Are you familiar with the new California Consumer Privacy Act (CCPA)? If you deal with consumer data for customers living in California, you need to familiarize yourself with this Act now. The purpose of the CCPA is to provide California residents with the following rights:
- The right to know what personal data is being collected about them.
- The right to know whether their personal data is sold or disclosed and to whom.
- The right to say no to the sale of personal data.
- The right to access their personal data.
- The right to request that a business delete any personal information it has collected from them.
- The right to not be discriminated against for exercising their privacy rights.
The CCPA does not apply to all businesses, entities, and organizations. Nonprofit organizations, as well as many for-profit entities, are excluded from this Act. So how do you know if the CCPA applies to your business? Let’s discuss who this will affect.
This Act only applies to for-profit entities that do business in California, collect consumers’ personal data, and meet one of the following thresholds:
- Annual gross revenue of more than $25 million
- Buy or sell the personal data of 50,000 or more consumers or households annually
- Earn more than half its annual revenue from selling consumers’ personal data
If your business does not meet any of the three thresholds or the general requirements, then the CCPA does not apply to your business. If your business is governed by the CCPA, however, keep reading. Here is some information that you need to know.
There are several requirements your business must comply with to avoid sanctions under the CCPA. Failure to meet these requirements may result in fines of up to $7,500 per violation. As a company governed under the CCPA, you are required to:
- Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes (Cal. Civ. Code § 1798.120(c)).
- Add a “Do Not Sell My Personal Information” link on the home page of the business’s website that directs users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident’s personal information (Cal. Civ. Code § 1798.135(a)(1)).
- Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number (Cal. Civ. Code § 1798.130(a)).
- Update privacy policies with the newly required information, including a description of California residents’ rights (Cal. Civ. Code § 1798.135(a)(2)).
- Avoid requesting opt-in consent for 12 months after a California resident opts out (Cal. Civ. Code § 1798.135(a)(5)).
Again, failure to meet these requirements is punishable by fines of up to $7,500. The actual penalties depend on the type of violation discovered, with intentional violations carrying more substantial penalties than unintentional violations. If the CCPA applies to your business, now is the time to act to implement the requirements listed above.