Not to be outdone by the European Union, the California Consumer Privacy Act is a landmark piece of legislation that went into effect at the start of 2020. Its main purpose is to give California residents the right to know what personally identifiable (and semi-anonymous) data is collected on them and to be informed if this data is sold or disclosed to third parties.
If so, a company is required to inform the consumer who the third party is. The act also gives California residents the right to say no to the sale of their personal data, to review the data collected on them, and finally to request deletion/destruction of that personal data. It includes protections that prevent a customer from being discriminated against if they choose to exercise any of those rights.
Finally, it also requires businesses to “implement and maintain reasonable security procedures and practices” to protect that data.
Is My Business Excluded From CCPA Compliance?
Regardless of where your business is located, if it “does business” in California (meaning any transactions are done with California residents) you might have to comply with the CCPA.
If your organization earns more than half of its income selling consumer data/information, then you are absolutely required to comply.
If your business has marketed to, bought the data for, or has data on more than 50,000 individual consumers, you are required to comply.
Finally, if your company has gross revenues over $25 million annually, you are required to comply.
How Exactly Do I Comply?
If your content is likely to attract readership of minors under 13 years old, you must have a process in place (such as age verification) that obtains parental or guardian consent. For minors older than 13 years old but less than 16 years old, you must obtain their own consent to share their data (Cal. Civ. Code § 1798.120(c)).
If you are in the business of sharing or selling the data from your website, you must have a link on your homepage titled “Do Not Sell my Personal Information”. This page must have some mechanism that allows the consumer to opt out of the sale of their personal information (Cal. Civ. Code § 1798.130(a)).
At a minimum, your privacy policy should list the different methods by which a consumer can send you a request for a copy of the information you have on them. The law is a little confusing here, because it states that at a minimum a toll-free number should be provided. However, requiring every business to maintain a toll-free number does not seem to have been the intent.
The same provision goes on to say that online companies must at least provide a working email address through which consumers can make these requests (Cal. Civ. Code § 1798.130(a)). You must also update your privacy policy with the newly required information, including a description of California residents’ rights (Cal. Civ. Code § 1798.135(a)(2)).
Another way to comply is to have a Privacy Policy page accessible on your website that explains California consumers’ rights to privacy.
The company should also not ask a California resident to opt back in to the sale of their data for 12 months after they opt out (Cal. Civ. Code § 1798.135(a)(5)).
What kind of liabilities and punishments are defined in the law?
Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents (Cal. Civ. Code § 1798.135(c)).
Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages of between $100 and $750 per California resident and incident, or actual damages, whichever is greater, plus any other relief a court deems proper, subject to an option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it (Cal. Civ. Code § 1798.150).
Fines of up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155).
Privacy notices must be accessible and have alternative format access clearly called out.
The Department of Justice reviewed and approved all of this law’s language in 2017.
If I am not even in California, do I have to comply?
Very clearly YES. States enforcing each other’s laws is a well-trodden path. Yes, there are some exceptions; however, states are generally supposed to give full faith and credit to each other’s laws. In fact, the phrase ‘full faith and credit’ might tip you off to just how time-honored and entrenched this concept is. It happens to be Article IV, Section 1 of the US Constitution: “Full Faith and Credit shall be given in each State to the public Acts, Records, and judicial Proceedings of every other State.”
States have a legal framework for complying with this, and if a judgment is issued against you or your company in California, it will likely be ‘domesticated’ to your state. Enforcement of that judgment can then proceed against your bank accounts and other assets.