What’s happening in California affects everyone. The fight for a person’s right to privacy affects everyone. Because some people in power will pursue their self-interests to the exclusion of everyone else as far as the law will let them, it is necessary to legislate what can be done with personal information. It used to be that most consumers thought the harmless reason for the collection of their information was to serve up more relevant advertising, which was a win-win situation.
Business got more targeted access to consumers, and consumers got more targeted advertising to their tastes and preferences. Everything was more efficient and productive for everyone.
The Impetus For the CCPA
But knowledge is power, and unchecked power corrupts such that it soon became apparent consumers were being manipulated by big business. In fact, the stated goal of certain companies became controlling consumers’ thoughts and behaviors. If you think that’s some kind of sci-fi fantasy, just take a look at what happened with Cambridge Analytica in the last U.S. election. Now, that company is no more, but it is mentioned here because it is specifically the impetus for the California Consumer Privacy Act (CCPA). That is, this data protection law was written in response to that company’s exploitation of consumer data (and recent data breaches that have brought to light just how loose some businesses are with security).
So, now the CCPA is here to protect us and will begin to be enforced in July of 2020. Some companies like Facebook may want to get out of the CCPA requirements and reassure their clients that nothing is going to change, but as noted previously, the CCPA was written in direct response to their exploitation of consumers’ data.
As a company in another state, you might be thinking you aren’t as big as Facebook and you aren’t in California. This law must not apply to you. Wrong. It does not matter whether your business officially resides in California or not, and even small to medium-sized companies can be liable.
Does the CCPA Apply to Your Business?
If your business serves California residents and you meet just one of three requirements spelled out in the CCPA, you will be required to conform to the CCPA or suffer the consequences, which are discussed in other CCPA blogs on this site. The CCPA defines a business as any for-profit entity that collects consumer personal data and that meets at least one of the following criteria:
- Has an annual gross revenue of over 25 million dollars US
- Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes
- Derives 50% or more of its annual revenue from selling consumer personal information
This act covers any way of doing business and collecting personal data. So, if you are a brick-and-mortar business collecting information over the phone or in your stores, and you meet the criteria, this applies to you.
Clearly, this is not meant to be onerous to small businesses. However, if you think about it, 50,000 people visiting your website per year, divided by 365 days in a year, yields a result of roughly 137 people per day. 137 people per day is not a lot in terms of the World Wide Web. That means you don’t even have to have the traffic of a big business to qualify under the CCPA criteria. And if you collect consumers’ information, the law is applicable to you.
How California Law Affects You
Even if you don’t want to do business in California or with California consumers, California law affects the nation. Other states are looking to follow California’s lead. Though similar laws were shot down in Washington and Texas, Nevada has recently passed a data privacy law, and states like New York, and Washington, D.C., may soon follow. In fact, Senator Maria Cantwell, a Democrat from Washington state, introduced the Consumer Online Privacy Rights Act (COPRA) in December of 2019, which would give consumers unprecedented rights with the ability to sue businesses on a case-by-case basis. Change is coming, and it’s best to prepare now.
There are other reasons you should be concerned about what’s going on in California. Economically, it’s a pretty big fish. As far as consumers go, there are 39,512,223 residents with a median income of $71,228 according to the U.S. Census Bureau. The number of households with a broadband Internet subscription is 84.7 percent. Roughly, 85% of the almost 40 million people have access to the Internet. So, it’s a big market to miss out on. The fact is that most if not all companies doing business on the Internet have some California customers.
The CCPA does not use the word “customers,” though. It specifically uses the word “consumers,” which it defines as natural persons who are California residents. Consumers don’t even have to do business with you to be protected. If consumers visit your website, and you have cookies collecting any information that could be linked with their personal identity, you will have to let them know that and give them a way to opt out of having their information collected by you.
What Does the CCPA Mean By Personal Information?
But there are more obvious ways your company may collect what the CCPA calls “personal information.” Personal information is also known as “personally identifiable information.” And you might be collecting this as part of a login process or to do business with a consumer through a shopping cart or payment system. If you collect personal information in any way, the CCPA applies to you.
So, what does the CCPA consider to be personal information? It may surprise you because it includes a person’s IP and MAC addresses if they can be reasonably linked to a particular individual. It also includes other information like their physical address, name, phone number, email, descriptions of their physical characteristics, and biometric data.
“Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”
The complete list is available from the bill text of California Assembly Bill No. 375.
How To Comply With CCPA
You’re also going to have to supply consumers with a way to get hold of you to demand their rights. CCPA specifies this must be in the form of a toll-free number or a website link, if you have a website. So, you’re going to have to advertise how you’re collecting consumer information. You’re going to have to reveal what you’re doing with it and how a consumer can easily exercise their rights to either have their data deleted or downloaded to use for other purposes with impunity. And if you have a data breach, you have to notify the consumer and the California Attorney General. If you don’t comply, you can be sued by the Attorney General and the individuals whose data has been exposed.
The law is much more detailed than this, though. If you don’t have a legal team advising you, you might want to look for help from a company like RSI Security. RSI Security specializes in compliance frameworks such as the CCPA. We know exactly how to make the modifications you need to maintain your advantage in the California market. Contact us today for a free consultation on how we can help your business succeed.