The California Consumer Privacy Act (“CCPA”), Cal. Civ. Code § 1798.100, is set to take effect on January 1, 2020 and aims to enhance California’s consumer privacy rights. With most businesses collecting some sort of Personal Data from consumers, it is important to consider whether the CCPA’s new provisions apply to your business and, if they do, what steps you need to take for compliance.
The CCPA applies to any business that:
(1) Has annual gross revenues in excess of $25 million;
(2) Possesses the personal information of 50,000 or more consumers, households, or devices; or
(3) Derives 50% or more of its annual revenues from selling consumers’ personal information.
Unlike the GDPR, under which compliance is triggered solely by the collection of personal data in the EU, the CCPA applies only to businesses. The CCPA defines a “business” as “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners” that meets one of the above three criteria, OR “any entity that controls or is controlled by a business . . . and that shares common branding with the business.”
Something noteworthy about the definition of “business” is that it could potentially also implicate non-profit organizations, particularly if they control or are controlled by a business that meets the CCPA’s definition. Therefore, it is important for any type of entity, whether for profit or not, to consider whether the CCPA might apply to its data collection practices.
At a high level, some best practices that qualifying businesses can adopt to comply with the CCPA include:
(1) Create a process for parental/guardian consent for minors under 13, as well as a process for the consent of minors between 13 and 16;
(2) Create a “Do Not Sell My Personal Information” link on the homepage of your business website that directs to a page that allows users to opt-out of the sale of their personal data;
(3) Create methods for submitting data access requests, including a toll-free number that users can call;
(4) Avoid requesting opt-in consent for 12 months after a California resident opts out.