January 22, 2020

What Does the California Consumer Privacy Act Mean for Your Business?

When the GDPR came out in 2018, most businesses had to start complying with privacy laws. 

If you updated your privacy options to comply with GDPR, the process of following the California Consumer Privacy Act (CCPA) will be simple. If not, you may have to take a few more actions. 

Let’s get started to help you become compliant with the CCPA with just a few steps. 

Do You Need to Be CCPA Compliant?

This is actually a two-part question.

First of all, are you a business? A “business” is described as a for-profit legal entity doing business in California that collects personal information regarding California residents. 

If yes, do you meet one of these three criteria?

  • Have $25 million or more in annual revenue, or
  • Possess the personal data of more than 50,000 “consumers, households, or devices,” from California in a rolling 12 months or 
  • Earn more than half of your annual revenue selling consumers’ personal data

If you answered yes to the first question and any of part of the second question, you need to comply with CCPA. 

Nonprofits are typically exempt from the CCPA, but some exceptions do exist. Nonprofits need to follow the CCPA if: 

  • They are controlled by a for-profit business (that falls under the above). 
  • Are co-branded with a for-profit entity. 
  • Or contract with a third party that would potentially sell personal information. 

What Is Considered to Be Personal Information?

What is considered “personal information?” Personal information would be anything collected that could identify, relate, describe, or link a particular California resident or household. Examples of these fall under several categories of information. 

Personal identifiers include:

  • Real name, Alias, Account Name
  • Social Security Number
  • Drivers’ license number
  • Passport number
  • Postal address
  • IP address, as collected through Google Analytics
  • Email address

Commercial information includes products or services purchased, obtained or considered, along with purchase or consumption histories or tendencies. Records of personal property would be another form of commercial information. 

Internet or other electronic network activity includes both browsing and search history. It also includes interactions with specific websites, applications and/or advertisements.

Finally, personal information also includes the following:

  • Geolocation data
  • Biometric information
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information

What Rights Do Consumers Have Under the CCPA?

The CCPA requires that you give users the right to transparency about data collection and the right to be forgotten. 

  • To know that their personal information is or is not being collected
  • What information is being collected
  • How the information is being used
  • The ability to request the category of information being collected and the specific information that is being collected. These categories include auditing, security, debugging, short-term uses, performing services, internal research, and testing/improvement.

Consumers have the right to opt out of having their data sold. An opt-in requirement is in place for minors. Businesses must disclose any personal information collected and the purposes for which that information is used.

Consumers have the right to request that businesses disclose the following:

  • The categories and specific pieces of personal information that the business collects about them
  • The categories of sources from which that information is collected
  • The business purposes for collecting or selling information
  • The categories of third parties with which the information is shared
  • The categories and specific pieces of personal information that the business collects about them
  • The categories of sources from which that information is collected
  • The business purposes for collecting or selling the information
  • The categories of their parties with which the information is shared

Consumers have the right to say no to the sale of their personal information. According to the CCPA, “sale of personal information” includes the following: 

  • Renting or Selling
  • Releasing
  • Disclosing or Making available
  • Disseminating
  • Transferring
  • Otherwise communicating orally, in writing or by electronic or other means by the business to another business or third party for monetary or valuable consideration

Consumers have the right to delete their personal information. They also have the right to equal service and price, even if they exercise their privacy rights. 

In an upcoming blog post, we will review five specific steps your business can take to comply with the CCPA.


Game On!

We’re all about putting up big numbers for your business.