California’s new consumer privacy law, the California Consumer Privacy Act (CCPA), goes into effect on January 1, 2020. Does every business need to comply with CCPA? And what is required to be in compliance?
The CCPA applies to your company if you meet at least one of the following requirements:
- Your annual gross revenues are at least $25 million.
- You buy, receive, or sell personal information of at least 50,000 California consumers (meaning residents, homeowners, or devices) per year.
- At least 50% of your annual revenue is generated from selling California residents’ personal information.
If you meet requirement #1, you probably know that your gross revenues exceed that amount, so read on.
Requirement #2 is a bit deceptive. 50,000 California consumers seems like a lot. But if your business is open every day, that works out to just 136 customers per day. A busy retail store, restaurant, or online business can easily exceed that number. And if you have multiple locations (such as several restaurants), you’re all the more likely to hit the threshold.
Even if your company doesn’t meet any of the requirements listed above, owners and managers of growing companies should consider whether implementing CCPA compliance is still a wise strategic move. After all, you don’t want to wake up and find that your company has passed one of the compliance thresholds without CCPA compliance being in place. And if your company is potentially an acquisition target for a larger firm that is required to comply with CCPA, having the right policies in place can prevent the acquisition being complicated by these types of issues.
The requirements to comply with CCPA are not just complex – they’re a moving target. That’s because the California Attorney General’s office is still in the process of issuing regulations to define how the law is being put into place.
That said, here’s some of what we know at this point. Note that this is not a comprehensive list of requirements.
Companies impacted by CCPA must do the following:
- Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years before their data can be shared.
- Place a “Do Not Sell My Personal Information” link on the home page of the website of the business, that will direct users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident’s personal information.
- Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number.
- Update privacy policies with newly required information, including a description of California residents’ rights.
- Avoid requesting opt-in consent for 12 months after a California resident opts out.
Each of the bullet points listed above is a general description – there are details, nuances, and, in some cases, exceptions to all of them. This blog post isn’t intended to cover every detail of CCPA, but rather to create understanding of the general scope of the law and how to start thinking about compliance.
Need to bring your company into compliance with CCPA? Contact me.