The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Its most notable immediate impact is the “Do not sell my info” or “Do not sell my information” links you see showing up at the bottom of websites, or as pop-ups.
The law, Assembly Bill 375, authored by Assemblyman Ed Chau (D-Arcadia), says a clear and conspicuous link on the business’ homepage must enable a consumer to opt out of the sale of the consumer’s personal information.
How CCPA Benefits California’s Consumers
You have the right to know what personal information businesses collect, use, share or sell, and you’ll be able to delete it. You’ll also be able to tell a business to stop selling your personal information.
Businesses, including social media companies, cannot blackball you if you choose to exercise your rights. That said, it’s been well documented that Facebook has had a serious privacy issue for quite some time. In early July 2020, Facebook admitted to sharing user data with an estimated 5,000 third-party developers after their access to that data was supposed to expire.
Business websites and apps are required to provide a “Do Not Sell My Info” link.
The CCPA applies to large businesses with a gross annual revenue of more than $25 million. Before you decide you’re immune to this new law because you’re a small business and stop reading, though, note that proper management of vendors is a big part of CCPA compliance. This means that if you work with large clients, they may ask you to sign a contract that requires you to be CCPA compliant.
Companies such as Facebook (which probably knows more about you than your family and friends) may require you to provide a copy of a government ID (i.e., a driver’s license) before they can comply with a right-to-know or right-to-delete request.
The intention of this new law is to limit how much data can be collected and sold. However, the definition of a “sale” under CCPA is broad and will no doubt be challenged in the courts. As an example, Facebook’s “like,” share or comment are common ways to collect and use information about you. And we all know, to some extent, how they’ve used/sold the data.
What You MUST HAVE on Your Website
This new privacy law is complicated, especially if you’re a large corporation running a global business. Just as with the GDPR, it’s not totally clear what it means to be CCPA compliant. You are strongly advised to consult with your attorney regarding privacy laws.
Be that as it may, if you’re collecting any user information via your website (contact form, newsletter subscription box, Google Analytics tracking, Google AdSense, IP addresses, or cookies), you must have a Privacy Policy posted with a link to the page, typically placed in the footer.
Your Cookie Policy can be included in your Privacy Policy. A Privacy Notice (which is not the same as a Privacy Policy) is optional. And don’t be tempted to copy/paste one from another website. Aside from that being copyright infringement, your policy should be specific to your business and your website.
Having a Privacy Policy posted on your website when you’re using a contact form has been a California law since 2003 (California Online Privacy Protection Act). Privacy policies used to be a lot simpler, before tech giants figured out how to make mega bucks off of selling your personal information.
If you do business in Europe, then your Privacy Policy needs to also meet the General Data Protection Regulation (GDPR) standards.
What if You’re NOT Collecting Any User Information via Your Website?
Then technically, you do not NEED a Privacy Policy on your website. However, since data collection and privacy have become a BIG issue, your website visitors — including legal authorities — will expect to see a Privacy link in the footer of your website. Many people may not understand that the policy is not a “legal requirement” if you’re not collecting ANY personal information.
Even if it’s not a legal requirement for you, you should STILL have a privacy policy page with a simple statement that you do not collect, share, or sell personal information. It’s far better to be transparent and state that you don’t collect personal data than to arouse suspicion and/or have to explain over and over again why you don’t have a policy posted.
Other policies you may need on your website:
- Terms & Conditions
- Disclaimer(s): If you have affiliate links, or provide information that could be considered health advice (Medical Advice Disclaimer), legal advice (No Attorney-Client Privilege), or financial advice.
The “Do Not Sell” Rule
Specifically, the regulation says that businesses must:
- Have a page on their website titled “Do Not Sell My Personal Information.” On this page, consumers based in California can opt out of the sale of their personal data. The business must clearly link to the “Do Not Sell My Personal Information” page from the homepage.
- Describe, in the privacy policy, the consumer’s right to opt out of the sale of personal data, and provide a link there to the “Do Not Sell My Personal Information” page.
- Once a user requests that a business not sell their personal information, the business must respect this decision for a minimum of 12 months.
- Finally, websites should have a way to prove that they are respecting these customer requests.
You may need a “Do Not Sell My Personal Info” link on your website (consult with a legal expert, to be sure) if your business meets one of the core requirements of CCPA. There’s a “Do Not Sell” notice on this site mainly out of an abundance of caution.
Core Requirements of CCPA
Does your business meet one of the following three requirements?
- Gross revenue of more than $25 million.
- Your organization receives, shares, or sells personal information of more than 50,000 individuals, households or devices. (Exemptions may apply.)
- Your company earns 50% or more of its annual revenue from selling personal data of Californians.
What Does “Selling” Mean?
According to CCPA, selling is:
“Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
It’s unclear what “valuable consideration” means.
In addition to the information provided when you’re filling out online forms that require your name, address, phone number, social security numbers, and any other identifiers, IP addresses are also considered “personal data.”
What CCPA Means for Social Media Users
As I’ve mentioned in my newsletters (and in an article posted on my website), Facebook, Twitter, LinkedIn, Google, and other social media companies collect data about their users, and then use and/or sell this information. These tech giants know more about you than you might realize.
The new law is a result of the steady stream of scandals, like Facebook’s Cambridge Analytica data debacle, and follows the strict European law GDPR (General Data Protection Regulation) that went into effect last year. The CCPA gives you more rights when it comes to what they do with your data.
Will Social Media Companies Roll Out any New Privacy Tools for You to Use?
It’s unclear as to whether or not social media companies will be rolling out new privacy tools. They already give users various ways to find out what information they’re collecting about you. This data is HUGELY important to Facebook, Twitter, Google, and other big social media sites. Your personal data helps companies target ads, and advertising is big money for social media companies. Data is the new oil!
The fines for failing to comply with the CCPA can be steep. Generally, the fines that can be imposed by the Attorney General are $2,500 per non-intentional violation or $7,500 per intentional violation. “Per violation” means per person whose privacy rights you violated or per website visitor.
LEGAL DISCLAIMER: I am not a lawyer and do not provide legal advice. Nothing in this article should be considered legal advice. All information in this article is for informational and self-help purposes only and is not intended to be a substitute for professional legal advice. When it comes to any/all legal matters, best practice is to consult with a legal expert — especially if you’re doing online business globally.
Learn more about the CCPA
More details can be found on the state of California’s CCPA Website. The California Attorney General’s office released a proposed text of regulations related to the CCPA for consumers and businesses to understand their rights and responsibilities.
Policies for your website that update when the laws change.
Protect your business from fines and lawsuits.
Termageddon is the longest-running Privacy Policy generator listed as a vendor by the International Association of Privacy Professionals (iapp.org). The company is founded and run by a licensed privacy attorney who also serves as the Chair of the American Bar Association – ePrivacy Committee.
As a Certified Agency Partner, I charge an annual license fee of $99 (same as charged by Termageddon). In addition, there’s a one-time charge to set up the policy and place it on your website. This does not impact reviews and recommendations.