vendors and entities, map out a process for when a consumer opts out of that sale.
Inform your vendors of this new provision ahead of time and revise contracts as needed.
Develop at least two methods for consumers who wish to submit requests. Provide a toll-free telephone number or a separate website address that customers can easily access.
If it applies to your business, you can set up a sub-domain for your website that’s targeted only to California residents. This makes data gathering and mapping easier and more organised.
Be ready to respond to consumer requests. Since you’ll need to deliver all data from the 12 months prior to the request, don't forget to date the data you collect.
Make sure to respond to information requests within 45 days of receiving them. Deliver the information via snail mail or email in a portable format.
Creating a ready-made template will help you respond to queries faster, so that’s an asset worth making.
When you think about it, CCPA is hardly a liability to your business. Data is a resource more powerful than we expect, so it's a must to protect it and the individuals it belongs to.
As more and more U.S. states pass their own data protection laws, it’s best to fully comply with CCPA today. When the time comes, it will be easier than ever to uphold your customers’ rights and protect your business from penalties.