Simple & Safe: Simplifying CCPA For Your Small Business Website

Updated: Jun 24th 2021

2018 turned out to be the year that digital privacy became a mainstream issue around the world. 

It began with Chris Wylie and the revelations that his company, Cambridge Analytica, harvested the personal data of over 87 million people during the 2018 midterm elections. 

The news shocked the public and led to increased calls for more protection of users’ personal information on the internet. 

Not long after, viewers watched as Facebook CEO Mark Zuckerberg testified to Congress about user privacy, leaving an even more sour taste in the mouth of the public.

The issue hit a fever pitch when a real estate developer gathered enough signatures to encourage the California legislature to unanimously pass the broadest digital security law in the country: The California Consumer Protection Act of 2018, or CCPA.

While the law provided much needed protections for consumers, it also created headaches for small business owners lacking the resources to stay in compliance with such a wide-ranging law.

But small businesses ignore legislation like the CCPA at their peril, as violations can cost tens of thousands of dollars in penalties. 

Read on to explore the CCPA further and find out how you can simplify these regulations for your website.

What Is CCPA?

The CCPA is intended to protect the online privacy of the 40 million Americans living in California and give them more control over their digital data. 

The law includes a broad range of regulations regarding acquiring, storing, accessing, and erasing consumer data, and incurs hefty fines for businesses that fall out of compliance.

The CCPA lays out six intentions, providing California residents the rights to:

  • Know what personal data is being collected about them.
  • Know whether their personal data is sold or disclosed and to whom.
  • Say no to the sale of personal data.
  • Access their personal data.
  • Request a business to delete any personal information about a consumer collected from that consumer.
  • Not be discriminated against for exercising their privacy rights.

While CCPA protects data collected from users, the law does not cover publicly available information published by local, state, or federal government agencies. The CCPA also does not cover anonymous or aggregated data.

What Is Personal Information?

Compared to GDPR, the CCPA contains a broader definition of personal information, defining it as:

“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household.” 

Personal information includes: 

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
  • Characteristics of protected classifications under California or federal law.
  • Commercial information including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Biometric information.
  • Internet or other electronic network activity information including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.
  • Professional or employment-related information.

But My Business Isn’t Located In California…

Despite the law’s name, the CCPA does not just apply to businesses physically located in California.

Rather, the law applies to any for-profit business that operates in the state of California, collects personal data from California residents, or does one of the following: 

  • Earns gross annual revenues of at least $25 million.
  • Purchases, receives, or sells personal information of 50,000 or more consumers, households, or devices on an annual basis.
  • Earns 50% or more of annual revenue from selling personal information of California residents.

Further, CCPA applies to all California residents, including those who happen to be temporarily outside California at the time that businesses collect their personal information. 

Additionally, businesses that share branding with other CCPA-liable businesses must also comply with the law.

Exemptions from CCPA regulations are granted for government agencies, nonprofits, health providers, insurers, and financial companies.

Staying In Compliance

While the original CCPA text runs 23 pages long, you won’t need to comb over the entire text to gain a broad understanding of the law. 

The following set of steps will help you get your site into compliance and out of any potential risk.

Find out what personal information you collect 

First, take stock of all the data being collected from your users. Along with what you collect, you’ll also need to know how you collect it, where you store it, how it’s secured, and whether or not you sell this data.

Create a comprehensive privacy policy

Your privacy policy should clearly explain what data you collect and why you collect it. At a minimum, your privacy page needs to include:

  • What user information you collect, including email addresses, financial information, and even IP addresses.
  • How you obtain this information.
  • The reason you’re asking for personal information.
  • How you store and protect user information.
  • How you update your policy and how you update users about these changes.
  • Who has access to your information, which could include newsletter services and any third-party tools.

You can use services such as Rocket Lawyer or TermsFeed to create free customized privacy policies for your site. These tools allow you to tailor your policy to meet a varying degree of regulatory frameworks, such as GDPR, CalOPPA, CCPA, and more.

Create an accompanying cookie policy

In addition to a privacy policy, you may want to create a separate cookie policy to provide more transparency for users. While CCPA does not require consent for using cookies like GDPR does, any data stored in cookies counts as personal information storage.

Your cookie policy should provide a brief explanation of cookies and why you use them, along with a list of the specific cookies used on your site and the purpose behind their use. 

You’ll also need to gain user consent for your cookie use if you want to comply with both GDPR and CCPA regulations. Pop-up banners are typically the most effective way to gain user consent as they are difficult, if not impossible, to ignore. 

This banner will pop up the first time a user visits your site and should accomplish the following three goals:

  • The user is aware of and consents to cookie use.
  • The user has the option to set their cookie preferences.
  • The user can revoke consent at any time.
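The three banner goals above, as an added example that is not code from the original article: a small consent store in which the banner shows until the user decides, preferences are recorded per category, and revoking wipes the decision so non-essential cookies are blocked again. The category names and the plain-object storage are assumptions made here so the logic runs outside a browser; the same functions work against a cookie or localStorage wrapper.

```javascript
// Added example (not from the original article). Category names are assumed;
// `store` is a plain object standing in for document.cookie or localStorage.
const CATEGORIES = ["essential", "analytics", "marketing"];
const CONSENT_KEY = "cookie_consent";

// Read the stored decision; returns null when the user has not decided yet.
function getConsent(store) {
  const raw = store[CONSENT_KEY];
  if (!raw) return null;
  try {
    const parsed = JSON.parse(raw);
    return typeof parsed === "object" && parsed !== null ? parsed : null;
  } catch (e) {
    return null; // a corrupted value counts as "no decision", so the banner re-asks
  }
}

// Goals 1 and 2: record an explicit, per-category decision. Essential cookies
// are always allowed (the site needs them to work); every other category
// defaults to false, so silence is never treated as consent.
function setConsent(store, prefs) {
  const decision = { essential: true, decidedAt: new Date().toISOString() };
  for (const c of CATEGORIES) {
    if (c !== "essential") decision[c] = prefs[c] === true;
  }
  store[CONSENT_KEY] = JSON.stringify(decision);
  return decision;
}

// Goal 3: revoking deletes the decision, so the banner appears again and only
// essential cookies may be set until the user decides anew.
function revokeConsent(store) {
  delete store[CONSENT_KEY];
}

// The banner is shown on the first visit and again after a revocation.
function shouldShowBanner(store) {
  return getConsent(store) === null;
}

// Route every non-essential cookie write through this check before setting it.
function canSetCookie(store, category) {
  if (category === "essential") return true;
  const consent = getConsent(store);
  return consent !== null && consent[category] === true;
}
```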

Allow users to opt-out

Under the CCPA, websites must allow users to opt out of having their data sold or used for marketing purposes. 

Websites should feature a clear “Do not sell my information” link for users to submit an opt-out request. This link cannot require users to register an account with the site.

Allow users to be forgotten

In addition to opting out of data sales, users can also request that you delete any personal information collected from them. 

Website owners should ensure their privacy policy covers the steps for users to have their information deleted.

Gain additional cookie consent from minors

Websites must gain parental consent for minors under 13, while minors 16 and under must give additional consent in order to have their personal data collected. 

There are additional restrictions under Children’s Online Privacy Protection Rule (COPPA), which you can learn more about here.

Make sure your data is secure

Getting compliant serves as the perfect time to ensure that you’re keeping your user data as safe as possible. 

This includes enabling HTTPS on your site and using only trusted hosting and internet service providers.

Train your staff on CCPA compliance

It’s not enough for website owners to understand CCPA. Every member of a business needs to be on board for the times where the owner isn’t around to handle a problem. 

It’s best practice to determine a protocol for handling opt-out requests to prevent an issue from falling through the cracks. It’s also important to clarify how requests will be evaluated.

Opt-out requests need to be responded to within 45 calendar days to avoid incurring a fine, although businesses can request a 45-day extension if they notify the requester. 

What Happens If I Don’t Stay In Compliance?

As with any government regulation, you’re best to stay on the right side of the law and not leave anything to chance. 

Violating the rules contained in the CCPA can run you some gnarly fines, starting at $2,500 per violation if found to be unintentional, rising to $7,500 per violation if found to be intentional. No matter how successful your business, this isn’t a cost you want to take on, especially when it’s preventable.

If a website is found to violate the CCPA, the Attorney General’s office will contact the website owner and allow them 30 days to address the issue. If the issue isn’t addressed, the fines begin.

In addition, data breaches can lead to individual legal actions against non-compliant businesses. Since 2020, over 50 businesses have dealt out payments to users in response to data breaches, including Walmart, TikTok, and Zoom.

In these cases, users can seek statutory damages of up to $750 per consumer, per incident, which can add up pretty quickly if a large data breach occurs. 

These numbers aren’t meant to scare you, but rather to illustrate how important it is to keep your user data safe and secure.

Trustworthy Is Always the Best Policy

Along with keeping you out of financial trouble, staying in compliance with state and federal regulations establishes your website, and business, as one worthy of trust. 

All it takes is one data breach to throw your reputation into doubt, something very difficult to come back from.

The next few years will likely see similar laws enacted across the country, either through state or federal legislatures. Getting in line with CCPA ensures that you’ll already have a head start in complying with whatever comes down the line.

If you’re ready to establish trust, consider getting your Trust Score from DigitalTrust. The Trust Score analyzes your site for over 50 trust factors, including usability, safety, transparency, and reputation. 

You can also qualify for a free trustmark, a third-party authentication indicating your site’s trustworthiness. It’s just one more step towards radiating feelings of trust with your users, increasing engagement and, if all goes well, sales.