24 Sep California Consumer Privacy Act
What you Should Know
By Hunter Laine
The California Consumer Privacy Act (CCPA) went into effect January 1, 2020, before the pandemic that swept the globe and altered daily life. It still, however, stands. It does not affect all businesses, but you should be aware of it. Even if it doesn’t affect you now, in the age of over-information, a push toward greater protection of privacy is the way of the future.
Your company is currently affected by the California Consumer Privacy Act if you:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of your annual revenue from selling California residents’ personal information.
Obviously, this does not apply to everyone; however, read carefully! It can apply even to small businesses, depending on the nature of their business.
The CCPA was created in an attempt to protect consumer privacy and give consumers more rights with regard to their personal information. As stated by the Office of the Attorney General, Xavier Becerra, personal information refers to:
information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.
If the CCPA applies to your business, you must:
- Provide notice to consumers at or before collecting personal data
- Allow consumers to opt out, read, and delete their personal data from the business’s storage. Companies must provide a “Do Not Sell My Personal Information” link for opt-out requests
- Respond to consumer requests within specific timeframes
- Show consumers privacy settings that signal their choice to opt out
- Verify the identity of consumers who ask to read and delete their information, even if they have a password-protected account with the business
- Disclose financial incentives for retaining or selling the consumer’s personal data and how they value that data
- Maintain records of all access requests for 24 months, as well as how the business responded
A lot of this can feel overwhelming, but it is absolutely necessary and worthwhile. The penalties for failing to comply are steep, ranging from $2,500 for inadvertent errors, to $7,500 for intentional non-compliance.