Do You Really Have to Comply With the CCPA?
Last week's column dealt with the thorny topic of whether or not a web-based business really needs to comply with the European Union's new (well, fairly new) General Data Protection Regulation, or GDPR.
Since the GDPR was made effective in May 2018, a number of U.S. states -- most prominently California -- have adopted "mini-GDPR" laws designed to regulate web-based businesses that have a significant economic presence in their states.
The California law -- called the California Consumer Protection Act of 2018, or CCPA -- technically went into effect on Jan. 1 of this year, although due to delays in adopting regulations to help interpret the law, California did not begin actively enforcing it until July 1, 2020. Failure to comply can result in a lawsuit from the California attorney general's office or (more likely) from aggrieved consumers who have a "private right of action" to enforce the law.
The CCPA applies to for-profit companies that collect and handle the personal information of California residents, regardless of whether they have a physical location in the state, and that (a) have annual gross revenue in excess of $25 million, (b) receive or share the personal information of more than 50,000 California consumers annually, or (c) derive at least 50% of their annual revenue from the sale of the personal information of California consumers.
The term "sale" is defined in an extremely broad way, covering any communication or transfer of a consumer's personal information to another business or third party for monetary "or other valuable consideration" -- if the company receives any sort of benefit in exchange for the data, the transfer is a "sale" subject to the CCPA. Traditional website privacy policies -- which allow web-based companies to share data with their "affiliates" (seldom, if ever, defined) without the customer's consent -- will need to be rethought and revised if the CCPA applies.
Now, I can hear some of my readers saying, "Hold on a minute! This is a column for small businesses. You have just told me my business is too small to even worry about the CCPA, so I'm on to the next article." Before you turn the page, there are two reasons why your business should consider at least making an effort to comply:
-- At least 17 U.S. states (including New York, Maine, Massachusetts and Nevada) have adopted laws similar to the CCPA over the past 12 to 18 months.
-- Your customers in other states are probably well aware of the CCPA's requirements and will sooner or later expect you to offer them similar rights.
Perhaps the most important right granted to consumers under the CCPA is the right to opt out of sales of their personal information to third parties. The CCPA requires businesses to provide notice of the consumer's opt-out right by adding a conspicuous, separate and dedicated "Do Not Sell My Personal Information" link on their home page, where consumers can exercise this right. For consumers between the ages of 13 and 16, the ability to opt out is not enough; the consumer must affirmatively opt in before their personal information can be sold. For consumers under the age of 13, parental consent is required.
California consumers also have the right to know and to request access to their personal information, including (1) what categories of personal information have been collected, disclosed or sold, (2) the sources from which their information was collected, (3) the third parties receiving the personal information, and (4) the website's purpose for collecting or selling such information.