Although the California Consumer Privacy Act (CCPA) is a state-level law, it affects businesses outside of the state—even international companies that operate in the United States. The CCPA applies to for-profit businesses that do business in California and fall under one of three main criteria for gross annual income and the use, storage, or sale of personal information.
If your business fits the description, you’ll have to comply with the regulations set by the CCPA. If you’re wondering: “does CCPA apply to government agencies?”, follow the link to see the answer.
What Is The CCPA?
The CCPA is a data privacy law that gives California consumers more control over their personal information or “information that identifies, relates to, or could reasonably be linked with” a California resident or their household.
The law protects personal information beyond basic details such as names and addresses; it also includes other non-commercial or private data, as well as any insights on the behavior or preferences of a consumer based on their online activity.
The CCPA Secures Four Basic Rights For California Consumers:
- The right to know what personal information a business collects, uses, and shares
- The right to delete their personal information collected by businesses (with some exceptions)
- The right to opt-out of the sale of their personal information
- The right to non-discrimination for exercising their rights under the CCPA
Businesses Under The CCPA
Not all businesses have to comply with the CCPA. The law makes the scope clear; it only applies to for-profit businesses that do business in California and meet at least one of the following:
- Has a gross annual revenue of over $25 million
- Buys, receives, or sells (or in any way makes available to another, e.g. renting, disseminating, etc.) the personal information of at least 50,000 California residents, devices, or households
- Derives at least half of its annual revenue from the sale of California residents’ personal information
This means that even businesses that aren’t located in California but do business in the state, e.g. online shops, marketing agencies, etc., must comply with the CCPA. And while it isn’t generally strict with small businesses that don’t need or have the resources to collect, store, or sell personal information through third-party means, businesses are encouraged to adhere to the law’s regulations just to be safe.
How To Comply With The CCPA
The CCPA sets regulations that guide businesses to comply with the law. Here are some examples:
Add An Opt-Out Option
To afford consumers their “right to opt-out,” businesses must provide a clear and conspicuous “Do Not Sell Personal Information” button or link on their website homepages or their mobile application’s settings menu. Businesses are not required, however, to get opt-in cookie consent.
Businesses must review and update their privacy policies to include the details of the CCPA, describing the rights established by the law. It must also make the data practices of the business transparent so consumers know how their personal information is collected and used.
Provide Channels For Data Access Requests
Businesses must provide channels for consumers to request access and/or deletion of personal information collected from them. To this end, businesses have to create a procedure that confirms, verifies, and processes such requests promptly, on top of making sure that there is proper storage of copies of such requests.
Businesses aren’t allowed to sell the personal information of minors without affirmative consent to opt-in. So businesses must obtain opt-in consent through forms or links on their sites from consumers between the ages of thirteen and fifteen or from the parent or guardian of a consumer under thirteen years old before using their personal data.
Train Employees About CCPA
To ensure that the CCPA is followed, businesses must train their employees about the law and how its implementation may affect the operations of the business.
Review Agreements With Third Parties And Service Providers
Many businesses manage personal information through third-party sites and service providers. So business owners must take responsibility for making sure that agreements made in these partnerships are compliant with the CCPA.
Although not all businesses have to comply with the CCPA, all companies, especially those that deal with consumers in California, are encouraged to follow the law to avoid any hefty fines or lost business with the state.
Being transparent about your company’s data practices is also a good way to future-proof operations, especially since international markets are putting value on data privacy. It won’t be long until other states or countries adopt data privacy laws like the CCPA; it’s best to stay ahead.