California, home to one of the largest economies in the world, has passed and enacted a set of laws known as the California Consumer Privacy Act (CCPA). The CCPA is similar to the EU’s GDPR, which we’ve posted about elsewhere, but it differs in the scope of information it covers and in what companies are required to do about it.
Some of the basics are as follows:
- This act applies to any for-profit business doing business in California that has at least $25 million in annual revenue. As one summary adds: “In addition, companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data, also fall under the law. Companies don’t have to be based in California or have a physical presence there to fall under the law. They don’t even have to be based in the United States. An amendment made in April exempts “insurance institutions, agents, and support organizations” as they are already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).” (These thresholds have since been amended: the California Privacy Rights Act, in force since 2023, raised the 50,000 figure to 100,000 consumers or households and covers the sharing of data for cross-context behavioral advertising as well as its sale.) If your company does NOT meet these thresholds, you can probably stop reading now unless you enjoy learning!
- Consumers have the right to know what personal information a business has collected about them, the categories of sources, the business purpose for collecting it, and the categories of third parties it was shared with or sold to, and to receive a copy of the specific pieces of information on request. They also have the right to request deletion of that information (subject to exceptions, such as data needed to complete a transaction the consumer asked for or to meet a legal obligation).
- Consumers may sue a business directly only over a data breach: if non-encrypted and non-redacted personal information is exposed because the business failed to implement reasonable security, the consumer can seek statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater), after giving the business 30 days’ written notice to cure. All other violations are enforced by the California Attorney General, not through private lawsuits.
- Businesses that sell personal information must provide a clear and conspicuous “Do Not Sell My Personal Information” link on their homepage (commonly placed in the footer) that lets consumers opt out of the sale of their data. Note that this is an opt-out of sale, not of collection, and that the data of consumers under 16 may not be sold at all without opt-in consent.
- There is no general requirement to retain data for 12 months. The 12-month figure is a look-back: a request to know covers personal information collected in the 12 months preceding the request, so you must be able to produce whatever you held during that window. (The regulations separately require businesses to keep records of consumer requests and how they were handled for 24 months.)
- Personal information is defined as information that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household. Publicly available information (lawfully made available from government records) and de-identified or aggregate consumer information are excluded. It includes:
  - Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
  - Characteristics of protected classifications under California or federal law
  - Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
  - Biometric information
  - Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement
  - Geolocation data
  - Audio, electronic, visual, thermal, olfactory, or similar information
  - Professional or employment-related information
  - Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
  - Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
- Any request to know must be answered within 45 days of receipt (extendable once by a further 45 days where reasonably necessary, with notice to the consumer), detailing the information collected and the categories of third parties it was shared with or sold to.
What does this mean for your business?
You’ve probably already upgraded your site to meet the requirements of the EU’s GDPR. If so, you’re most of the way to CCPA compliance already. There are, however, some further requirements your site may need to be upgraded for. Be careful about assuming they don’t apply to you: IP addresses, browsing history, and interaction with ads all appear in the definition above, so almost any site running analytics or advertising collects personal information under the CCPA. Businesses that collect a lot of it need to take a hard look at their security and database systems and work out what is stored, where it lives, and whom it has been shared with. For most other businesses, a few steps may be necessary:
- Edits or updates to your privacy policy and systems to describe the new consumer rights, the categories of personal information you collect, and how to submit a request.
- Addition of a “Do Not Sell My Personal Information” link in the footer (or elsewhere on the homepage) so users can opt out of the sale of their data.
- Setup of at least two methods for consumers to submit requests to know or delete, such as a toll-free number plus a web form; a business that operates exclusively online and has a direct relationship with the consumer needs only an email address. Whatever the method, you need a way to verify that the requester is who they claim to be before releasing or deleting anything.
- Keep automated analytics and logging systems to de-identified or aggregate data, or adopt a system that separates records tied to an identifiable person from the rest, so that everything linked to one consumer can be found, exported, and deleted when a request arrives.
- Inform people (through any means you wish, such as the footer link, a banner, or a popup) that your privacy policy has been updated and describes their rights as consumers.
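The separation recommended in the list above can be made concrete. What follows is an added example written for this page, not code from the original post or from any CCPA tooling: a hypothetical Python store that keeps identity attributes in one table, keys activity and disclosure records only by a keyed-hash pseudonym, and answers access and deletion requests from that layout. The secret key, the table layout, the function names and the sample records are all assumptions constructed for the example.

```python
"""Hypothetical PII-separated store for CCPA access and deletion requests.

Assumed design (not from the page): identity data lives in one table, every
activity record is keyed only by an HMAC pseudonym of the consumer's email,
and every disclosure to a third party is logged against that pseudonym.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=365)  # a request to know covers the preceding 12 months
NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)  # fixed "today" for the sample data


def pseudonym(secret: bytes, email: str) -> str:
    """Keyed hash, not plain SHA-256: without the secret nobody can recompute the
    pseudonym from a guessed email, so the events table alone does not identify anyone."""
    return hmac.new(secret, email.strip().lower().encode(), hashlib.sha256).hexdigest()


@dataclass
class Store:
    secret: bytes
    identities: dict = field(default_factory=dict)   # pseudonym -> identity attributes
    events: list = field(default_factory=list)       # (pseudonym, timestamp, category, value)
    disclosures: list = field(default_factory=list)  # (pseudonym, timestamp, recipient, category)
    aggregates: dict = field(default_factory=dict)   # category -> count, no link to anyone

    def record_identity(self, email: str, **attrs) -> str:
        p = pseudonym(self.secret, email)
        self.identities[p] = {"email": email.strip().lower(), **attrs}
        return p

    def record_event(self, email: str, ts: datetime, category: str, value: str) -> None:
        self.events.append((pseudonym(self.secret, email), ts, category, value))

    def record_disclosure(self, email: str, ts: datetime, recipient: str, category: str) -> None:
        self.disclosures.append((pseudonym(self.secret, email), ts, recipient, category))

    def access_request(self, email: str, now: datetime) -> dict:
        """Right to know: identity, records and recipients from the 12 months before `now`."""
        p = pseudonym(self.secret, email)
        since = now - LOOKBACK
        return {
            "identity": self.identities.get(p),
            "events": [e for e in self.events if e[0] == p and since <= e[1] <= now],
            "shared_with": sorted({d[2] for d in self.disclosures
                                   if d[0] == p and since <= d[1] <= now}),
        }

    def deletion_request(self, email: str) -> bool:
        """Right to delete: fold the consumer's records into per-category counts
        (which carry no identifier), then drop every row keyed by the pseudonym.
        Returns False if no identity row existed for this email."""
        p = pseudonym(self.secret, email)
        found = self.identities.pop(p, None) is not None
        for e in self.events:
            if e[0] == p:
                self.aggregates[e[2]] = self.aggregates.get(e[2], 0) + 1
        self.events = [e for e in self.events if e[0] != p]
        self.disclosures = [d for d in self.disclosures if d[0] != p]
        return found


def build_sample_store() -> Store:
    """Constructed sample records for the demonstration; not real data."""
    s = Store(secret=b"example-secret-keep-separate-from-the-events-db")
    s.record_identity("Alice@Example.com", name="Alice")
    s.record_identity("bob@example.com", name="Bob")
    s.record_event("alice@example.com", NOW - timedelta(days=10), "browsing", "/pricing")
    s.record_event("alice@example.com", NOW - timedelta(days=400), "purchase", "sku-123")  # outside look-back
    s.record_event("bob@example.com", NOW - timedelta(days=3), "browsing", "/blog")
    s.record_disclosure("alice@example.com", NOW - timedelta(days=9), "AdNetworkCo", "browsing")
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print(store.access_request("Alice@Example.com", NOW))
    store.deletion_request("alice@example.com")
    print(store.access_request("alice@example.com", NOW), store.aggregates)
```

Two design points matter in practice. The HMAC secret has to live outside the database that holds the events and disclosures, with access to it logged, or the pseudonym is no better than the raw email. And whether counts rolled into `aggregates` on deletion qualify as de-identified data that may be kept is a legal determination for your counsel; the code only shows that the layout makes the distinction mechanically enforceable. Verifying that the requester is the consumer they claim to be is out of scope here and must happen before either method is called.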
When do I have to be compliant?
The CCPA took effect on January 1, 2020, and the Attorney General began enforcing it on July 1, 2020. Because a request to know covers the preceding 12 months, a request received on the effective date could reach back to data collected from January 1, 2019, so businesses needed to be able to account for that data from day one. A business that receives a consumer’s written notice of a data-breach claim has 30 days to cure the violation before the consumer can sue for statutory damages. The sooner a company is prepared, the better.
Is there a checklist I can follow, like the EU’s graphic?
Yes! It is a third-party resource, however, and we cannot guarantee that it is accurate or will remain so as the law is amended. Venable has a basic checklist that restates most of the information provided here.
We have been doing a large amount of research into the CCPA and what it means for your business. If you have any questions at all about the CCPA, we’d love to help you set up your site to comply or share any information we have.