California’s New Privacy Law (CCPA)
We thought 2019 was a tough year for the online tech world, and now 2020 begins with a bang with a new chapter in privacy laws and the protection of personal information. That’s right folks, California passed a strict new law that just went into effect on January 1, 2020. The California Consumer Privacy Act (CCPA) is the toughest privacy and data legislation to pass in the United States, but what does it mean for your website? Are you affected? We will break it down for you the best we can.
What Is The CCPA?
California is the first state to take serious action to protect consumers’ data and its use. The new law allows California residents to opt-out of their data being collected, shared, and sold. It also allows them to request a report on the data collected, and to ask for it to be deleted. Reports on data must include all data collected from the previous 12 months.
The law doesn’t affect every company, but if you are a California-based business or collect information online from anyone who lives in California, the CCPA may apply to you.
Who Does It Affect?
The CCPA only applies to certain for-profit businesses - they must collect and control California residents' personal information, do business in the state of California, and meet at least one of the following criteria:
- Have an annual gross revenue larger than $25 million.
- Collect and/or disclose personal information of 50,000 or more California residents, households, or devices each year.
- Earn 50% or more of their annual revenue from selling California residents' personal information.
Nonprofits and companies that do not meet any of those thresholds are excluded from compliance.
What Data & Personal Information Is Included?
The CCPA goes farther than any previous legislation in terms of what’s considered personal information and consumer data. It’s no longer just about selling email address data. It includes, but is not limited to:
- Identifiers like names, usernames, email, driver’s license or passport numbers, IP address and postal address.
- Protected class information, such as race, color, national origin, religion, age, sex (gender), sexual orientation, and physical or mental disability.
- Browser and internet search histories.
- Bio-metric information.
- Geo-location data.
- Audio, electronic, visual, thermal, olfactory or similar information.
- Consumer preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- Education information that is not publicly available.
What’s At Stake?
The penalties for noncompliance are steep. While the law is in effect now, it will not be enforced until July 1, 2020. At that time, fees will range from $2,500 per violation to $7,500 (if it’s an intentional violation). Consumers may receive compensation from $100 to $750 for data breaches, and class action lawsuits are a possibility.
Any company that must comply with the law needs to seriously take a look at what information they collect, who they share or sell that information to, and where they store it. If a consumer requests a report of their data, it must be supplied within 45 days. Companies must also have a system in place for easily deleting data if the request made. If you are affected by this new law, it’s time to take action.
What Verbiage Needs To Change?
One key factor in compliance with CCPA is a privacy disclosure on websites notifying visitors about what information is being collected and how it will be used. Privacy policies were already required, but now the information is more stringent. In fact, CCPA compliant privacy policies must now include the following:
- A description of the consumer’s rights and one or more designated methods for submitting requests to enforce those rights;
- A list of the categories of personal information that the business has collected about Californian consumers in the last 12 months;
- A list of personal information that the business has sold in the last 12 months by category. If the business has not sold any information in the last 12 months then this has to be stated as well; and
- A list of personal information that the business has disclosed to third parties in the last 12 months by categories. If the business has not disclosed any information in the last 12 months, then this has to be stated as well.
Automated Privacy Policies
Written By Real Attorneys
CCPA may not affect your business now, but each state has its own laws and policies. Are you covered? Don’t get caught without proper privacy policies in place - the cost is just too high.