
While the CCPA only applies to companies doing business in California, the law is likely the first of many around consumer privacy in the US. That makes it only a matter of time before laws affecting your own state go into effect, so it’s not a bad idea to get ahead of things now.
Plus, laws like this tend to heighten consumer awareness, which means you may get requests from your customers to delete their data. Even if the law doesn’t specifically apply to you, it’s in your best interest to honor these types of requests.
CCPA is about Consumer Rights
The CCPA will give California consumers a number of rights concerning data privacy. Californians will have the right to:
- demand that companies disclose what personal data they’re collecting and who this information is being shared with
- request that a company delete the personal data it has collected on them
- request that their personal data not be sold to third parties
- sue companies if privacy guidelines are violated
What types of personal data must be disclosed and deleted upon request?
Under the CCPA, businesses must disclose and delete the following types of personal data when asked:
- Personal Identifying Information such as: name, address, email address, phone number, birth date, social security number
- Internet browsing stats
- Purchase details
- Information on sales of their information – this means if you are in the habit of selling your email list, you must be able to provide information on where you sold it.
How is the CCPA different from GDPR?
The GDPR requires an “opt-in,” meaning you must have a notice on your site that lets people know about the data you collect ahead of time. This is why you’ve been seeing a rush of websites with a pop-up telling you about their privacy policy. Most of these notices simply tell you that by using the site you’re agreeing to the policy, and thus opting in.
The CCPA, on the other hand, is an “opt-out.” This means you don’t have to have a special notice giving every visitor a heads-up, but you do need to have a method through which people can request their information or ask to be deleted. The law requires this to be in the footer of your website.
The scope of the two laws is also different. The GDPR applies to any organization doing business with Europeans, while the CCPA is aimed specifically at larger businesses, namely those that:
- Have annual revenue above $25 million
- Generate 50% of their revenue from data sales
- Collect information on 50,000 California residents
What steps should small businesses take?
- Make a list of the information you collect, where you store it and how you use it. Keep in mind third-party tools like Google Analytics, Insightly, or InfusionSoft would all apply here.
- Update your privacy policy to be transparent about the way you use data.
- Create an opt-out request on your website and link to it in your footer.
- Outline a process for responding to requests so you can supply the information people ask for and honor any opt-out requests.
Need help setting up for CCPA compliance? Give us a shout.