Online privacy has become a prominent issue in the United States and abroad in the last several years. To address the issue, California passed the California Consumers Protection Act (CCPA) last year. This legislation is slated to go into effect on January 1st, 2020.
For small business owners, this means your website and data collection practices will need to be CCPA compliant by the end of the year, assuming your business meets the threshold of required CCPA compliance.
What Is The Purpose Of The CCPA?
This legislation was passed because personal data is increasingly playing a more important role in online and offline business practices. The goal of this legislation is to increase California residents’ privacy and ensure they are allowed to refuse or opt-out of having their personal data collected or sold by third parties.
Which Businesses Does CCPA Apply To?
Technically, this legislation applies to any business in the world that:
1) Collects personal data of California residents
2) Exceeds any one of the following three thresholds:
- Has annual gross revenues of $25 million or more
- Obtains personal information of at least 50,000 California residents, households, and/or devices per year
- Generates 50% or more of their annual revenue from selling California residents’ personal information
If your small business meets one or more of those thresholds, you need to become CCPA compliant by December 31st, 2019.
What’s The Difference Between CCPA And GDPR
It’s important to understand that GDPR and CCPA are two entirely separate regulations. We’ve written previously about GDPR, and while there are some similarities, CCPA is not as extensive as GDPR and is focused exclusively on California residents.
If your business is already GDPR compliant, that does not mean it is automatically CCPA compliant as well. While there’s a good chance that your business has already met some of the requirements for compliance, you likely still have more work to do.
What Qualifies As ‘Personal Data’?
The legislation defines personal data as “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Practically speaking, personal data includes, but is not limited to:
- Email addresses
- Biometric data
- IP addresses
- Internet of Things information
- Geolocation data
- Employment information
Publicly available information is not considered personal data under the CCPA.
What Are The Penalties For Failing To Comply?
If your business is required to comply with the CCPA and fails to do so, the penalty is severe fines. If your business is still non-compliant after thirty days of being notified, you’re at risk of being fined up to $7,500 per violation.
This means if you collected data on one hundred users without being CCPA compliant, you could be looking at $750,000 in fines.
How Do I Make My Business CCPA Compliant?
The steps required to meet CCPA requirements will depend on your business type and existing data collection methods. Some businesses will have an easier time meeting the requirements than others. Still, every business should consider speaking with an expert to verify they’re compliant before the end of the year.
While you can attempt to make your small business compliant on your own, we highly recommend consulting with an experienced IT professional.
To learn more about the CCPA and get help meeting the requirements, please contact us today for assistance.