The CCPA affords new rights to consumers*, with respect to the collection, use, and sale of their Personal Information (PI)**. In summary, they have a right to know what PI is collected, the right to request its deletion, and the right to say “no” to its storage, use, and sale.
Businesses that violate these rights may have civil lawsuits brought against them for up to $750 in damages, and/or be issued civil penalties of up to $7,500, per violation. These numbers are not meant to scare you, but merely to spur you into action, because there’s still time to prepare.
The steps to compliance are tangible for businesses of every size and budget, and TheEvaSite is here to spell them out for you and provide assistance as needed.
What businesses must comply with the CCPA?
The good news is that not all businesses must comply with the CCPA. The first criterion is that a business interacts with California consumers. This applies to both physical and online interactions, and disregards whether or not the business itself resides in the state. Some businesses believe that, because they do not interact with traditional “consumers,” individuals purchasing goods or services, they are not subject to the law.
However, the CCPA’s definition of consumer is “a natural person who is a California resident,” and extends to a business’ employees and their contacts at other businesses. Likewise, the law applies to business-to-business (B2B) companies as well as business-to-consumer (B2C). If you have any business ties to California, the CCPA might apply to you.
A business must also meet any one of the three additional criteria:
- Has annual gross revenues of more than $25 million;
- Alone or in combination annually buys, receives, sells, discloses or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices;
- Derives at least 50 percent of its annual revenue from selling, renting, releasing, disclosing, disseminating, making available, transferring, or communicating consumers’ personal information by the business to another business or a third party for monetary or other valuable consideration.
I’m a local small business. There’s no way this applies to me!
“50,000 or more consumers” might sound like an impossible threshold, but it can be met more easily than you think because of how broadly Personal Information is defined (see below). For example, under the CCPA, PI includes browsing history, search history, and other information regarding a consumer’s interaction with a website. Most websites have built-in trackers, or use an outside platform like Google Analytics, that automatically collect this information, and then some.
If you have a website and it gets 137 or more visitors a day who are California consumers, you would meet the threshold.
I do have a website. What can I do to prepare?
As illustrated above, if you have a website, mobile application, or run an online advertising campaign, you are at risk of unintentional noncompliance with the CCPA. Even if your risk is small, we recommend taking the following simple precautions, in anticipation of further expansion of the law or a similar law in your state.
+ Confirm where your website gets visits from.
Set up an analytics report to monitor the traffic trends from California to your site or app. If you are not yet tracking the traffic to your site, blog, or app, ask your web manager or provider.
You might not know exactly how many visitors are “California consumers,” because they might be looking at your site, blog, or mobile app from outside the state. However, you can get a broad idea from the traffic that comes from the state of California.
Recommendation – Likewise, you may contact us for help or a quick consultation.
+ Include the required information in your privacy notice
If your website, app and/or business is required to comply with California AB 375, you are required to inform Californian consumers about their rights under the bill. This means that you are required to notify Californian consumers of their rights and your privacy practices in your privacy notice at or before you collect personal information from them.
Also, before you use any category of personal information for other commercial or business purposes, you must obtain explicit consent from consumers.
These rights can be included in your privacy notice or by having a separate link on your website marked as “California Privacy Rights” which leads to a page explaining their California rights.
Recommendation – Check whether the Privacy Policy on your website, blog, or app is up to date; if it is not, add what is required.
At TheEvaSite we are partnering with Disclaimer Template (Attorney-Drafted Website Documents) to provide our clients with valuable resources – like Professional Website Privacy Notices, Disclaimers, and Terms of Use – to protect their Website, App, or SaaS Business from Legal Liability.
Definitions
*According to subdivision (e) of Section 1798.140 – “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.
**According to subdivision (o) of Section 1798.140 – “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.