The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. Is your website compliant? Don’t jeopardize your business with noncompliance.
An essential requirement for running any business nowadays is protecting your customers’ data and privacy. Since the California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, many businesses are scrambling to make sure they’re compliant.
If you’re feeling a bit underprepared, you’re not alone.
I’ll walk you through the new privacy rights, some of the basics of the law, and what to do to make sure your website is compliant.
Before CCPA there was COPPA and CAN-SPAM
A few years ago, the U.S. federal government passed two laws pertaining to privacy: the Children’s Online Privacy Protection Act (COPPA) and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).
Every state has also adopted its own version of a data breach notification law.
When the GDPR was enacted in 2018, California saw an opportunity to protect its consumers by passing the most extensive citizen privacy protection law in the United States.
What is the CCPA?
The California Consumer Privacy Act (CCPA) establishes the basis for handling the privacy rights of California residents. It also imposes regulations on businesses that process their personal information. The law takes effect on January 1, 2020.
Individual consumer rights
- Individuals have the right to know what personal data a business plans to collect.
- Individuals have the right to be told whether their personal data is sold, disclosed, or transferred, and to whom.
- Individuals have the right to know with whom their information is being shared.
- Consumers can opt out of the sharing of their personal data.
- Consumers must have access to their personal information.
- Everyone receives the same pricing and service whether or not they have exercised any of these privacy rights.
Businesses affected by the CCPA
The CCPA will affect any for-profit business that operates in California and collects consumers’ personal information. Such a business has to comply if it meets any of the following conditions:
- It has an annual gross revenue of $25 million or higher
- It buys, sells, receives, or shares the personal data of 50,000 or more consumers, households, or devices
- It makes the majority of its annual revenue from selling personal information
Expectations of your business
All California businesses must notify consumers of their data privacy rights. This notice must cover the right to have their data deleted, the right to know how their data will be used, and how to exercise those rights.
Consumer rights request timeline
Companies must implement a process to verify consumer requests. They must also have a system in place that timestamps the data they collect so it can be retrieved later on.
Providing contact information regarding privacy requests
Businesses need to have two contact methods available for people to submit requests. At a minimum, that means a phone number and an email address if they have one (or a physical address if they don’t). Businesses must also respond within 30 days of receiving a request, either by mail or electronically.
Deleting your data
When a consumer requests deletion of their personal information, the company must comply unless that information is necessary to complete a specific transaction, is needed for security or fraud prevention, or serves another purpose listed in the Act itself.
Opt-out expectations for your business
If your business sells data, you are required to disclose that you sell data. You’ll need to include a “Do Not Sell My Personal Information” link on your pages to give consumers a chance to opt out.
Your business must also continue to give equal service and pricing to any consumers who choose to opt out.
Penalties for non-compliance
Legal fees aside, businesses would face a $7,500 fine for each violation that hasn’t been addressed within 30 days. This is in addition to civil penalties, which range up to $2,500 per violation.
Making your websites compliant
Your website is where you comply online, and it is the main tool you have for meeting these regulatory requirements.
Bundled or single consent will no longer be permissible under the CCPA. Your website will need to display a separate consent form for each instance in which it gathers personal information.
Additionally, your website should automatically recognize when consent still needs to be collected, even after a consumer moves on to a different data-gathering area of the site.
Right to be forgotten
Under the CCPA, a consumer’s ‘right to be forgotten’ gives them the right to have all of their personal information removed from your system. This includes every location and repository on your network where their data may reside.
You need to know at all times where consumer data resides on your website, so it can be found easily and removed promptly.
You’ll also want your website to notify you when someone requests removal, so you can react in a timely manner.
Your website should also track any employee access to consumers’ personal information. Knowing who in your business has accessed, or is accessing, consumers’ personal information is part of maintaining strict compliance.
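The mechanics described in the last two sections (one consent per purpose, recognizing when consent is still missing, a timestamped deletion request with a 30-day response deadline applied across every repository where the consumer’s data lives, retaining only records still needed for a transaction or fraud prevention, and logging which employee accessed which consumer’s data) can be modelled in a small amount of code. The following is an added example written for this article; it is not code from the original post or from any product, and every name in it (PrivacyStore, fulfil_deletion, the repository names, consumer and employee ids) is an assumption. The law prescribes outcomes, not this design.

```python
"""Added illustration, not code from the original article.  An in-memory model
of the website-side mechanics described above: per-purpose consent, timestamped
deletion requests with a 30-day deadline applied across every repository, and a
log of employee access.  All names are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RESPONSE_WINDOW = timedelta(days=30)  # response window the article cites


@dataclass
class Record:
    consumer_id: str
    purpose: str
    value: str
    collected_at: datetime            # every record is dated when collected
    retain_reason: str | None = None  # e.g. "pending_transaction", "fraud_prevention"


@dataclass
class DeletionRequest:
    consumer_id: str
    received_at: datetime
    deadline: datetime
    deleted: int = 0
    retained: int = 0
    completed_at: datetime | None = None


class ConsentRequiredError(Exception):
    """Collection attempted for a purpose the consumer has not consented to."""


class PrivacyStore:
    def __init__(self, repositories, now=None):
        self._now = now or (lambda: datetime.now(timezone.utc))
        self.repos = {name: [] for name in repositories}  # repo name -> [Record]
        self.consents = {}    # (consumer_id, purpose) -> datetime consent was given
        self.requests = []    # DeletionRequest objects, oldest first
        self.access_log = []  # (timestamp, employee_id, consumer_id)

    # Consent is recorded per purpose, never bundled.
    def needs_consent(self, consumer_id, purpose):
        return (consumer_id, purpose) not in self.consents

    def record_consent(self, consumer_id, purpose):
        self.consents[(consumer_id, purpose)] = self._now()

    def collect(self, repo, consumer_id, purpose, value, retain_reason=None):
        """Store data only if consent for this exact purpose is on file."""
        if self.needs_consent(consumer_id, purpose):
            raise ConsentRequiredError(f"no consent for {purpose!r} from {consumer_id!r}")
        self.repos[repo].append(Record(consumer_id, purpose, value, self._now(), retain_reason))

    # Every employee lookup of a consumer's data is logged.
    def access(self, employee_id, consumer_id):
        self.access_log.append((self._now(), employee_id, consumer_id))
        return [r for recs in self.repos.values() for r in recs if r.consumer_id == consumer_id]

    # Deletion requests are timestamped, given a deadline, and applied to all repositories.
    def request_deletion(self, consumer_id):
        now = self._now()
        req = DeletionRequest(consumer_id, now, now + RESPONSE_WINDOW)
        self.requests.append(req)
        return req

    def fulfil_deletion(self, req):
        for name, recs in self.repos.items():
            keep = []
            for r in recs:
                if r.consumer_id != req.consumer_id:
                    keep.append(r)
                elif r.retain_reason:  # still needed for a transaction / fraud prevention
                    keep.append(r)
                    req.retained += 1
                else:
                    req.deleted += 1
            self.repos[name] = keep
        # Drop consents too, so the site asks again instead of silently re-collecting.
        for key in [k for k in self.consents if k[0] == req.consumer_id]:
            del self.consents[key]
        req.completed_at = self._now()
        return req

    def overdue_requests(self):
        now = self._now()
        return [r for r in self.requests if r.completed_at is None and now > r.deadline]


def demo():
    """Constructed scenario with a fixed clock; returns a summary for inspection."""
    clock = [datetime(2020, 1, 1, tzinfo=timezone.utc)]
    store = PrivacyStore(["crm", "analytics"], now=lambda: clock[0])
    store.record_consent("c1", "newsletter")
    store.collect("crm", "c1", "newsletter", "c1@example.com")
    try:  # no consent yet for the "analytics" purpose, so collection is refused
        store.collect("analytics", "c1", "analytics", "page views")
        blocked = False
    except ConsentRequiredError:
        blocked = True
    store.record_consent("c1", "order")
    store.collect("analytics", "c1", "order", "order #42", retain_reason="pending_transaction")
    store.access("emp7", "c1")
    req = store.request_deletion("c1")
    late = store.request_deletion("c1")  # a second request that is never fulfilled
    store.fulfil_deletion(req)
    clock[0] += timedelta(days=31)       # advance past the 30-day window
    return {
        "blocked_without_consent": blocked,
        "deleted": req.deleted, "retained": req.retained,
        "consent_needed_again": store.needs_consent("c1", "newsletter"),
        "access_log_entries": len(store.access_log),
        "overdue": len(store.overdue_requests()),
        "deadline_days": (late.deadline - late.received_at).days,
    }
```

In the scenario, the newsletter record is deleted while the order record is kept because it is tied to a pending transaction, the consumer’s consents are cleared so the site will ask again before collecting anything new, the employee lookup is on record, and the unfulfilled second request shows up as overdue once the clock passes its deadline.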
Given the new CCPA compliance regulations and the potential for other data privacy laws to come into effect, the most critical features your website can have are flexibility and customizability.