Have you heard about the California Consumer Privacy Act (CCPA)? This historic privacy bill was unanimously passed and signed into law in the summer of 2018. When it takes effect in 2020, this new law has the potential to significantly affect your business – even if you’re not based in California.
So are you positioned to be CCPA compliant? See what you need to do and how the CCPA may affect your online sales in the years ahead, no matter where your business is located.
What is the CCPA?
The CCPA is a law that protects the rights of the Californian consumer. If you’re involved in ecommerce, you’ve probably already dealt with the General Data Protection Regulation (GDPR), which took effect last year to protect the privacy of residents of the European Union. The CCPA takes a similar approach to privacy but is specific to California residents.
The CCPA gives Californians the right to:
- Know what personal information is being collected about them online
- Know if their information is being sold or disclosed and to whom
- Stop the sale of their personal information
- Request to see the personal information collected about them
- Request deletion of personal information
- Receive equal service and pricing regardless of privacy choices
Who does the CCPA affect?
Are you an online retailer? Then pay attention. If you think the CCPA won’t affect you because you’re not based in California, pay even closer attention.
The CCPA applies if you’re a for-profit entity, collect or control any information about a California resident, and meet any one of the following criteria:
- You have personal information about 50,000 or more people, households or devices.
- You earn more than half of your revenue from selling consumers’ personal information.
- Your annual gross revenues total $25 million or more.
That’s right. Even if your business is in another state, if you have any dealings with California residents, you will be expected to comply with the CCPA.
What is considered “personal information” under the CCPA?
Good question! If you’re wondering if the definition of personal information has changed under the CCPA, it has.
The CCPA broadens the definition of “personal information” to include any data that “identifies, relates to, describes, is capable of being associated with or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
This expands the definition under California law to include IP addresses, browsing history and internet search information, location data, work history, education information and more. The CCPA also specifies that any “inferences drawn” from personal information data to “create a profile about a consumer reflecting the consumer’s preference, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” constitute personal information as well.
What can you do to be CCPA compliant?
Is your data a mess? Time to fix it. To be CCPA compliant, you need to be able to locate and serve personal information about California residents upon request. Do you work with any third-party processors, e.g. ecommerce platforms? If so, do you know how they’re using your customers’ data? It’s time to find out. Since the CCPA is so similar to GDPR (although there are some key differences), it’s a good idea to recall any resources and processes you used to become GDPR compliant.
Another element of the CCPA is that it raises the opt-in age for the collection of data. Previously, the Children’s Online Privacy Protection Act required consent from a legal guardian to collect data on users under the age of 13. The CCPA raises that age. Now, users under 16 will be required to opt in. But those between the ages of 13 and 16 can provide their own authorization instead of requiring a guardian’s OK.
If you’re concerned you won’t be compliant by the deadline, you’re not alone. Only half of the affected businesses expect to be compliant by the deadline. The good news? Although the law goes into effect in January, enforcement isn’t scheduled to begin for another six months.
How might the CCPA affect business going forward?
There are still some unanswered questions on this front. But it’s probably safe to assume that, while California is the first to adopt a GDPR-like measure, it won’t be the last. California is the world’s fifth largest economy, and where it leads, other states often follow.
If your business isn’t currently required to carefully manage consumer data and provide it upon demand, there’s a good chance it will be soon. Is your data management up to snuff? And what do you know about the third parties that have access to your data? Now is the time to do discovery. Get started on data mapping now so you don’t get caught in a jam later.