More and more consumers are rallying for control over their own data, and individual states are starting to respond with new legislation. California’s paving the way with a sweeping new privacy act. The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. Think this is an issue solely for California businesses? Think again.
If you engage in any business in California, you may be subject to the CCPA. Below is an outline of the businesses affected by the CCPA, the rights of California’s consumer residents, and steps your business can take to comply with these upcoming changes.
Businesses Affected by the CCPA
All for-profit businesses—from sole proprietors to corporations—engaging in business in California and collecting personal information from California residents are potentially subject to this act. The CCPA applies to these businesses if they meet any the following criteria:
- have more than $25 million in annual gross revenue
- receive at least 50% of annual revenue from selling the personal information of California residents
- buy, sell or share the personal information of 50,000 or more California residents, households or devices each year
- receive the personal information of 50,000 or more California residents, households or devices each year for commercial purpose (including commercial transactions for goods or services)
Personal information is defined pretty broadly in the CCPA as information that could identify or link to a particular person or household. Examples include names, addresses, emails, user names, ID numbers, and purchasing histories or search histories.
CCPA and Consumer Rights
Much like the EU’s GDPR, the CCPA recognizes specific rights that California residents have over their personal information. These rights include:
- Knowing the personal information businesses collect and if it’s sold or shared
- Knowing the buyer or recipient of personal information that’s sold or shared
- Accessing their own personal information
- Opting out of personal information sales
- Receiving equal prices and services
Steps to CCPA Compliance
So what exactly does your business need to do to ensure California residents maintain their consumer rights? The CCPA spells out many specific steps affected businesses are required to take to meet these needs, including the following key practices:
Opt-out requests
- Include a “Do Not Sell My Personal Information” link on the homepage of your website if your business sells personal information to third parties. The link must be “clear and conspicuous,” so no burying or obscuring it. The link should direct consumers to another page that enables consumers to opt out of personal information sales.
- Abide by requests to opt out of personal information sales to third parties.
- Don’t sell the personal information of residents age 13-16 without their authorization. Don’t sell the information of residents under age 13 without parent or guardian authorization. Basically, youth must “opt in” before their information can be sold.
Other consumer requests
- Provide a toll-free number and at least one additional contact method for consumers to make information requests.
- Respond to information requests within 45 days.
- Delete personal information upon a consumer’s request (unless it’s necessary to maintain for legal, security or other obligations as outlined in the CCPA ).
All requests
- Don’t charge fees or require consumers to create accounts for any information, deletion or opt-out requests.
- Don’t discriminate against consumers who exercise their rights. For instance, no denying goods or services or charging different rates to those who choose to opt out of personal information sales.
Privacy Policies
- Include the following information in your privacy policy (or on your website if you don’t have a policy): consumers’ rights, the methods for submitting requests, and separate lists stating the categories of personal information collected, sold or disclosed in the last 12 months.
- Update the above information at least once every 12 months.
CCPA Penalties
What happens if you fail to abide by the CCPA? You’ll be notified of your noncompliance and given 30 days to become compliant. At this point, if your business is still noncompliant, you can receive a civil penalty of up to $7,500 per violation.
Consumers can also recover personal damages if they are affected by your business’s failure to maintain “reasonable security procedures and practices.” Damages can be up to $750 “per consumer per incident.” For businesses with numerous consumers, this means a significant data security incident could be costly.
More Business Resources
Considering starting a corporation or LLC? Already doing business in California or other states? Northwest can help you start or maintain your business. We provide industry-leading registered agent service and form businesses in all fifty states, as well as DC and Puerto Rico. We also offer compliance services and loads of free forms and resources.