By: Vivek Vaidya
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020 and has wide-reaching implications for businesses in California. To help you understand how the CCPA affects your business, here are a few answers to basic questions:
What do small businesses in California have to worry about when it comes to the CCPA?
In order for the CCPA to
apply to your business, you must meet one of the following criteria:
- You have an annual gross revenue over $25 million
- You receive, buy, sell or share the personal information of at least 50,000 California consumers
- You derive at least half of your revenue from selling the information of state residents.
If a small business
meets the above-mentioned criteria, here are the top three things that should
1) Understand the breadth of the law
It’s important to
understand the somewhat vague definition of “personal information”, which is
defined as any info which “identifies, relates to, describes, is capable of
being associated with, or could reasonably be linked, directly or indirectly,
with a particular consumer or household.” Personal info can include email
addresses, social security numbers, driver’s license numbers, employment
information, geolocation, biometric information, commercial information,
internet activity, audio/video information, or education information not
available to the public. If you collect
this information, you need to have the capability of fielding user requests to
access, delete, or change their personal information.
2) Train your employees (even if you only have a few)
The CCPA requires
employees who field customer requests about data privacy practices (deleting personal
information, opting out of sharing personal information, etc.) and employees
who are responsible for the company’s compliance to undergo instruction to
understand the law. Generally, this will require instruction of all customer
service representatives and whoever handles legal compliance.
3) Understand the penalties
The penalties for not being CCPA compliant go up to $7,500 per intentional violation and $2,500 for unintentional violations, and are enforced by the California attorney general.
Consumers also have the right to pursue their own individual action against
non-compliant businesses, and can sue the company if a data breach occurs due
What are the top 5 things they should have in place to be compliant?
Here are the top 5
most pressing details that need to be squared away ASAP if you are a small
business owner who meets the criteria of the CCPA:
1) Be sure to clearly outline consumer data. In other words:
A) What personal information
do you collect?
B) How do you acquire
C) Where and how do
you keep it?
D) Do you share it
with other entities?
E) Is the shared data
part of provision of service, sale or another purpose?
2) Create a homepage “privacy link”:
The CCPA also calls for
a privacy link on the homepage of any relevant entity’s website. It must be
“clear and conspicuous,” titled “Do Not Sell My Information,” and linked to a
page that allows consumers to opt-out of having their personal info sold to
3) Update Privacy Policies:
The CCPA gives consumers
the right to know exactly what personal information is being gathered about
them. In order to comply with that, businesses must provide a disclosure “at or
before the point of collection.” It must “inform consumers as to the categories
of personal information to be collected and the purposes for which the
categories of personal information shall be used.”
4) Develop a process for fielding consumer complaints:
Starting on Jan. 1, 2020, relevant entities must be ready to field consumer requests about their personal information that are allowed under the CCPA. These requests must be processed free of charge and within 45 days. Some examples include:
A) Request a copy of
their personal information
B) Request that their
personal info be deleted
C) Obtain consent from
a guardian to sell personal info from a consumer under the age of 13
D) Opt out of sharing
their personal information with third parties
5) Strengthen data security:
Relevant entities should review and update their info security and privacy policies and actively monitor their data security defenses to ensure that consumer data is not easily stolen, as consumers can seek damages for data breaches covered under the CCPA.
Anything else small business owners should know about this law right now?
There is a 6-month grace period from January 1, during which mistakes can go unpunished. There is still
plenty of time before you need to be truly compliant as a small business owner
who meets the criteria of the CCPA. If you have questions about becoming
compliant, feel free to contact Vivek Vaidya of Bend Law Group at Vivek@bendlawoffice.com.
This article discusses
general legal issues and developments. Such materials are for informational
purposes only and may not reflect the most current law in your jurisdiction.
These informational materials are not intended, and should not be taken, as legal
advice on any particular set of facts or circumstances. No reader should act or
refrain from acting on the basis of any information presented herein without
seeking the advice of counsel in the relevant jurisdiction. Bend Law Group, PC
expressly disclaims all liability in respect of any actions taken or not taken
based on any contents of this article.