On January 1st, 2020, the California Consumer Privacy Act, often abbreviated to CCPA, was enforced as the first of its kind in the United States. The CCPA is a state-wide data privacy law that sets regulations for how businesses manage personal information collected from California residents.
If you own a website, you may be affected by the CCPA which would require you to achieve CCPA compliance. Non-compliance can result in heavy fines. Read on for a short introduction to the CCPA.
How is ‘personal information’ defined in the CCPA?
According to the CCPA, ‘personal information’ is information that can:
- Identity a particular consumer or household
- Be related to a particular consumer or household
- Be associated with a particular consumer or household
- Be linked directly and indirectly to a particular consumer or household
Even impersonal data is not exempt from the CCPA if it can be combined with other data to identity a particular consumer or household.
Who is affected by the CCPA?
The CCPA applies to for-profit business that either:
- Sells personal information of more than 50,000 California residents annually
- Has an annual gross venue greater than $25 million
- Or derives 50% of the annual revenue through selling personal information of California residents
It does not matter if your business is located in California or not – as long as your business falls under one of the above-mentioned thresholds, then you are obligated to become compliant with the CCPA.
Under the CCPA, consumers are given more control of their data. Now, consumers have the right to opt out of having their personal information sold to third parties, they have the right to request disclosure of that personal information has already been collected, and they have the right to request for their personal information to be deleted. Finally, California residents have the right to be notified in addition to the right to equal services and prices.
How do I become CCPA compliant?
To become compliant with the CCPA, there are several actions you must take. Your website must tell end-users at or before the data collection about the types of personal information that will be collected and why it is collected. The website must also provide a link that end-users can use if they want to opt out of having their data sold to third-parties.
If the website has visitors below the age of 18, you must obtain their consent before you can sell or disclose their data to third parties. A parent or legal guardian must opt in for end-users below the age of 13.
Finally, if a consumer asks for access to their personal information, you are obligated to provide them the records of personal information that you have collected about them over the past 12 months. This service must be free of charge.