The California Consumer Privacy Act was created to offer the residents of California new consumer rights relating to the access, deletion, and sharing of their personal information collected by businesses. It was enacted in 2018, went into effect January 1st, 2020, and will be enforced starting July 1st, 2020.
What is the California Consumer Privacy Act?
CCPA is a state statute to help ensure privacy rights and consumer protection for residents of the state of California. It was modeled after the General Data Protection Regulation (GDPR) from the European Union enacted in 2016. Its intention is to make businesses more transparent about the information they collect and store about their consumers, and give those consumers more control over their data.
CCPA achieves this by requiring businesses and services to provide California residents the right to:
- Know what personal data is being collected.
- Access their personal data.
- Request their personal data be deleted.
- Know whether their personal data is sold or shared, and to whom.
- Say no to the sale of personal data.
Who does CCPA impact?
While CCPA is a state and not a federal act, it applies to any business that collects consumers’ personal data, does business in California, and satisfies at least one of the following:
- Has annual gross revenues in excess of $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
Why is CCPA important?
Even if your business isn’t affected by CCPA, the privacy rights and transparency it promotes are good practices for any business to follow. While this is the first law of its kind in the U.S., it will most likely not be the last. Implementing and maintaining reasonable security practices and disclosing them to your customers instills confidence and helps protect your customers and your business.
Steps for CCPA Compliance
These settings should be regularly reviewed. Consulting with a tax professional and/or an accountant on the applicable laws for your state, country, and business is recommended.
2. Review Your Data Collection and Protection Plan
As businesses are collecting more and more personal data, it is important they create and maintain a data collection policy that gives their consumers the opportunity to request a copy of or deletion of their personal data. Providing a mechanism for customers to have control over their personal data is paramount, and can be as simple as a form where they can make the request. WordPress 4.9.6 introduced Personal Data Exporter and Removal tools to export or remove personal data associated with an email address for just this reason.
3. Create a Privacy Notice
4. Create a “Do Not Sell My Personal Information” Page
If a business does sell personal information of Californian consumers, it is required to have a web page titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” This page must contain:
- A summary of consumers’ right to opt out of the sale of their personal data.
- A method by which they can request to opt out.
- Instructions for any other methods by which they can request to opt out.
Whether your website or business is required to comply with CCPA or not, it is good to take stock and evaluate your current data collection practices and make improvements. Providing your customers more transparency and control over the personal data you collect instills confidence and loyalty. Making these improvements now also helps protect your customers and business in the future.