California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Its most notable immediate impact is the “Do not sell my info” or "Do not sell my information" links you see showing up at the bottom of websites, or as pop-ups.

The law, Assembly Bill 375, authored by Assemblyman Ed Chau (D-Arcadia), says a clear and conspicuous link on the business’ homepage must enable a consumer to opt out of the sale of the consumer’s personal information.

How CCPA Benefits California's Consumers

  • You have the right to know what personal information businesses collect, use, share or sell, and you'll be able to delete it. You'll also be able to tell a business to stop selling your personal information.
  • Businesses, including Facebook, Twitter, etc., cannot blackball you if you choose to exercise your rights.
  • Business websites and apps are required to provide a "Do Not Sell My Info" link.
  • The law applies to large businesses with a gross annual revenue of more than $25 million. Before you decide you're immune to this new law because you're a small business and stop reading, though, note that proper management of vendors is a big part of CCPA compliance. This means that if you work with large clients, they may ask you to sign a contract that requires you to be CCPA compliant.
  • Companies such as Facebook (which probably knows more about you than your family and friends) may require you to provide a copy of a government ID (i.e. driver license) before it can comply with a right-to-know or right-to-delete request.

The intention of this new law is to limit how much data can be collected and sold. However, the definition of a "sale" under CCPA is broad and will no doubt be challenged in the courts. As an example, Facebook's "like," share or comment are common ways to collect and use information about you. And we all know, to some extent, how they've used/sold the data.

What You MUST HAVE on Your Website

This new privacy law is complicated, especially if you're a large corporation running a global business. Just as with the GDPR, it's not totally clear what it means to be CCPA compliant.

Be that as it may, if you're collecting any user information via your website (contact form, newsletter subscription box, Google Analytics tracking, Google Adsense, IP addresses, or Cookies), you must have a Privacy Policy posted with a link to the page, typically placed in the footer. Your Cookie Policy can be included in your Privacy Policy. A Privacy Notice (which is not the same as a Privacy Policy) is optional. And don't be tempted to copy/paste one from another website. Your policy should be specific to your business and your website.

Having a Privacy Policy posted on your website when you're using a contact form has been a California law since 2003 (California Online Privacy Protection Act). It just used to be a lot simpler, before tech giants figured out how to make mega bucks off of selling your personal information.

If you do business in Europe, then your Privacy Policy needs to also meet GDPR standards.

What if You're NOT Collecting Any User Information via Your Website?

Then technically, you do not NEED a Privacy Policy on your website. However, since data collection and privacy have become a BIG issue, your website visitors -- including legal authorities -- will expect to see a Privacy link in the footer of your website. Many people may not understand that the policy is not a "legal requirement" if you're not collecting personal information.

Even if it's not a legal requirement for you, you should STILL have a privacy policy page with a simple statement that you do not collect, share, or sell personal information. It's far better, and safer, to be transparent and state that you don't collect personal data than to arouse suspicion and/or have to explain over and over again why you don't have a policy posted.

Other policies you may need on your website:

  • Terms & Conditions: If you're linking to 3rd party websites.
  • Disclaimer(s): If you have affiliate links, or provide information that could be considered health advice (Medical Advice Disclaimer) or legal advice (No Attorney-Client Privilege), or financial advice.

The "Do Not Sell" Rule

Specifically, the regulation says that businesses must:

  • Have a page on their website titled “Do Not Sell My Personal Information.” On this page, consumers based in California can opt-out of the sale of their personal data.
  • The business must clearly link to the “Do Not Sell My Personal Information” page from the homepage.
  • The website must describe the consumer’s rights to opt-out of the sale of personal data and provide a link to the “Do Not Sell My Personal Information” page in its privacy policy.
  • Once a user requests that a business not sell their personal information, the business must respect this decision for a minimum of 12 months.
  • Finally, websites should have a way to prove that they are respecting these customer requests.

You may need a "Do Not Sell My Personal Info" link on your website (consult with a legal expert, to be sure) if your business meets one of the core requirements of CCPA.

Core Requirements of CCPA

Does your business meet one of the following three requirements?

  1. Gross revenue of more than $25 million.
  2. Your organization receives, shares, or sells personal information of more than 50,000 individuals, households or devices. (Exemptions may apply.)
  3. Your company earns 50% or more of its annual revenue from selling personal data of Californians.

What Does "Selling" Mean?

According to CCPA, selling is:

“Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

It's unclear what "valuable consideration" means.

In addition to the information provided when you're filling out online forms that require your name, address, phone number, social security numbers, and any other identifiers, IP addresses are also considered "personal data."

What CCPA Means for Social Media Users

As I've mentioned in my newsletters (and in an article posted on my website), Facebook, Twitter, LinkedIn, Google, and other social media companies collect data about their users, and then use and/or sell this information. These tech giants know more about you than you might realize.

The new law is a result of the steady stream of scandals, like Facebook's Cambridge Analytica data debacle, and follows the strict European law GDPR (General Data Protection Regulation) that went into effect last year. The CCPA gives you more rights when it comes to what they do with your data.

Will Social Media Companies Roll Out any New Privacy Tools for You to Use?

Probably not, since they already give users various ways to find out what information they're collecting about you. This data is HUGELY important to Facebook, Twitter, Google, and other big social media sites. Your personal data helps companies target ads, and advertising is big money for social media companies. Data is the new oil!

The fines for failing to comply with the CCPA can be steep. Generally, the fines that can be imposed by the Attorney General are $2,500 per non-intentional violation or $7,500 per intentional violation. “Per violation” means per person whose privacy rights you violated or per website visitor.

Last year, Europe hit Google with a $57 million fine (under GDPR) for failing to clearly inform users how it handled their personal data. Google, of course, was expected to appeal the fine. 

DISCLAIMER: I am not a lawyer and do not provide legal advice. All information in this article regarding CCPA is for informational and self-help purposes only and is not intended to be a substitute for professional legal advice. When it comes to legal matters, best practice is to consult with a legal expert -- especially if you're doing business globally.

Learn more about the CCPA

More details can be found on the state of California’s CCPA Website. The California Attorney General’s office released a proposed text of regulations related to the CCPA for consumers and businesses to understand their rights and responsibilities.
