Companies with a significant online presence — particularly e-commerce businesses — have been operating under the scrutiny of GDPR oversight since May of 2018. The General Data Protection Regulation is enforced by all European Union (EU) countries to protect citizens’ personal data, which gets collected by any company conducting business in the EU.
Under the terms of GDPR, says ZDNet, “Organizations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners — or face penalties for not doing so.”
Have Online Customers in California? Meet the CCPA
A lesser-known, but equally important, sweeping data privacy regulation is the California Consumer Privacy Act or CCPA. The act was announced in 2018, but won’t technically be regulated until January 2020. It applies to all companies that:
- Conduct business in California, even if it’s only online
- Collect personal data of California residents
And meets at least one of the following metrics:
- Have annual gross revenues of $25 million or more
- Obtain personal information of at least 50,000 California residents, households or devices per year
- Earn at least 50 percent of annual revenue from selling California residents’ personal information
California residents covered under CCPA have the right to:
- Know what personal information a company is collecting
- Know if their data is sold, and to whom
- Opt-out of selling their information
- Obtain a copy of personal information
- Sue for damages if their personal information is breached
Additionally, the CCPA defines personal information as:
- Online history
- Demographic information:
- Name
- Phone number
- Mailing address
- Email address
- Social security number
- Account numbers
- Driver’s license and passport numbers
- Education and employment histories
- Biometric data
What does CCPA Compliance Mean for U.S. Companies?
We think the first thing to know about CCPA is that your firm’s compliance with GDPR doesn’t automatically mean you comply with CCPA’s stipulations. And you don’t want to get this wrong; California’s law comes with a big stick. For every violation, expect a $7,500 fine and a civil case against your company.
However, if you DO meet all the GDPR requirements, you’ll also conform to some CCPA requirements. Keep in mind, if you collect and process users’ personal information, ensure your privacy policy includes but is not limited to the following:
- What kind of information you receive and process
- Why do you collect and process information
- How do you collect and process information
- How users can request access, change, move, or delete their data
- The method for verifying the identity of the person who submits a request
- Sale of users’ data and how they can opt-out of the selling of their data
Finally, to comply with California’s consumer privacy law, you’ll need to follow and regularly update these five general guidelines:
- Update your privacy policy with information on how, why and what personal information you collect and process.
- Update your privacy policy with information on how your users can request access, change, or erasure of the data that you have collected.
- Introduce a method for verification of the identity of the person making such requests
- Introduce a “Do Not Sell My Personal Information” link on your home page. If your users click the link, it means you can’t sell the users’ data to a third-party. According to Computer Services, Inc., this must be a “clear and conspicuous statement that is linked to a page that allows consumers to opt-out of having their personal information sold.”
- Obtain prior consent from minors 13-16 years old before selling their data. For children younger than 13 you must obtain prior permission from their parents
For more detail regarding CCPA privacy policies, read this short article by California-based law firm KirkPatrickPrice.
Start Planning Now
Like any business compliance challenge, preparing your company to comply with the CCPA when it’s official in January 2020 will take considerable planning across multiple functions — IT, operations, sales and marketing, and finance. Use the lists above to help get you started. Experts predict that California is just the first state that’ll lead to an avalanche of others demanding similar consumer protection.
It may be centuries-old advice, but Benjamin Franklin’s homespun wisdom still holds sway today: “By failing to prepare, you’re preparing to fail.”