When you’re running an online business, you have to be aware of the different laws that affect you, and privacy laws are among the most important. In the United States, there’s no federal law (yet!) requiring a privacy policy for all websites, but a few states have laws in place. Current California law requires a privacy policy on all commercial websites (California Online Privacy Protection Act). Now, there’s a new privacy law in town. If you aren’t sure whether this new law applies to you, this article will teach you what you need to know about CCPA.
What is the CCPA?
CCPA stands for California Consumer Privacy Act of 2018. It went into effect on January 1, 2020. The law doesn’t become enforceable until July 2020 to give businesses time to comply. You can read the full law here.
Does the CCPA apply to you?
The CCPA applies to businesses that do business in California that:
- have $25 million annual gross revenue; or
- collect the personal data of 50,000+ California consumers, households, or devices; or
- make half of annual revenue from selling the personal data of California residents
What is personal data?
CCPA defines personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.
What rights do consumers have under CCPA?
The CCPA extends the right of privacy to explicitly include personal information. These rights include:
- Right to know what personal information is collected about them.
- Right to know if, and to whom, their personal information is disclosed and/or sold.
- Right to opt-out of the sale of their personal information.
- Right to access their personal information.
- Right to equal service and price, whether or not they exercise their privacy rights.
- Private right of action, for $100-$750, for anyone whose personal information is compromised.
How to comply with CCPA?
- Have a compliant privacy policy at or before the point of data collection (and update it at least annually). Let them know what personal data you are collecting about them and why.
- Have two methods for consumers to make requests to exercise their rights. You have to at least have a webform. If your business is online, you can use an email address. Otherwise, you need a toll-free number.
- Verify & respond to requests within 45 days. You don’t have to do it more than twice in a 12-month period per consumer.
- Include a “Do not sell my personal information” link on the home page of your website. You should also link to this in the footer.
- Give notice of financial incentives.
What makes a compliant privacy policy?
A privacy policy is a statement letting visitors know what information you collect from them and what you do with that personal information. It is usually a page on your site, linked in the footer.
The key to a good privacy policy is to make it easy to find and easy to understand. You can read more about privacy policies generally in this post.
The CCPA has added a few new requirements:
- New rights of California consumers
- How to exercise those rights (the two methods of submitting requests)
- Link to the opt-out page
- List of the categories of personal information that have been collected in the past 12 months and how it has been collected
- What you use the personal information for
- What personal information you’ve sold and/or disclosed for a business purpose in the past 12 months
CCPA doesn’t apply to most businesses, but if it does apply to you, it doesn’t have to be difficult to comply. Just make sure you follow the steps listed above. Keep in mind that if CCPA doesn’t apply to you, you still need to have a privacy policy on your website. Not only is it legally required, but your transparency also builds trust with your customers.
Disclaimer: This site, and all information contained herein or through communication with me, is intended as legal information only. I am an attorney, but I am not your attorney, so nothing on this site, nor any communication with me, shall create an attorney-client relationship. I am not liable for damages or losses based on any action taken, or inaction, based on the information contained on this site. All areas of the law are fact specific and there is no substitute for legal advice from an attorney licensed in your jurisdiction who is familiar with the specific facts and circumstances of your situation.