If you have a website in the United States, you can count on some of California’s 40 million residents visiting your site. On January 1, 2020, the California Consumer Privacy Act (CCPA) goes into effect. Is your site ready?
What is the CCPA?
The California Consumer Privacy Act of 2018 established a number of consumer privacy rights. As legislation goes, it’s pretty readable. If you are responsible for digital marketing or consumer affairs, you should read it. For everyone else, I’ve read the full text of the CCPA and the Attorney General’s guidelines for you. Here’s your executive summary.
The law starts by laying out some personal rights for the digital age:
- You have the right to know about and control the sale of your personal data.
- You can request a business delete personal information about you (with some limits).
- You can tell a business not to sell your personal information.
- A business can’t discriminate against you for exercising your rights.
- Both consumers and the Attorney General can take a business to court for failing to comply with requests.
- Businesses must not collect information about children without parental or guardian consent.
OneTrust wrote a very readable summary of proposed CCPA regulations as part of their CCPA blog series.
Is CCPA the same as GDPR?
No. They’re similar, and they overlap, but being General Data Protection Regulation (GDPR) compliant does not ensure you are also ready for CCPA. PwC summarizes the differences in this chart:
Who must comply with CCPA? Are there any exceptions?
The law applies to companies that interact with California residents, and where any of these three things are true:
- $25 million or more in revenue per year
- Buys, sells, receives, or shares personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of their annual revenue from selling consumer personal information
In other words, you can get out of CCPA if you are small, don’t process much consumer data, and don’t make money from that data.
The law covers interaction with California residents who happen to be outside the state. Yes, tourists and holiday visitors count.
There are nine cases where a business does not have to delete data:
- To complete a transaction which requires that information
- To detect or prosecute security incidents
- To debug or repair errors in a system
- To exercise free speech
- To comply with the California Electronic Communications Privacy Act (Part 2, Title 12, Chapter 3.6, Section 1546 of the California Penal Code)
- To engage in public or peer-reviewed scientific, historical or statistical research
- For “solely internal uses” that are “reasonably aligned with the expectations of the consumer”
- To meet a legal obligation
- Other internal uses which match why the consumer gave you the data
What must I do?
Under CCPA you must:
- Notify consumers of their CCPA rights, including the right to deletion, right to know, and data portability rights.
- Tell consumers how to exercise these rights.
- Be ready to fulfill consumer requests.
- Be ready to find and remove personal information from your data.
- Be ready to mark personal data as non-portable (not to be sold or transferred).
- Provide Californians with at least two ways to contact you, including a website or toll-free phone number.
CCPA is mostly about business processes, but it does have some technical requirements too.
If you have a website, you must provide a page that lets California residents send you their requests. If you ever sell personal information, you are also required to have a link somewhere on the page with the exact text “Do Not Sell My Personal Information”. That link must lead to a description of their rights under CCPA and give them a way to opt out of the sale of their personal information.
If you have not disclosed personal information about consumers, you must state that fact. In other words, you have to declare something either way; you cannot simply ignore CCPA.
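The following is an added example, not code from the original post or from Imarc, showing what “be ready to find and remove personal information” and “be ready to mark personal data as non-portable” can look like in practice. It runs a deletion request and a do-not-sell request over a small constructed data set (three in-memory stores standing in for a CRM, an order system and raw analytics hits). The store layout, field names, the two exemptions it honours (an open transaction, and a record kept to detect a security incident) and the list of service providers to notify are all assumptions made for the example.

```python
import re

def sample_data():
    """Constructed sample stores (not real people): CRM profiles, orders, analytics hits."""
    return {
        "crm": {
            "c-1001": {"email": "ana@example.test", "name": "Ana Q.", "do_not_sell": False},
            "c-1002": {"email": "bo@example.test", "name": "Bo R.", "do_not_sell": False},
        },
        "orders": [
            {"id": "o-1", "customer": "c-1001", "status": "shipped", "total": 40.0},
            {"id": "o-2", "customer": "c-1001", "status": "open", "total": 12.5},
            {"id": "o-3", "customer": "c-1002", "status": "shipped", "total": 99.0},
        ],
        "analytics": [
            {"id": "a-1", "customer": "c-1001", "ip": "203.0.113.7", "path": "/pricing", "security_event": False},
            {"id": "a-2", "customer": "c-1001", "ip": "203.0.113.7", "path": "/login", "security_event": True},
            {"id": "a-3", "customer": "c-1002", "ip": "198.51.100.9", "path": "/", "security_event": False},
        ],
    }

# Services the post names as service providers; assumed here to accept a forwarded opt-out.
SERVICE_PROVIDERS = ("Google Analytics", "Hubspot", "Marketo")

# Value shapes that the act lists as identifiers (email, IP address, social security number).
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ip_address": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}

def inventory(data):
    """Data map: for each store, which fields hold values shaped like an identifier.
    Knowing where personal information lives is the precondition for finding and removing it."""
    found = {}
    for store, records in data.items():
        rows = records.values() if isinstance(records, dict) else records
        for row in rows:
            for field, value in row.items():
                if not isinstance(value, str):
                    continue
                for label, pattern in PII_PATTERNS.items():
                    if pattern.match(value):
                        found.setdefault(store, set()).add((field, label))
    return {store: sorted(fields) for store, fields in found.items()}

def lookup_consumer(data, email):
    """Resolve a request to a consumer id from the contact detail the consumer submitted."""
    for cid, profile in data["crm"].items():
        if profile["email"] and profile["email"].lower() == email.lower():
            return cid
    return None

def handle_deletion(data, email):
    """Delete the consumer's records except those covered by an exemption.
    Returns a report suitable for answering the consumer and for the audit trail."""
    cid = lookup_consumer(data, email)
    report = {"found": cid is not None, "deleted": [], "retained": []}
    if cid is None:
        return report
    for order in list(data["orders"]):
        if order["customer"] != cid:
            continue
        if order["status"] == "open":            # exemption: needed to complete a transaction
            report["retained"].append((order["id"], "complete a transaction"))
        else:
            data["orders"].remove(order)
            report["deleted"].append(order["id"])
    for hit in list(data["analytics"]):
        if hit["customer"] != cid:
            continue
        if hit["security_event"]:                # exemption: detect or prosecute security incidents
            report["retained"].append((hit["id"], "detect or prosecute security incidents"))
        else:
            data["analytics"].remove(hit)
            report["deleted"].append(hit["id"])
    profile = data["crm"][cid]
    if report["retained"]:
        # Exempt records still point at this id: keep an id-only stub, clear the identifying fields.
        profile["email"] = profile["name"] = None
        report["retained"].append((f"profile:{cid}", "id-only stub; identifying fields cleared"))
    else:
        del data["crm"][cid]
        report["deleted"].append(f"profile:{cid}")
    return report

def handle_do_not_sell(data, email):
    """Record the opt-out and list the service providers it must be forwarded to."""
    cid = lookup_consumer(data, email)
    if cid is None:
        return {"found": False, "notify": []}
    data["crm"][cid]["do_not_sell"] = True
    return {"found": True, "consumer": cid, "notify": list(SERVICE_PROVIDERS)}

def sellable_profiles(data):
    """Profiles that may still be shared with third parties: everything not flagged do_not_sell."""
    return [cid for cid, p in data["crm"].items() if not p["do_not_sell"]]

if __name__ == "__main__":
    data = sample_data()
    print("inventory:", inventory(data))
    print("do-not-sell:", handle_do_not_sell(data, "bo@example.test"))
    print("deletion:", handle_deletion(data, "ana@example.test"))
```

The two points a real implementation has to get right are visible in the report: every record that is kept carries the exemption it is kept under, and an opt-out is not finished until the list of providers in `notify` has actually been contacted.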
Seyfarth-Shaw has provided a great, detailed CCPA requirements explainer on business process requirements.
What is considered personal information?
The act is quite broad: Any piece of data that can be tied to any identity information about any person is personal information. This explicitly includes:
- Real name or alias
- Personal identifiers
- IP address, browsing history and search history
- Email address
- Social security number
- Driver’s license number
- Passport number
- Any unique identifier of a person or device
If a piece of data even looks similar to any of those things, it’s covered.
It also includes information about:
- Personal property
- Products and services purchased
- Purchasing history
- Browsing history
- Biometric data
- Class or income
The act specifically says personal information can include:
“Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
Does this affect services like Google Analytics, Hubspot, and Marketo?
Yes. They’re considered service providers to your company. Most of these are updating their processes and legal statements to reflect CCPA.
The law shields you from liability for your service providers, so long as you forward to them the opt-out and deletion requests you get from consumers. If you fail to pass such a request along, you may be on the hook. Make sure that every service your website uses is CCPA compliant.
What are the penalties for violating CCPA?
This one’s fun: It’s not entirely clear yet! The law provides for penalties of “up to” $7,500 per violation, enforced by the state Attorney General. But what is the scope of a violation? Would a one-time transfer of 10,000 people’s data be considered one violation, or 10,000? Is that a $7,500 problem, or a $75,000,000 problem?
Consumers, too, can bring direct claims. Damages range from $100 to $750 per resident, per incident, or actual damages – whichever is greater. What does “per incident” mean? That’s unclear, too.
Depending on how the Attorney General interprets the California Consumer Privacy Act, businesses could get off with a slap on the wrist, or they could be on the hook for millions of dollars. We just don’t know yet.
The International Association of Privacy Professionals predicts that “damages will be tabulated on a per-capita basis.” This is how the damages are calculated for the 2003 California Online Privacy Protection Act, which itself draws on 1973’s People v. Superior Court ruling by California’s Supreme Court. For purposes of risk management, you should assume the worst case.
We also don’t know how far the extraterritorial coverage will reach. If you sell to a Californian from New York City, can the law be enforced on you? The concept of a law applying outside its native territory isn’t new – GDPR is also extraterritorial. But, like the EU’s GDPR, it’s not clear how enforcement will work outside California.
Proskauer Rose has an extensive CCPA analysis including the ambiguous penalty situation.
Disclaim ALL THE THINGS!
We’re digital marketers and architects. We’re not attorneys. This post is not legal advice. Please talk to your legal department or counsel about CCPA. Have them review and approve your policies and procedures. Above all else: collect as little data as you possibly can. The best way to stay out of trouble is to not do anything wrong.
I originally wrote and published this blog for Imarc.