If you have customers in California, you need to read this post.
California recently enacted the CCPA (California Consumer Privacy Act) as of January 1, 2020. The law gives consumers control over how their information is used and stored and allows them to opt-out of having their information sold. Businesses must respond to the consumer within 45 days of a data request or risk fines and possible lawsuits. Be aware that a business doesn’t have to reside in California for this law to apply. If you have customers in California, there’s a good chance you may need to take steps to be compliant.
It is common for businesses to collect customer information such as email addresses, names, credit card information, phone numbers and possibly some preferences regarding notifications and marketing. Almost all websites also collect customers’ website activity including; geolocation, IP Address, and cookies. All of these data points, if collected on California residents, may now require additional compliance.
First and foremost, I am not an attorney. If you want a legal opinion on these topics you should reach out to one. This post covers the initial steps you can take to see if your business qualifies under the CCPA and how to begin to identify the Personal Information you may be collecting on your customers.
What are the qualifiers that will force the CCPA (California Consumer Privacy Act) on your “For-Profit” business?
A for-profit business qualifies under the CCPA if it collects CA residents’ “Personal Information” and either:
- Has as annual gross revenues of $25 million; or
- Annually buys, receives, sells, or shares Personal information of 50,000 CA residents; or
- Derives 50% of its annual revenues from selling CA residents’ personal information.
What is considered Personal Information under the CCPA
Under the CCPA, Personal Information is not just highly sensitive data like Social Security Number but includes; name, email address, IP address, cookies, protected classifications, geolocation, purchasing or consuming histories, internet activity information such as browsing history, and the list goes on. Needless to say, if you are collecting information about a California resident, you already had a requirement to protect this personal information, but there is more involved under the CCPA.
What does the CCPA (California Consumer Privacy Act) mean for your business?
In order to respond to a consumer data request, you must have a firm grasp on where you store your personal consumer information, where you share it, and how it’s protected.
Here are some steps you should consider to ensure compliance with CCPA:
- Locate any personal information you have stored on consumers. This can be difficult and sometimes requires assistance to locate data in structured databases and unstructured storage such as spreadsheets and documents. We can help with this.
- Identify if you are sharing consumer information with any third parties. Many companies will collect information on consumers and analyze it carefully to improve marketing and increase profitability. Third-party analytics firms are also commonly used to automate sending emails to the consumer, recommend coupons and marketing campaigns by geographic location and even improve other third-party data analytics. You will need to provide the consumer with the names of these organizations and how they are using and processing their information. Caution: depending upon how a third party uses the data, it can be considered “selling” consumer information and this must be disclosed.
- Review the privacy policies that are posted on your website and ensure you tell the consumer how you will use their information and how you will protect it.
- Establish a process to receive consumer requests and make sure you can respond within the 45 day period required by the CCPA.
These are just a few items that you must consider, and if you want our opinion, it is just the tip of the iceberg. It’s rumored many other states will pass similar laws, and possibly the Federal government will follow this practice. If you are a Google Enterprise user, and you count on the reliability and security of Google it may be easier to identify where Personal Information is stored, protect your data and establish compliance.
Contact us to learn more about how we can assist with your CCPA compliance.