Use this checklist to make sure you’re on the right side of California’s data privacy law
The California Consumer Privacy Act (CCPA) became law on January 1, 2020. While it’s not accurate to call the CCPA the “American GDPR,” it did grant California consumers significant new data privacy rights, including the right to know what information companies are collecting on them and why, the right to prohibit the sale of their information, and the right to sue companies that violate their data privacy rights — even absent a data breach.
Does your company have to comply with the CCPA? It does if it meets at least one of the following criteria:
- Your company’s annual gross revenue is at least $25 million
- At least 50% of your company’s annual revenue is derived from selling personal data
- Your company buys, sells, or shares personal information belonging to at least 50,000 California consumers, households, or devices
The International Association of Privacy Professionals estimates that over 500,000 U.S. businesses must comply with the CCPA, about 80% of them located outside of California. Companies located outside the U.S. must comply as well, so long as they do business with California residents and meet at least one of the three criteria specified above.
A description of consumers’ rights and instructions for exercising them
That’s right. You need to inform your customers about the rights they have under the CCPA, such as the right to opt out of having their information sold or shared, the right to obtain a copy of all information your company has collected on them, and the “right to be forgotten.” You also must provide them with “one or more designated methods” by which they can contact your company to exercise those rights.
A detailed description of your data collection and sharing practices
- What categories of personal information your company is collecting and why
- How your company collects this information
- Who your company may share this information with, and why it’s being shared with those parties
- A list of all the categories of personal information your company has sold or shared over the past 12 months, or a statement that you don’t sell or share personal information
- If your company sells consumer information, a link to a page specifically titled “Do Not Sell My Personal Information.” It’s important to note that this link is in addition to, not a replacement for, the one that the CCPA requires you to put on the front page of your website.
A description of your data collection policies regarding minors under 16
The CCPA defines minors as being under the age of 16. Organizations cannot collect data from minors unless they opt in. If the minor is at least 13 years of age, they can opt in themselves; if the minor is under 13, their parent or guardian must opt them in.
A non-discrimination statement
The policy’s effective date
The CCPA requires that organizations review their privacy policies every 12 months. Note your policy’s effective date, and change it after you complete your annual review, even if no changes were necessary.
Other states are following California’s lead
One of the reasons why the CCPA is not the “American GDPR” is that it applies only to California residents. However, that doesn’t mean businesses that aren’t covered by the CCPA are off the hook. As California goes, so goes the nation; numerous other states, tired of waiting for the federal government to address the issue, are using the CCPA as a model to craft their own data privacy laws. Even if your company doesn’t need to comply with the CCPA, it will probably face similar legislation soon.
It’s a good time to take a hard look at your data collection and governance procedures. States are passing CCPA-like laws because their constituents are demanding them. As more consumers insist that companies not only secure their data but also protect their privacy, organizations with solid data security and transparent privacy policies that put the consumer in control will have a distinct edge over the competition.