The California Consumer Privacy Act (CCPA) is a state-wide data privacy law, the first of its kind in the United States. Signed into law in 2018 after the Cambridge Analytica scandal, it regulates how businesses anywhere in the world are allowed to handle the personal information of California residents.
The effective date of the CCPA is January 1, 2020, and businesses have until July 1, 2020, to fully comply. You may have heard of the GDPR, the European privacy regulation that took effect on May 25, 2018. However, being GDPR-compliant does not mean that you are CCPA-compliant. They are similar, but not identical, so make sure you know how the CCPA applies to you and what you need to do to comply.
The key points of CCPA
Here’s a top-level summary of some of its basic tenets:
Right to request disclosure: Businesses must disclose what information they collect, why they collect it, and any third parties that share that data.
Right to access: California residents may submit a request to access the personal information collected about them in the past year. You have 45 days after the request to disclose:
- The categories of personal information you collected;
- The categories of personal information you sold;
- The categories of any third parties to whom you have sold their personal information;
- A list of which categories of their personal information you sold to each party; and,
- The categories of their personal information you disclose for business purposes.
Right to request deletion: California residents can submit a request for businesses to delete their personal information.
Right to opt out: California residents can opt out of their data being sold; however, businesses can offer “financial incentives” for being allowed to collect and sell data. Businesses must receive consent from minors before selling their information.
Right to equal services and price: Businesses cannot change their pricing or level of service or deny goods or services to someone who exercises their rights.
Personal information as defined in the CCPA can include direct identifiers (like name, alias, address), unique identifiers (like cookies, IP addresses and account usernames), biometric identifiers (like face and voice recordings), geolocation identifiers, internet activity (like browsing history and search history), and personal data (like health, medical, financial, religious, political, sexual preference, employment and education data). While aggregate or anonymized data is not personal information in itself, it can become personal information if it can be used, by inference or in combination with other data, to identify an individual or a household.
What happens if I don’t comply?
Failure to comply with the CCPA can yield fines of $7,500 per violation and $750 per affected user in civil damages. Violations are counted per California user, which can add up quickly. For example, if you collect data from 1,000 California residents, you may be fined $7,500 x 1,000, which is a total of $7,500,000.
Who is responsible for CCPA?
CCPA applies to any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners (i.e. a for-profit business), anywhere in the world, that does business in the State of California and that has an annual gross revenue exceeding $25 million, collects or sells the personal information of more than 50,000 California residents annually, or derives more than 50 percent of its annual revenue from selling the personal information of California residents.
The first threshold, earning more than $25 million in revenue, is pretty straightforward, and most bloggers are probably nowhere near this level.
Collecting or selling the personal information of 50,000 California residents annually is the threshold most bloggers might fall under. While 50,000 visitors sounds like a lot, it comes out to 137 visitors to your site per day for you to be liable under the CCPA. Even if you’re not from California, the CCPA will apply to you as long as you do business in California, which for a blogger means having visitors from California. While you need to ensure that you provide the CCPA rights to your visitors from California, you are not required by law to do the same for all your other visitors (although doing so is probably the easiest way to comply). Does the 50,000 visitor threshold need to be all from California, or is that 50,000 visitors total? According to the CCPA, a person can live in California and not be a resident, or live outside of California and still be a resident. Confusing! The safest option is to take the threshold of 50,000 visitors as meaning any devices and visitors, regardless of whether they’re located in California or not.
You might also think that you don’t process any personal information on your blog. However, most blogs include personal data collection systems such as contact forms, comment systems, Google Analytics, mailing lists, and more. Therefore, if your blog has 50,000 visitors, you most likely will need to comply with the CCPA. (And if you have 4 million or more visitors there are extra requirements that we won’t go into in detail here, but know that they exist!)
The last threshold is if the business derives 50 percent or more of its annual revenue from selling consumers’ personal information. Sale of personal information is defined in the CCPA as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. This would include personalized or retargeted display ads, the Facebook conversion pixel, or even basic tools like analytics. There is an exception to this for Service Providers, which may process a business’s information and keep it for themselves. Any business that provides auditing, security, fraud, troubleshooting, customer service, payment processing, order fulfillment, internal research, quality control activities, or short-term non-identifiable use is exempt from the CCPA.
The conditions under which you have to comply with the CCPA are not cumulative: you have to meet just one of them for the CCPA to apply to you.
How Some Bloggers Can Avoid CCPA
Unlike the GDPR, the CCPA only applies to businesses, meaning only blogs for profit. So, if you blog as a hobby and don’t make money blogging, then the GDPR may apply to you but the CCPA does not apply to you.
What should I do to make my blog CCPA compliant?
- What, why, and how you collect and process personal data updated annually
- How users can access, change, or remove their personal data that you’ve collected
- Your method for verifying the identity of a user who is making one of those requests
- How data is sold and how a user can opt out of having their data sold
Get consent from minors
You’ll need to get consent from minors between the ages of 13 and 16, or from the parents or legal guardians of children under 13. You are required to obtain consent (opt-in) either when they arrive at your website or before you sell their data; either way, you cannot sell their data without their consent. You do not need user consent before collecting and using data from the other, non-minor users of your site.
Allow users to change their information
California users should have the ability to access, change, move, or delete their personal data. Your site should have a method for users to submit these types of requests, like a contact form, an email address, or a mailing address. If you have a physical location, you must also have a toll-free number. (This requirement has changed, so bloggers or small online businesses do not need to operate a toll-free number.)
Verify the user’s identity when they make a request
If users get in touch to change their information, you need a way to verify their identity. You should use the same type of authentication used when the personal data was originally collected; for example, you can ask them to confirm previously collected information. If you cannot verify the user’s identity, you should comply as best you can. If a user wants their information deleted but you cannot verify their identity, you can let the user opt out of having their information sold instead of fully deleting it. If there is no way to comply, you can deny the request.
Add a “Do Not Sell My Personal Information” link to your homepage
Keep records of exchanges with customers
Businesses have to keep records of all user requests, and must also record and save their responses. While no retention period is specified for these records, a minimum of 24 months is recommended, and if it’s simple enough, keeping them indefinitely is the safest option. If you receive a user request asking for disclosure of their collected personal information, you must provide the user with all personal information collected in the past year (including sources, purposes, and categories of third parties with whom it has been shared) for free. Users can also request deletion of this data.
It’s possible that businesses will offer incentives to those who allow for the sale of their data. If this is the case, you have to disclose details of the incentive, including how you calculate the value of the personal data.
The Differences Between CCPA and GDPR
While the CCPA guidelines look similar to the GDPR, there are some important differences. Thus, if your business is currently GDPR-compliant, that doesn’t mean it is automatically CCPA-compliant. Some CCPA requirements that the GDPR does not include are:
- Adding a “Do Not Sell My Personal Information” link on the homepage
- Creating a method for users to request changes to or deletion of their personal information
- Identifying the user who makes that type of request
- Getting consent from minors before selling their information
- Showing which categories of personal information have been sold in the past year
Will we have to comply with another regulation next year?
Most likely there will be more privacy regulations as lawmakers navigate this ever-changing online world. Nevada has already passed a more limited data law, and many other states have pending legislation. There is a proposed bill at the federal level in the United States for an Online Privacy Act, which we hope will simplify things; however, you never know what will happen next.