California’s consumer privacy law is coming. Here’s what it means for you!

California Consumer Privacy Act (CCPA)

Here is why you’re suddenly getting spammed with privacy emails and website popups. 

Does this look familiar?

We’ve updated our privacy notice to provide additional transparency on our information practices as well as to comply with the CCPA.

There is a reason why consumers are getting bombarded with these notifications as we close out the decade. On January 1, 2020, California becomes the first state to enact a data privacy law that will empower its residents with ownership over their personal information and change the way companies handle personal information.

What does it mean for your company and your website? How can you become compliant?

California’s new privacy law — the California Consumer Privacy Act (CCPA) — goes into effect January 1, 2020. CCPA regulates how companies collect and store data. Under the new law, state residents have the right to opt out of having their personal information sold to third parties, the right to disclosure of what personal information has been collected in the past 12 months, and the right to deletion of that data. The impact of this law is hard to measure because it requires consumers to take action.

The law applies to for-profit companies that generate more than $25 million in annual gross revenue, have more than 50,000 people’s personal data or generate more than 50% of their annual revenue from selling customers’ personal data.

It also means that if you have a small business that makes under $25 million a year, or if less than half of your business income relies on selling personal information to third parties, or if your business does not sell more than fifty-thousand Californians’ personal information, the CCPA does not apply to your company.

If companies purposefully ignore CCPA, California will fine them $7,500 per violation. Other rule-breaking carries a maximum fine of $2,500 per violation. California’s Justice Department will begin enforcing the law on July 1. The good news for you is that there is a six-month grace period from the law’s implementation to enforcement.

California privacy law’s definition of personal information

The new California law (CCPA) defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal information can include:

  • Identifiers such as real name, alias, postal address, social security numbers, driver’s license, and passport information.
  • Identifiers such as cookies, beacons, pixel tags, telephone numbers, IP addresses, account names…
  • Biometric data such as face, retina, fingerprints, DNA, voice recordings, health data…
  • Geolocation data such as location history via devices.
  • Internet activity such as browsing history.
  • Sensitive information such as personal characteristics, behavior, religious or political convictions, sexual preferences and so on.

Use this handy CCPA compliance checklist to inform you of some of the key requirements.

  • Businesses must feature a Do Not Sell My Personal Information link on their website that users can use to opt out of third-party data sales.
  • Businesses must provide a notice at or before the point of collection informing the consumer of the categories of personal information that the company collects and for what purpose.
  • Businesses must respond to an opt-out request within 15 days by stopping further selling and notifying all parties to whom it has sold the personal information in the previous 90 days.
  • Businesses must obtain opt-in consent from consumers age 13 to 15 before selling their personal information, and obtain opt-in consent from parents or legal guardians for consumers under the age of 13.
  • Businesses must provide consumers, free of charge, with the records of personal information collected in the past 12 months (including sources, commercial purposes and categories of third parties with whom it has been shared) if a consumer requests disclosure or deletion.
  • Businesses must respond within 10 days of receiving requests for disclosure or deletion with information on how the request will be processed. Substantive responses must be given to the consumer within 45 days of receiving a verified request.
  • Businesses must include two steps for a deletion request, whereby the consumer can submit the request and subsequently agree to the personal information being deleted.
  • Businesses must only offer financial incentives (e.g. different prices, rates, and quality) for goods and services if the differences are reasonably related to the value provided to the business by the consumer’s data.
  • Businesses must refrain from discriminating based on a consumer’s choice to exercise their rights.

Do you need a coach to help guide you through the requirements of CCPA and ensure you remain compliant? We can help!


FAQs about the California Consumer Privacy Act (CCPA)

What is the California Consumer Privacy Act (CCPA)?

CCPA regulates how companies collect and store data. Under the new law, state residents have the right to opt out of having their personal information sold to third parties, the right to disclosure of what personal information has been collected in the past 12 months, and the right to deletion of that data. The impact of this law is hard to measure because it requires consumers to take action.

How does the CCPA define personal information?

The new California law (CCPA) defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal information can include:

  • Identifiers such as real name, alias, postal address, social security numbers, driver’s license, and passport information.
  • Identifiers such as cookies, beacons, pixel tags, telephone numbers, IP addresses, account names…
  • Biometric data such as face, retina, fingerprints, DNA, voice recordings, health data…
  • Geolocation data such as location history via devices.
  • Internet activity such as browsing history.
  • Sensitive information such as personal characteristics, behavior, religious or political convictions, sexual preferences and so on.

Does the California Consumer Privacy Act (CCPA) apply to nonprofits?

The law applies to for-profit companies that generate more than $25 million in annual gross revenue, have more than 50,000 people’s personal data or generate more than 50% of their annual revenue from selling customers’ personal data.
