What is the CCPA and why the California Consumer Privacy Act probably applies to your online business
The California Consumer Privacy Act, commonly referred to as the CCPA, was enacted in 2018 and became effective on January 1, 2020, though there is a six month grace period for enforcement which give companies that engage with California residents time to implement and work out best practices for these new requirements. This landmark piece of legislation secures new privacy rights for California consumers, though it will have far-reaching impact as companies determine how best to manage their data collections.

For-profit companies doing business in California that collect the personal information of consumers are required to comply with the CCPA. Your organization does not need to be headquartered in California, have an office in California, or directly sell anything to residents of California to be subject to the law.

Basic Rule. In general, the CCPA applies to a “business” that:

  1. does business in the State of California,
  2. collects personal information (or on behalf of which such information is collected),
  3. alone or jointly with others determines the purposes or means of processing of that data, and
  4. satisfies one or more of the following

(i) annual gross revenue in excess of $25 million,

(ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or

(iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

What is “personal information”? The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. Amendments to the CCPA clarify that “personal information” does not include de-identified or aggregate information, or “publicly available information” that is lawfully made available from federal, state, or local government records.

For an online business, whether it sells products or services or provides content, it likely gathers at least one piece of personal information. It could be an email for a newsletter or comments or an IP address for analytics. But rarely will a business website forego capturing some form of identifier for its visitors. This is likely how the business would know where its visitors are from. And while it’s impossible from a simple online identified to determine if someone is or is not a legal resident of the location for which they are identified, it’s up to the business to either treat every visitor identified as being in California as a resident for general CCPA determination evaluation or have some other way to more clearly identify the residency since that is a CCPA triggering element.

Does this apply to my business? Most will look at those criteria and if they do not generate $25 million in annual gross revenue or buy/sell consumer personal information and say the CCPA doesn’t apply to them. This was my first impression, until I read more closely how the CCPA defines the word “sell” in part (ii) in the above definition.

This is how nearly all online content creators and entrepreneurs fall under the CCPA. Specifically, the CCPA statute defines “sale” to mean: “… selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

While an online entrepreneur or company with an online presence may not “sell” data in the traditional sense of the word, the words “releasing”, “make available”, “transferring” and “otherwise communicating” all deal with the use of cookies and data gathering related to ad networks, affiliate programs, analytics measurement, and use of third-party software to help with things like downloadable content, online webinars, the sale of products/services, and much more.

What do I need to do to comply with the CCPA? If you went through compliance steps for GDPR, you’re likely very close to being CCPA compliant. However, the CCPA is not focused on obtaining opt-in consent so your Privacy Policy likely needs to be updated not only to make the additional required disclosures. In addition, if you do not have a clear Cookie Policy (which you should have if you have UK visitors due to the UK Cookie Law) you will need a Cookie Policy. And finally, you should have a separate notice for California residents that explain what type of information is collected in the 11 categories covered by the CCPA and how they can go about having their personal information removed and not “sold”.

What is in the CCPA notice California residents? There are a number of things, but the main two are (1) disclosure about categories of information your company has collected in the past 12 months and (2) information on how to opt out of your business “selling” their personal information.

What’s this need for an 800-number I keep hearing about? Unless your business is operated wholly online, your business will need to establish an 800 (or other toll-free prefix) number for California residents to contact the business to obtain instructions on how to opt out of having their personal information “sold”. If you’re an online entrepreneur, businesses that operate exclusively online and have a direct relationship with consumers from whom they collect personal information are permitted to provide only an email address to consumers for opt-out contact.

What is this ‘Do Not Sell’ button I keep seeing? The ‘Do Not Sell’ button or link is a shortcut method for California residents to opt-out of data collection and “sale” for the next 12 months. It’s a quick way for many online providers to block the transfer of data. The CCPA provides that businesses must  establish “a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information…” that can be exercised at any time. It can be a simple form or an integrated third-party software solution, but whatever you choose to collect the request you will need to them make sure you implement the request. While you don’t need to delete ALL personal information, any information you “sell” must either wholly exclude their personal information or be anonymized so as not to identify the individual specifically.

If I don’t have to comply with the CCPA or I don’t sell personal information should I still comply? I’ve shared with clients that even if they are not subject to the CCPA, compliance becomes an issue of optics. When people visit your website, they’ll likely notice that your site doesn’t have the same disclosures, links, or popups that other sites they visit are now showing. Visitors may not think that you don’t have to comply, rather they may think you’re not in compliance or you’re not being forthright with them. It’s better to be transparent and say that you don’t sell their data or that based on the requirement of the CCPA your business is exempt from compliance. By not having some explanation, you’re allowing visitor, competitors, or other third parties create the narrative as to why your website doesn’t have these new privacy features.

CONCLUSION: The CCPA is just the beginning of what is likely to become a patchwork of privacy laws passed by states and countries. Nevada enacted a privacy law in late 2019, beating California to changing the law. In addition there are a number of other states contemplating privacy laws. Compliance with the CCPA and new privacy laws definitely will take time and incur costs. Having worked with dozens of companies to bring their processes into compliance, I’ve heard time and again from my clients that the process wasn’t as difficult as they had thought. If you need to bring your business into compliance with the CCPA and other state privacy laws please consider working with our firm. With over 20 years of working with online entrepreneurs, we’re keenly aware of your needs and unique circumstance and can help you without disrupting your daily operations.