By Eric D. Morton
California’s new privacy law, the California Consumer Privacy Act (“CCPA”), went into effect January 1, 2020. The California Attorney General (“AG”) began enforcement this summer. Businesses need to understand whether the CCPA applies to them and, if so, what they need to do to comply. What is more, if you’re a California business that reaches into other states, you may be subject to their laws as well.
It’s a brave new world out there when it comes to data. As a result, there’s one inquiry that every business must now consider: What data do I collect, where did it come from, where do I store it, and how am I using it? Even if your business is not subject to CCPA, you must know your data. We wrote about this last year: Where is your data?
Does CCPA Apply To You?
CCPA applies to companies that either (1) have an annual gross revenue of $25 million or more; or (2) buy, receive, sell, or share the personal information of more than 50,000 California consumers for commercial purposes; or (3) derive 50% or more of their annual revenue from selling California consumers’ personal information.
Many small business owners believe that CCPA does not apply to them, considering they don’t meet the revenue requirements and they don’t make money from selling consumer information. They are also sure that they don’t collect the personal information of 50,000 consumers each year. Thus, they are often surprised to learn that if they operate a popular website that has even 150 unique visitors every day, they are likely to meet the 50,000 consumer threshold simply by collecting data from each of those visitors via Google Analytics, cookies, or some other mechanism. And in that case, CCPA likely applies to them if they’re a for-profit business that is not exempt from CCPA.
What counts as consumer personal information? Consumer information is currently defined under CCPA as individual, household, or device information. Among other things, consumer information includes identifiers such as real name, alias, postal address, unique personal identifier, online identifier, internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers; commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; biometric information; internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement; geolocation data; and many other categories of information that can be used to identify an individual, household or a device used by a consumer or a household. It’s quite a long list, to say the least.
In other words, consumer information can include almost anything that identifies a consumer.
Business Obligations and Consumer Rights
Businesses that must comply with CCPA have a number of obligations. Businesses must:
- Give Notice. A business that collects a consumer’s personal information must inform consumers, at or before the point of collection, as to the categories of personal information to be collected and the purposes for which the categories of personal information will be used.
- Retain Information. CCPA imposes a 12-month look back requirement. Businesses must retain consumer information or a record of what happened to that information for the previous year.
- Respond to requests for information. The CCPA grants consumers the right to request that a business disclose all the information it has collected about the consumer. The business must provide two different means to request that information. The business must promptly reply to any such request.
- Deletion. Consumers have a right to request that a business delete their information.
- Comply with Opt-out/Do not sell requests. Consumers have a right to request that a business not sell their information to third parties. Businesses must provide the means to do so. Even if you don’t strictly “sell” consumer data, your data sharing practices may fit the CCPA definition of “sale,” which is quite broad.
What to do
- Determine what information your business collects and where it is located.
- Determine if your business must comply with CCPA. If in doubt, the safe answer is yes.
- Have a compliant website. This includes giving legally sufficient notice to consumers and opt-out/Do not sell choices.
- Create systems for compliance. For instance, SOPs should be in place for handling requests for information and the means to comply with such requests.
- Ensure that vendors who receive consumer information from you–and your contracts with them–comply with CCPA.
Eric D. Morton is the founder and principal attorney at Clear Sky Law Group. He can be reached at 760-722-6582, 510-556-0367, or email@example.com.