California Consumer Privacy Act (CCPA) is California’s response to the GDPR-like measures for protecting consumers’ privacy.
***Note: This post is a sample chapter from my new ebook called Legal Handbook for Bloggers & Entrepreneurs. The ebook is a comprehensive legal guide, likes of which do not exist in the blogging and entrepreneurial worlds for legal matters.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act of 2018 (“CCPA”) is a California law that gives California resident and consumers the right and ability to control certain aspects of businesses in regard to how to use personal data collected about the consumer by the business, as well as what they are allowed to do with it.
After several changes, the final amendments were signed on October 11, 2019, by the California Governor. This law is set to go into effect on January 1, 2020.
The CCPA has a lot of similarities to GDPR. Those people who have already made sure that their businesses and websites are GDPR compliant will not have a hard time complying with CCPA, as they’ll know exactly how to implement the changes under this new policy.
The CCPA is a lengthy document that has several different sections within it. The most frustrating part about this policy is that it’ll go into effect on January 1, 2020, which means that everyone must comply at that time. However, it’s a living document and, as such, it’ll be continuously amended and changed.
Who has to comply with the California Consumer Privacy Act?
Under CCPA a “business” is defined as any entity, whether a sole proprietorship, partnership, limited liability company, corporation, etc. that operates for profit for its own or its shareholders and stockholders’ benefit.
If a business collects consumers’ personal information or on behalf of which that information is collected, does business in California, or has California traffic, and satisfies one or more of the factors stated below, then that business is subject to CCPA.
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000);
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices. (this is the main basis for why bloggers and other online entrepreneurs must comply with CCPA);
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information
Similar to GDPR, you don’t have to live or have your business located in California. If you get traffic from California (which, basically, you do or will if you have an online presence), then you have to comply with CCPA rules.
The reason bloggers and online entrepreneurs fall under CCPA compliance is because of the second bullet point above. That basically makes any website that either sells, transfers, receives personal information of 50000 entries annually. This is not a high number and therefore most bloggers would satisfy this threshold. If you get 134 visits to your blog daily, then you’ll pass the threshold. Or, if you’re using ads on your site or making use of social media platform ads, such as Facebook and Instagram, then all of this will make you subject to the CCPA.
Under CCPA, personal information is defined even more broadly than before. Clearly, information such as name, last name, address, social security number, birth date is considered personal information. However, under CCPA, things like your IP address, domain, email, and more are also considered personal information.
Right to Request Disclosures
A California consumer has the right to request that a business that has collected the consumer’s personal information disclose exactly what information has been collected about the consumer and for what purpose.
Moreover, a business that collects personal information on consumers must notify the consumer as to what specific information the business will collect, and for what purpose— before such information is collected. Also, a business cannot collect more information than they notify the client about or use the collected information for a purpose that differs from what they told the client.
In such cases, the business must notify the consumer before it can use the collected information for another purpose.
A business is only obligated to provide the consumer with information regarding the collected data and the purpose of use when the consumer expressly requests such information.
In case of such requests, the business is obligated to carry out the request at no cost to the consumer, as quickly as possible, and provide the information in an easy and digestible format. However, a business is not required to provide personal information to the consumer more than twice (2 times) in a 12-month period.
Right to Request Deletion of Information
One of the tenets of the California Consumer Privacy Act is that the consumer has the right to request that the business that collected personal information on the consumer delete all of that information. This is the right to request deletion.
This is yet another similarity between the GDPR requirements and CCPA. Also, keep in mind that, similar to GDPR, any business or blog that collects personal information from the consumer must notify that consumer at the time of collecting the information that they have a right to request deletion of data, and must provide a method for communicating this to the consumer.
However, there are some instances when the business in question does not have to comply with the consumer’s request for deletion. Some of the grounds under which a business does not have to comply with a request for deletion are:
- To provide and complete the transaction for which purpose the information was collected in the first place (example: selling and delivering goods and services);
- In compliance with a legal obligation;
- To keep it for internal use that is reasonable to the consumer, and so on.
The Right to Detailed Disclosures
There is yet another section on the right to request disclosures, but this time with more detail than initially. What does this mean?
This simply means that a consumer has the right to request the following information from a business that collected personal information about this consumer:
- The categories of information (or the type of information) that was collected on the consumer;
- The sources from which the information on the consumer was collected;
- The purpose for which the information was collected;
- Information regarding any third-party business (if any) with whom the business shares consumer’s information;
- Any specific piece of information that the business collected about the consumer
Now, before I continue outlining key points of CCPA, I am going to mention that this is not exactly the most brilliant piece of legislature. The preparers wanted to make sure that the consumer will be able to request disclosure and mandate deletion of personal information collected by the business, and have those requests be honored by that business.
