Enterprises handling data should be aware that a new set of regulations takes effect on January 1st, 2020, and affected businesses may want to know how to ensure compliance with the California Consumer Privacy Act (CCPA) within the next six months to avoid penalties. These changes will affect not only corporate policy and operations but also website compliance with the CCPA.
In recent years, flows of data have opened many commercial opportunities, which in turn have led to tensions between the data markets and privacy advocates. Nonetheless, if you’ve followed our blog for some time, you know that a set of rules with international implications has already alleviated these tensions and determined how companies are to handle data, well before the enactment of the CCPA. Since its entry into force, and through the “Brussels effect”, General Data Protection Regulation (GDPR) standards have been widely adopted by major multinationals because of their global reach; indeed, we have already discussed the implications of GDPR for businesses.
The EU has led the way with its enactment of GDPR in May 2018, which primarily aimed to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU and the EEA. Again, if you’ve followed our blog and our 5 steps on how to make your business GDPR compliant, you are already close to being CCPA compliant.
Many have asked whether being GDPR compliant makes a business CCPA compliant. The answer requires some explanation: the differences between the CCPA and GDPR include the scope and territorial reach of each, the definitions of protected information, the level of specificity, and the CCPA’s opt-out right for sales of personal information. Where GDPR covers all personal data regardless of source, the CCPA, in some cases, only considers data that was provided by a consumer, and excludes personal data that was purchased from, or acquired through, third parties. As such, one of the differences between the CCPA and GDPR is that the GDPR’s implications are much broader than those of the CCPA.
Similarly, not all businesses in the United States have to comply with the CCPA. Affected businesses are those that collect and process data from California residents and also meet at least one of the following requirements:
- Exceed $25 million of gross annual revenue
- Obtain Personal Information (PI) from over 50,000 California residents, households, or devices per year
- Earn 50% or more of annual revenue from selling California residents’ PI
If your business meets at least one of the above requirements, the steps to make your website CCPA compliant are as follows:
- Introduce a method for verifying the identity of any person submitting a request under the CCPA;
- Introduce a “Do Not Sell My Personal Information” link on your home page;
- Obtain prior consent from minors aged 13 to 16 before selling their personal data; for minors younger than 13, obtain prior consent from their parents.
Non-compliance with the CCPA puts you at risk of substantial fines: penalties of up to $7,500 per violation if you remain non-compliant 30 days after being notified of the violation.
Nonetheless, if you’ve followed our steps for GDPR compliance, you are covered for most parts of the CCPA. It is important to note that compliance with GDPR does not mean full compliance with the CCPA; you will therefore have to perform due diligence to ensure your website is CCPA compliant.