How the California Privacy Law Can Help Your Business
We’re being watched.
Sadly, in 2020, this feels like old news. The personal details of our lives, from where we grab takeout to our political leanings to the place we let our mouse linger on a website – it’s all being tracked. The data isn’t just used to bombard us with hyper-targeted ads and political messaging, but also to influence policing practices, insurance premiums, college admissions, housing opportunities, online dating matches, and career growth. Whoa.
For consumers, it’s a problem that feels intractable. For some business owners, it’s a moral dilemma. But this year, California enacted a sweeping new digital privacy law called the California Consumer Protection Act (CCPA). This summer, it became enforceable. Some businesses see the law as a major headache.
Not us. We see it as an opportunity.
What the CCPA Means for Your Business
To best understand how the CCPA will affect your business, look at it from the point of view of the consumer. The CCPA effectively lays out a bill of rights that California consumers have over their personal information. If you’re a California resident, you now have the right to:
- Know when a business is collecting information about you
- See the personal information a business has collected on you
- Opt out* of having your personal data sold
- Request that a business delete your personal data (with some caveats)
- Receive equal treatment and prices when exercising your data rights
*Consumers under 16 must “opt in” to data sales.
It’s important to note that not all companies are covered by the CCPA – only businesses that collect or receive data on more than 50,000 people, make more than $25 million annually, or generate more than half of their revenue from selling the personal data of Californians.
What Your Business Website Needs to be CCPA Compliant
The burden is on the consumer to actively request collected personal data or opt out of information sales, but businesses covered by CCPA have some obligations under the law, too. Most of them involve changing your company website.
For your business to be CCPA compliant, your company website must include:
- A prominently displayed link labeled “Do Not Sell My Personal Information” on your homepage and in your privacy policy. The link should lead to a page that gives consumers a straightforward way to opt out of information sales. Of course, you only need to provide this link if your business sells personal data, and you must comply with all opt-out requests.
  - Note: California consumers who are 16 years old and younger must opt in to allowing their personal information to be sold, and consumers who are under 13 need a parent or guardian to authorize the sale of their data.
- A toll-free number and a page where consumers can request the personal information your business has collected on them.
  - You can’t require a customer to create an account to make personal information requests. However, you do need to have a system in place for verifying consumer identities before handing out personal data.
  - You have 45 days to deliver the information requested.
- A page describing the consumers’ new rights under CCPA and instructions for how consumers can make requests.
  - If you have a privacy policy page, this information should go there.
  - This page should also list the kinds of information your company has collected, sold, and disclosed about consumers.
These are the requirements for your website, but your business might have to make some other changes, too. For more information, check out our deep dive on how the California Privacy Law affects businesses.
How to Use the CCPA To Your Advantage
Since the CCPA went into effect, we’ve kept an eye on how businesses have responded. We’ve seen it all – the good, the bad, and the ugly. Some companies have risen to the challenge, making CCPA requests easy on their customers. Others… not so much.
According to a report in the Washington Post, Best Buy forces consumers to change settings on their phones and web browsers, which makes other websites break. Mastercard requires the customer to adjust a long series of security preferences.
On the other hand, some companies have made requests for data deletions and opting out of data sales easy. Some of the big tech companies, like Amazon, Apple, Google, and Facebook, take CCPA requests from all Americans, not just Californians. While the effect on business remains to be seen, we know one thing for certain: forcing your customers to jump through annoying hoops to exercise a lawful right is a bad look. Instead, show your customers how much you care about their experience by making CCPA requests simple and quick.
1. Use your privacy policy to set your business apart from the competition.
To comply with CCPA, you’ll need a privacy policy (or at least a web page) that describes California consumer data rights. Why not use this as an opportunity to highlight your company’s amazing privacy policies?
At Northwest Registered Agent, our Privacy by Default policy page not only enumerates all the ways in which we protect consumer data (including never, ever selling it), but it also lists the above-and-beyond things we do to help our clients protect their personal information. For example, we let businesses use our business address on public documents and make sure the state government sees our bank information and IP address instead of the customer’s information. These steps protect our clients from spammers, advertisers, and fraud. It’s something that other companies can’t (or won’t) provide, and we’re proud of it.
Maybe your privacy policy isn’t something you’re proud of. Or maybe it’s just a lot of hard-to-understand fine print that you hope no one will actually take the time to read. If so, complying with the CCPA is an excellent opportunity to make a change. Write up a privacy policy that your customers can understand and get excited about. Make it a selling point.
2. Make CCPA requests easy.
Is there anything worse than wasting your customers’ time?
If exercising CCPA rights forces your customers to dig around on your website, wait on hold, fill out a miles-long form, or (please no) get a form notarized, your customers are going to become annoyed with you. Worse yet, they might suspect your business has something to hide. If you do collect and sell personal data, handling CCPA requests swiftly and fairly will help reassure your customers.
How you decide to receive CCPA requests is up to you, to a certain extent. Some companies provide a form. Others list an email address where customers can request their personal data or opt out of data sales. Whatever route you take, make sure it’s user-friendly and quick. As soon as you get a request, let the customer know you’ve received it and you’re on it.
Note: You can’t require a customer to make an account to request personal information, and you can’t discriminate against them for exercising their CCPA rights. That means pricing and services must stay the same and a CCPA request shouldn’t cost the consumer a dime.
3. If you can afford it, just don’t sell personal data.
We get it. Sometimes, you can sell your clients’ data for more money than you can make by selling your services. But more and more consumers are waking up to the fact that their privacy is slipping away, and they don’t like it.
When the social or legal landscape changes, successful businesses adapt. At Northwest Registered Agent, we watched as other companies sold client data, and we decided we’d never do that. Why? Because building trust with customers always pays off in the long run. So we decided not only to protect client data, but to make shielding client privacy a key tenet of our manifesto. Whether you choose us for LLC or corporation formation or registered agent service, you can be sure that your personal information will remain just that – personal.