With the enactment of California’s CCPA law as of January 1st, 2020, many companies have been left scrambling to comply, asking the question “How do we prepare ourselves?” With laws such as GDPR enacted in Europe during 2018 and similar developments in California, understanding these complex privacy requirements is becoming more and more crucial to adapting and evolving in the online landscape.
The risks after CCPA’s enforcement date of July 1st, 2020 are nothing to scoff at, with up to $7,500 in fines per violation and the risk of losing consumer trust over failure to comply. However, there are plenty of things businesses can do to prepare themselves in the coming months. Below are answers to some of the most common questions Orange142 has received about how to ready your business for the new legislation and for similar laws that may follow it in the future.
What is CCPA?
The California Consumer Privacy Act is a piece of legislation brought into effect on January 1st, 2020 that gives consumers in California the right to know what data various companies have collected on them and how it is being used, and requires that consumers be given an easy opportunity to opt out of data collection should they choose. The law describes the applicable personal information as such that “could be reasonably linked, directly or indirectly, with a particular consumer.” The law will begin being enforced as of July 1st, 2020 and will apply to companies that meet any of the criteria below:
- Anyone that does business in the state of California
- Gross annual revenue above $25 million USD
- Any company that processes the personal information of 50,000 or more households, residences, or individuals in the state of California annually.
- Any business that derives more than 50% of its revenue from selling the personal information of users in exchange for monetary assets or valuable consideration.
How Does CCPA Compare to GDPR?
CCPA and GDPR are two sides of the same coin in terms of data privacy regulations, but there are some key differences between the two. GDPR’s primary goal is to receive consent prior to the collection of data to ensure that customers are opting into the process and data is not being collected unknowingly. CCPA, however, does not require consent at the point of data collection but instead requires that users are notified that their information has been collected and that they have accessible options to learn what kind of information was collected and to remove themselves from future collection.
How to Prepare Your Site for CCPA
Getting prepared for CCPA can be achieved through a few simple steps:
- Make sure that your Privacy Policy is up to date and includes the various categories of information your company and its vendors collect about your site’s users in a clear and accessible manner. We recommend working with your lawyer to draft the appropriate verbiage for the Privacy Policy.
- Through a pop-up or some other means of notifying customers once their information has been collected, direct them to your updated Privacy Policy if they wish to learn more or opt out.
- Provide an opportunity to opt out of data collection and a contact phone number for any user looking to inquire further about the information your company holds on them. (Must be a toll-free number.)
Alert Example: “By using our website, you accept our cookie policy. Please refer to our Privacy Policy and Terms of Use for more information, or to opt-out of data collection.”
Below is a link to be included in your Privacy Policy to ensure the opportunity for users to opt out. This must be added to your Privacy Policy in addition to the necessary data collection verbiage.
http://optout.aboutads.info/?c=2&lang=EN
Updates for 2021
On March 15, 2021, three additional regulations were added to the CCPA, effective immediately.
- Businesses that collect and “sell” consumers’ personal information offline must post offline notice of consumers’ right to opt out.
Note: Offline refers to any circumstance where an organization interacts with a consumer in a non-online manner.
For example, a consumer may give their email address in a brick-and-mortar store, which the clerk then types into the computer system. Despite the use of the computer, this interaction is still considered offline because the primary interaction was in person. So, if the store intended to sell the consumer’s information, they would be required to provide an opt-out notice.
An offline opt-out notice may take the form of signage that is easily visible from where the information is being collected with instructions on how to opt-out.
- Companies selling consumer information may use an optional “opt-out” icon on their website in addition to their own opt-out link.
CCPA regulations already required companies to have a link on the bottom of their website for consumers to opt out. The opt-out icon, developed by the Attorney General, is an optional addition. If companies choose to also use the icon, it must be placed to the left of the link and be the same size as other buttons on their website. The opt-out button provided by the California Office of Administrative Law (“OAL”) can be found here.
- Requests to opt out must be simple for consumers to complete and not designed to discourage a user’s decision to opt out.
Once consumers make the decision to opt out, the request should be easy to complete. They should not have to scroll through reasons why they shouldn’t opt out, share any additional information or read the privacy policy.
Overall, the new regulations primarily impact businesses that are “selling” information or receiving a high volume of opt-out requests. Businesses selling information collected offline should confirm that they have instructions to opt-out posted in an easily visible location. Lastly, all organizations should ensure their opt-out request process is simple to complete and does not require any unnecessary steps.