Is Your Business CCPA Compliant?

By: Vivek Vaidya

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020 and has wide-reaching implications on businesses in California. To help you understand how the CCPA affects your business, here are a few answers to basic questions:

What do small businesses in California have to worry about when it comes to the CCPA?

In order for the CCPA to apply to your business, you must meet one of the following criteria:

  • You have an annual gross revenue over $25 million
  • You receive, buy, sell or share the personal information of at least 50,000 California consumers
  • You derive at least half of their revenue from selling the information of state residents.  

If a small business meets the above-mentioned criteria, here are the top three things that should be prioritized:

1) Understand the breadth of the law

It’s important to understand the somewhat vague definition of “personal information”, which is defined as any info which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal info can include email addresses, social security numbers, driver’s license numbers, employment information, geolocation, biometric information, commercial information, internet activity, audio/video information, or education information not available to the public.  If you collect this information, you need to have the capability of fielding user requests to access, delete, or change their personal information.

2) Train your employees (even if you only have a few)

The CCPA requires employees who field customer requests about data privacy practices (deleting personal information, opting out of sharing personal information, etc.) and employees who are responsible for the company’s compliance to undergo instruction to understand the law. Generally, this will require instruction of all customer service representatives and whoever handles legal compliance. 

3) Understand the penalties

The penalties for not being CCPA compliant go up to $7,500 per intentional violation and $2,500 for unintentional violations which are enforced by the California attorney general. Consumers also have the right to pursue their own individual action against non-compliant businesses, and can sue the company if a data breach occurs due to carelessness. 

What are the top 5 things they should have in place to be compliant?

Here are the top 5 most pressing details that need to be squared away ASAP if you are a small business owner who meets the criteria of the CCPA:

1) Be sure to clearly outline consumer data. In other words:

A) What personal information do you collect?

B) How do you acquire said data?

C) Where and how do you keep it?

D) Do you share it with other entities?

E) Is the shared data part of provision of service, sale or another purpose?

2) Create a homepage “privacy link”:

The CCPA also calls for a privacy link on the homepage of any relevant entity’s website. It must be “clear and conspicuous,” titled “Do Not Sell My Information,” and linked to a page that allows consumers to opt-out of having their personal info sold to third parties.

3) Update Privacy Policies:

The CCPA gives consumers the right to know exactly what personal information is being gathered about them. In order to comply with that, businesses must provide a disclosure “at or before the point of collection.” It must “inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.”

4) Develop a process for fielding consumer complaints:

Starting on Jan. 1, 2020, relevant entities must be ready to field consumer requests about their personal information that are allowed under the CCPA. These requests must be processed free of charge and within 45 days. Some examples include:

A) Request a copy of their personal information

B) Request that their personal info be deleted

C) Obtain consent from a guardian to sell personal info from a consumer under the age of 13

D) Opt out of sharing their personal information with third parties

5) Strengthen data security:

Relevant entities should review and update their info security and privacy policies and actively monitor their data security defenses to ensure that consumer data is not easily stolen, as they can seek damages for data breaches covered under the CCPA. 

Anything else small business owners should know about this law right now?

There is a 6-month grace period from January 1, where mistakes can go unpunished. There is still plenty of time before you need to be truly compliant as a small business owner who meets the criteria of the CCPA. If you have questions about becoming compliant or need legal aid with preparing a Privacy Policy that is CCPA compliant, feel free to contact Vivek Vaidya of Bend Law Group at Vivek@bendlawoffice.com

This article discusses general legal issues and developments. Such materials are for informational purposes only and may not reflect the most current law in your jurisdiction. These informational materials are not intended, and should not be taken, as legal advice on any particular set of facts or circumstances. No reader should act or refrain from acting on the basis of any information presented herein without seeking the advice of counsel in the relevant jurisdiction. Bend Law Group, PC expressly disclaims all liability in respect of any actions taken or not taken based on any contents of this article.