Although the California Consumer Privacy Act (CCPA) is a state-level law, it affects businesses outside of the state—even international companies that operate in the United States. The CCPA applies to for-profit businesses that do business in California and fall under one of three main criteria for gross annual income and the use, storage, or sale of personal information.
If your business fits the description, you’ll have to comply with the regulations set by the CCPA.
The CCPA is a data privacy law that gives California consumers more control over their personal information, that is, “information that identifies, relates to, or could reasonably be linked with” a California resident or their household.
The law protects personal information beyond basic details such as names and addresses; it also includes other non-commercial or private data, as well as any insights on the behavior or preferences of a consumer based on their online activity.
Not all businesses have to comply with the CCPA. The law makes the scope clear; it only applies to for-profit businesses that do business in California and meet at least one of the following:
This means that even businesses that aren’t located in California but do business in the state, e.g. online shops, marketing agencies, etc., must comply with the CCPA. And while it isn’t generally strict with small businesses that don’t need to, or don’t have the resources to, collect, store, or sell personal information through third-party means, businesses are encouraged to adhere to the law’s regulations just to be safe.
The CCPA sets regulations that guide businesses to comply with the law. Here are some examples:
To afford consumers their “right to opt-out,” businesses must provide a clear and conspicuous “Do Not Sell Personal Information” button or link on their website homepages or their mobile application’s settings menu. Businesses are not required, however, to get opt-in cookie consent.
Businesses must review and update their privacy policies to include the details of the CCPA, describing the rights established by the law. The policy must also make the data practices of the business transparent so consumers know how their personal information is collected and used.
Businesses must provide channels for consumers to request access to and/or deletion of personal information collected from them. To this end, businesses have to create a procedure that confirms, verifies, and processes such requests promptly, on top of making sure that copies of such requests are properly stored.
Businesses aren’t allowed to sell the personal information of minors without affirmative opt-in consent. So businesses must obtain opt-in consent through forms or links on their sites from consumers between the ages of thirteen and fifteen or from the parent or guardian of a consumer under thirteen years old before using their personal data.
To ensure that the CCPA is followed, businesses must train their employees about the law and how its implementation may affect the operations of the business.
Many businesses manage personal information through third-party sites and service providers. So business owners must take responsibility for making sure that agreements made in these partnerships are compliant with the CCPA.
Although not all businesses have to comply with the CCPA, all companies, especially those that deal with consumers in California, are encouraged to follow the law to avoid any hefty fines or lost business with the state.
Being transparent about your company’s data practices is also a good way to future-proof operations, especially since international markets are putting value on data privacy. It won’t be long until other states or countries adopt data privacy laws like the CCPA; it’s best to stay ahead.