How Your Business Could be Affected by the California Consumer Privacy Act

Protecting your business from the California Consumer Privacy Act

Data: A Gateway to Our Day-to-Day Processes and Transactions

Our data often feels like a form of currency to be used in transactions. You can provide your email in exchange for a discount code for those shoes you’re eyeing or you can connect that addictive game you play on your phone to your social media account in exchange for additional lives. More and more often, surrendering our data is a prerequisite for the experiences we want and the tasks that we seek to complete online. From the convenience of online shopping to the ubiquity of ride-sharing to our online banking, messaging, and coffee-ordering apps, we are often willing to trade rights to our personal data as a gateway to some of those day-to-day processes we desire. 

The Best Way to Protect Your Data is Not to Share It

While almost all of us are concerned about protecting our data, only a small portion of people (around 10%) feel as though they have complete control over their personal information. Many people expect brands and businesses to treat their consumers’ data with respect, integrity, and care. How well companies take care of their consumers’ data has a huge impact on the trust that consumers then place with those companies. The reality is that, for years, there has been little that consumers can do to protect themselves once they have entrusted companies with their data. The primary way that consumers have ensured the security of their personal information has been to not share it in the first place, which for most, now seems like a near-impossibility.

A Worldwide Effort to Give Consumers Control Over Their Data: GDPR & CCPA

With the increased role our personal data plays in our transactions and digital experiences, as well as the frequency and impact of personal data breaches, consumers have been asking local and national governments for improved protection of their personal information. 

In an effort to give consumers more control over their data, the European Union enacted a piece of legislation called the General Data Protection Regulation (GDPR) in 2018. The GDPR establishes a set of standards that enforce better processes and procedures regarding the collection and sharing of EU citizens’ data. These standards are to be adopted in the EU but will also extend internationally to all companies that collect or process the data of EU citizens.

While the GDPR affects U.S. companies, there has not yet been similar legislation enacted in the U.S. That changed on January 1, 2020, when The California Consumer Privacy Act of 2018 (CCPA) went into effect. Though similar in intent, the CCPA is not a carbon copy of the GDPR, and will require different measures in order to obtain and maintain compliance. 

The CCPA provides consumers with the rights to:

  • Know what information is being collected about them, have access to that information, and know whether that information is being sold (and if so, to whom). They have the right to this information from the past 12 months
  • Deny the sale of their personal information
  • Be free from discrimination in price or service, should they choose to exercise their rights under the CCPA

From a consumer perspective, this type of legislation is beneficial and gives consumers some power and control over how their data is used. But what does this legislation mean for the businesses that must comply with the new standards, and how can you be sure that you’re achieving and maintaining compliance on your site? 

Does the CCPA Apply to My Website or Business?

Your business and website will be subject to the CCPA if:

  • You collect and process the personal information of at least 50,000 California residents, households, and/or devices per year
  • Your business has annual gross revenues of at least $25million
  • At least 50% of that revenue is generated from the sale of California residents’ personal information 

If you do not currently meet any of these criteria but could, you may want to consider having a plan or strategy in place for CCPA compliance As soon as you cross the threshold and meet the criteria, your compliance will be required. Even if you will likely never be directly affected by the CCPA, it is still important to understand the types of legislation that are being passed regarding personal information, as similar standards and requirements will likely continue to be enacted.

The CCPA will be enforced by the California Attorney General, but also accounts for a “private right of action”, wherein consumers can bring an action against the company should they experience “unauthorized access… theft, or disclosure” of their personal information. The penalties for non-compliance include statutory damages, and can also affect a company’s reputation and the trust that its consumers place in it.

I Meet the CCPA Criteria … What’s Next?

There are operational and strategic implications that your organization will need to address to stay up to date with CCPA criteria. These include implementing the necessary technical systems and methods and establishing the manpower to field and respond to requests. There is no better way to guarantee that you are prepared than to familiarize yourself with the legislation and ensure that the proper systems are in place. While your website is just one of those systems, we will primarily focus on how you will need to modify your website to ensure CCPA compliance.

Obtain Consent from Minors:

  • While the CCPA does not prevent you from selling the information of your users, it does specify that if you know that you are collecting and selling the data of minors (i.e. 13-16 years old), you must first obtain their explicit consent to do so. If they are younger than 13, then you must obtain the consent of their parent or guardian and must have methods of verifying that the consent-provider is, in fact, the minor’s parent or guardian. For example, requiring the guardian to sign a consent form under penalty of perjury or to contact trained personnel to verify their identity. While your business will need to determine what process makes the most sense for your users and needs, your website experience should help make this process as clear as possible. In addition to accurately explaining your approach to data privacy in your Privacy Policy, you might consider using elements like global alerts and modals (similar to those often used to request permission to track cookies) to initiate the process for parents or guardians to provide consent and learn more about how you use and sell data
  • While the law does not explicitly require or specify a time-frame for the storage of the authorizations themselves, it does state that a parent or guardian must be able to change their minor’s opt-in/out status later on. It will likely be advantageous for you to keep and be able to produce a record of the consent that you have successfully obtained as well as the rejected consent requests should any potential discrepancies or disputes around a minor’s status arise.

Allow Users to Opt-Out of the Selling of Their Data

In order to meet CCPA requirements, you must give your users the opportunity and means to opt-out of the selling of their data via at least two methods (e.g., a toll-free phone number and your website).

You must include a clear, accessible “Do Not Sell My Personal Information” link on your homepage, and that link must enable the user to opt-out of the sale of their personal information without first creating an account. Their choice to opt-out must be respected for at least 12 months before again requesting their authorization to sell their information. 

Update your Privacy Policy

Your Privacy Policy should reflect the changes that you are making in order to be CCPA-compliant, and should be revisited every 12 months. The minimum requirements for your site’s Privacy Policy include:

  • What personal information you collect and process
  • How you use the collected information 
  • Your method for collecting personal information
  • How your users can request access to their personal information or modify, move, or delete their information. You must have two or more methods by which users can request this information, and must fulfill the request for free within 45 days of receiving this request
  • How you will verify the identity of the party who submits such a request
  • How and to whom you sell users’ data and how they can opt-out of the sale of their personal information

Although the CCPA is primarily data-related and will only require minor modifications to your site experience itself, it is an influential and long-awaited step toward providing consumers with more control over their personal information.

How CQL Can Help Your Business Become CCPA Compliant

Interested in learning more about CCPA, and finding out if your business site is compliant? Our Experience Design team can help. Contact us today or click the button below: