Effective January 1, 2020, many businesses will be required by California law to amend their website’s privacy policy for California Consumers and to comply with the CCPA (California Consumer Privacy Act). The CCPA, modeled after the European Union’s General Data Protection Regulation, is an attempt by California legislators to give consumers more transparency and rights over personal information collected and sold by businesses. This includes the consumer’s:
- Right to request the personal information the business collects and/or sells, on them both in general and specific terms,
- Right to have such personal information deleted,
- Right to opt-out of allowing a business to sell the consumer’s personal information to third parties; and
- Special rights for minors under the age of 16 whose personal information is collected and/or sold to third-parties.
Generally, the CCPA will apply if your business collects personal information from California consumers through its website and/or platforms and any one or more of the following are true:
- You have annual gross revenues in excess of $25,000,000.
- You annually buy, share or receive for commercial purposes, or sell, the personal information of more than 50,000 consumers, including households and devices (e.g. one person or household can have multiple devices).
- You receive 50 percent or more of your annual revenue from selling consumers’ personal information.
Under the CCPA, a business is required to add a special privacy policy for California consumers and to comply with consumers’ requests to exercise rights under the CCPA. The CCPA privacy policy must also be ADA compliant and give consumers several ways to request information and exercise their rights, including an interactive platform and a toll-free number to call. Businesses must also disclose any financial incentives they offer to consumers that do not exercise their rights under the CCPA and cannot discriminate against consumers who choose to exercise their CCPA rights.
The CCPA gives the California Attorney General the authority to bring an action for up to $2,500 per violation, calculated on a per-capita basis (meaning if your violation affects 1,000 users, your company could have damages of up to $2.5 million dollars). In addition, intentional violations allow for actions of $7,500 per violation, calculated on a per-capita basis.
