California Consumer Privacy Act (CCPA)

The CCPA was signed into law in June of 2018 and while you’ve likely heard of it, you may not be clear as to how it can affect your business, website, and customers.  

What is the CCPA?

The California Consumer Privacy Act is a bill created to protect the privacy and data of consumers in California.  The act requires businesses to tell their consumers the data they’re collecting and also the option to opt out of the sale of their personal information.  

When does the CCPA go into effect?

The CCPA is set to take effect January 1, 2020, with enforcement beginning July 1, 2020.  

Who needs to comply with the CCPA?

The CCPA applies to companies who 1. Has consumers in California, and 2. Meet one of the following:  

  • Annual gross revenue exceeding $25 million
  • Buys, sells, receives, or shares alone or in combination, the personal information of 50,000 or more California residents, devices, or households annually.
  • Obtains 50 percent or more of it’s annual revenue from selling consumers’ personal information.

If your business meets any of the above and sells to consumers in California, you are required to comply with the CCPA.  

What is considered “personal information” under the CCPA?

The CCPA defines personal information under a few, well defined categories.  Personal information as defined by the CCPA is much broader than that of traditional “Personally Identifiable Information.” The categories most relevant for your marketing and advertising efforts are as follows:

  • Real name, alias, account name, postal address, email address, unique personal identifier, IP address, online identifier, social security number, driver’s license number, passport number, etc.  
  • Geolocation data
  • Internet activity information including history, search history, browsing history, and interaction with a specific website, application, or ad.
  • Assumptions drawn from any information used to create a profile on a consumer reflecting preference, characteristics, behavior, attitudes, psychological trends, intelligence, and abilities.  

Essentially, any marketing, advertising, or analytics tag loading on your website, will be collecting at least one data point that will fall into at least one of the categories listed above.  For example, if you’re using Google Analytics to collect behavior patterns on your website, you are collecting information regarding a consumer’s “interaction with a specific website, application, or ad.”

What are the requirements mandated by the CCPA?

There are a number of requirements outlined in the CCPA.  Your company will have to do the following to stay in compliance with the CCPA:

    • Transparency: Your consumers must be told what personal information is collected from them, where it is from, how it will be used, and with whom it will be shared.   
    • Disclosure at or before personal information is collected: Consumers visiting your website must be made aware that their “personal information” is being collected. This disclosure must be on the homepage of your website. 
  • Objection to the sale of personal information: Consumers can opt-out of the sale of their personal information. There must be a simple way for consumers on your website to do so.
  •  Privacy notice disclosure: Your website’s privacy notice must have specific information pertaining to the CCPA. This includes the following:
    • A description of consumers’ rights to request personal information collected. 
    • A description of consumers’ rights not to be discriminated against for implementing CCPA rights.
    • One or more means for consumers to submit concerns/request: eg: a toll-free number.
    • A notice of the consumers’ rights to request their personal information be deleted.
    • Information regarding the transfer and sale of personal information to third parties.
    • Specific information about the categories of personal information collected/sold/shared.  

Non-compliance penalties under the CCPA

Penalties under the CCPA vary based on each violation. From an action handed down by the State of California, a non-intentional violation can be up to $2,500 per record, and if the violation is deemed intentional, the fine can be up to $7,500 per record. The law also allows individuals to file additional private actions. 

As the website owner, your organization, is responsible for each of the platforms collecting personal data from your consumers. This includes third-parties who may be piggybacking others onto your website.