To make sure this would be the case, the CCPA legislator drove home these points over and over again. I will not go through the rest of the regulation line-by-line, but I will tell you the important and relevant points for bloggers & entrepreneurs.
Selling or Disclosing Consumer’s Personal Information to Third Parties
If a business sells, transfers or discloses a consumer’s personal information to a third-party for commercial purposes, then the consumer has the right to request that the business discloses to the consumer the following:
- All the different categories of information that the business has collected on the consumer;
- Categories of personal information that the business sold to third parties, and
- A breakdown of the specific information that each specific third-party business acquired about the consumer;
- Any personal information that the business not only sold, but disclosed to a third-party for business purposes.
Not surprisingly, a business should also disclose to the consumer if it plans on selling or disclosing the consumer’s personal information to a third-party.
Note, that the third party does not have any rights to sell or disclose the consumer’s personal information to anyone else, unless they gave the consumer explicit notice, and provided the consumer time and opportunity to opt-out.
Under the California Consumer Privacy Act (CCPA), two rights are being granted special attention—the right to opt-out and the right to opt-in.
Opting-out refers to the consumer’s right to dictate to the business that possesses the consumer’s personal information whether or not the business can sell the consumer’s information. The consumer’s right to dictate that a business cannot sell that consumer’s personal information to a third-party is the opt-out right.
To comply with the opt-out requirements, online businesses have to provide an opt-out button or link in a visible place that states “do not sell my personal information” or something similar.
A business does not have the right to sell a consumer’s personal information if the business knows that the consumer is less than 16 years old. However, if the consumer is younger than 13 years of age, the parents or legal guardians of the consumer must give express consent or affirmatively authorize the business to sell the consumer’s private information. This act of giving consent is referred to as the opt-in right.
After the business receives a consumer direction (whether to sell or not to sell), it cannot go against the consumer’s wishes; otherwise, there are legal consequences for that.
There is a useful provision under the CCPA, which forbids the business discriminating against consumers for exercising the rights given under this policy.
This means that if you, as the consumer, requested that the business does not sell your personal information to a third party, then the business cannot treat you differently because of that.
This means that a business cannot choose to charge you more or not offer you the same products and services as they do others. Not everything can be controlled when it comes to businesses, however. If a business decision has been made for other reasons (not having anything to do with the consumer’s rights regarding the sale of their information), the consumer may be denied goods or services without necessarily putting the business at risk.
There is an interesting point in the legislature where it states that a business may offer financial incentives to consumers for collecting information, providing disclosures, for the right to request deletion, etc. However, there is a very important requirement there that you must be aware of…the consumer must have opted-in before you can offer the incentive.
Let’s think of a hypothetical situation.
Let’s say you have an eCommerce shop, maybe WooCommerce or Shopify, or something as simple as SendOwl. Let’s go on to say that you have a system set up where, when a person visits your shop page, they encounter a pop-up box that offers them a 25% discount on their first shopping session, provided they sign up to your list.
Now, if that person wasn’t on your email list before, or wasn’t part of your network (in other words, has not previously opted in), then you cannot offer them the financial incentive to make a purchase from you and therefore capture their personal information.
Now, if that person has been part of your email list from before, then this won’t be a problem, and you can offer the financial incentives.
Compliance on the Business’s Side
Clearly, the CCPA’s goal is to protect the consumer, notify and educate the consumer of his or her rights, and make sure businesses are aware that they must comply.
The law states that when the consumer wants to make requests for disclosure, deletion, etc. the business must provide 2 or more designated (and easy) methods to make the request.
However, if you’re a blogger or an online entrepreneur, and you operate exclusively online, then you only need to provide an email address to consumers as a method to place the requests they want.
Moreover, if the business in question has an active website, the website itself must be made available for submitting those requests.
The business and its owner must deliver whatever it is that the consumer requested within 45 days after receiving a verifiable consumer request. The requested information must be delivered free of charge to the consumer. The business may extend the 45-day compliance time by another 45 days one time only, provided that the extension is reasonably necessary, and the consumer is notified.
In the case that businesses violate the CCPA, they will be subject to enforcement by the California attorney general’s office. The California attorney’s general office can seek civil penalties of $2,500 for each incidental violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure has been provided. Enforcement will begin after 6 months of the final amendments of the law, or on July 1, 2020, whichever is sooner.
After the GDPR went into effect, it was only a matter of time until something similar was adopted in the United States. The CCPA is a California rule; however, currently, there are several other states that are looking to adopt similar privacy measures.
If you liked this post and found it valuable in it, please click on the share buttons and share them with others.