A Guide to CCPA, the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) was passed in 2017 and went into effect on January 1, 2020, and will start being enforced on July 1st, 2020. It is changing the fundamentals of the Internet, much like GDPR, which went into effect in 2018.
The CCPA applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California, and satisfies at least one of the following:
- Has annual gross revenues in excess of $25 million;
- Buys or sells the personal information of 50,000+ consumers or households; or
- Earns more than half of its annual revenue from selling consumers’ personal information
What are the CCPA requirements?
It is important to start preparing for CCPA compliance. The law is already in effect and we expect penalties to begin on July 1st. This is what your business needs to implement to be compliant:
- Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes.
- “Do Not Sell My Personal Information” link on the home page of the website of the business, that will direct users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident’s personal information Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number.
- Update privacy policies with the newly required information, including a description of California residents’ rights.
- Avoid requesting opt-in consent for 12 months after a California resident opts out.
What are the CCPA fines & penalties?
CCPA non-compliance isn’t cheap. Expect to pay $2,500 per unintentional violation and $7,500 per intentional violation.
The CCPA also allows consumers to sue businesses and collect between $100 to $750 in damages if their personal information has been breached due to the business failing to implement and maintain reasonable security procedures and practices.
According to Donata Kalnenaite, privacy expert and lawyer at Termageddon, the CCPA is truly the first encounter with privacy regulation for most American companies. This means that not only the policies and procedures of these companies will need to change, but also the attitudes toward the collection, use, and disclosure of data.
CCPA infringement fines are calculated per violation (per person whose rights were infringed upon), which means that fines can add up to large amounts, even if you have only a few hundred visitors to your website per month.
It is imperative that companies start preparing for the enforcement of this law.