In 2018, the European Union passed a groundbreaking piece of legislature. The General Data Protection Regulation (GDPR) further limited companies from collecting and profiting from data collected from the customers who lived in the EU. Just seven years before, they passed a law forcing websites to allow people to opt-out of cookies.
Cookies, as we discussed in our earlier series on being off the grid, are tiny packets of text. They’re designed originally to let websites know you had been there before and tailor the user experience. For example, not showing you a pop-up you’ve already responded to. And while they’re used for more than that now, the original creator of cookies says they’re still better than the alternative.
Shortly after the GDPR law was passed in Europe, the Governor of California signed a similar bill into law. The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020.
Note: The California legislature recently extended the deadline for compliance to July 1, 2020.
Do Not Sell My Information
The CCPA, like the GDPR before it, limits companies’ ability to profit from the data of the people who visit their website. It imposes limits on data use within companies and with third parties. You’ve probably seen a lot of websites posting or updating their cookie policies. Some even include a link that says “Do Not Sell My Information.”
The California law includes extensive disclosure requirements. It imposes large fines if not complied with. Luckily, companies have a 30 day window to “fix” any violations once alerted to them. The law further offers state residents the ability to sue, while giving a broad definition of, “resident.”
But most importantly, the law provides California consumers nearly all-encompassing rights to control how their personal information is used and shared. And it severely limits the collection of minors’ (under age 16) data by websites and apps which, in most cases, are required to ask parent’s permission before doing so.
But I’m Not in California
Obviously, if you or your parent company is actually located in California, you must fully comply with the new legislation. If you do business in the state, are incorporated there, own property there, or—depending on who you talk to—have employees who live there and work for you, you must comply.
However, like so many of the laws of California, your company does not have to have a physical presence in the state to be affected by and required to adhere to the laws. Thanks to the Internet, physical borders are a thing of the past. And the state will come after you if you violate the law for even one of their residents.
We should add here that even if you do no business with anyone in California, you might want to go ahead and get compliant.
First, the law says California residents include people who might not seem like residents. Examples include students attending university in California and folks who have their homes in California, even though they work mostly in other places (like film crews in Tampa or Atlanta).
Secondly, the state of Florida currently has two bills in the legislature with similar restrictions to CCPA. Nevada has already passed legislation almost identical to the ones Florida is considering. And other states are scrambling to catch up, while Amazon’s Jeff Bezos and other execs are pushing for Federal regulations mimicking the California law.
Thirdly, it is arguably good citizenship to intentionally protect the privacy of people you interact with. Certainly, you wouldn’t want to be responsible for the disclosure of sensitive personal information—even inadvertently. Taking a hard look the privacy protections required by CCPA and GDPR can help inform policies and procedures that your business might wish to implement regardless of how you’re affected by the need to comply with these laws. A lot of work has gone into thinking through what good stewardship of data looks like, and what the ramifications can be when businesses take a haphazard approach to how they collect, store, and safeguard even seemingly innocuous data throughout their business operations.
Where CCPA Differs from GDPR
This is by no means a comprehensive explanation. But here’s what you need to know to decide whether or not you need to get your websites (and potentially other areas within your business) immediately compliant, or if you can take your time. For example, the law only covers for-profit businesses.
CCPA applies to “any business that earns $25-million in revenue per year, sells (buys or shares) 50,000 consumer records per year, or derives 50% of its annual revenue from selling personal information.” Now, thanks to some confusion, or perhaps purposeful vagueness, there is some gray area to be careful around.
The $25-million minimum is not specified to be California income, so all income is probably accounted to hit the threshold. The 50,000 records per year, breaks down to 137 unique visits to your website per day. So if “Bubba” from San Francisco visits your website on his laptop, then his tablet, then finally gets directions to your office on his phone? That’s three unique visits – even though he’s 3000 miles away from his California apartment.
Thankfully, many of the existing vagaries with the original law were amended right before it went into effect. Otherwise, even an ad for Disney World or Universal Studios Orlando on your site might have qualified as doing business in the state of California.
You are also protected, at least for another year, from being penalized for maintaining Human Resources records from California applicants.
One other recent clarification – CCPA now states that “publicly available information,” is not restricted by the law. A.K.A., information that can be found in local, state and federal public records does not meet the state’s definition for personal information.
What Do I Need to Do?
Did you change policies and privacy notices to align with GDPR? There’s a good chance you might have already put into place some of the necessary protections for compliance with CCPA.
But to fully bring your site into compliance with the California and other state privacy laws, you’ll need to update or amend:
- Ensuring opt-in/opt-out ability across site – a link offering “Do Not Sell My Personal Information,” ON YOUR HOME PAGE. In fact, an opt-out checkbox must be located at every single location where your website collects data. This includes e-newsletter subscription forms.
- Ease of requesting information – website AND phone number.
- Special concern for minors – under 13 requires parent permission, 13-16, student may give permission, but age must be verified.
- Recognize and confirm non-discriminatory practices for California residents
- Data collection, processing & backend design – you might also need to update your databases and PHP to accommodate the changes.
We promise you’re not alone. While this is a lot of information to process, CSi Networks can update your systems as needed. We can also come in and work in tandem with you, making sure you get everything updated. If you need help, please just give us a ring. We’re here to provide your peace of mind!