Friendly Reminder: We are not lawyers and offer here only a basic explanation of The California Consumer Privacy Act. To ensure legal compliance for your website, please consult a lawyer.
Just when you thought the whole GDPR hubbub was dying down, here comes a Stateside digital privacy law to throw a wrench in your operations.
Here’s the thing - even if you’re a US business, you may not need to make huge changes to your website. But this should definitely be on your radar either way.
And, as we stated above, it’s always best to consult an attorney who is well versed in new data and privacy laws to ensure full legal compliance.
So, let’s get right down to it. What is the CCPA, and do you need to hustle to be compliant?
A Little Background
Europe is way ahead of us on this one. Last year they enacted legislation to make online data collection a lot more regulated. This is hardly a surprise given recent data breaches and the fact that consumers are becoming a lot more savvy and vocal about their online privacy.
The law states that any website located in any part of the world that handles the data of EU citizens must:
- Include SSL encryption
- Allow subjects to access an export of their data and request to have data removed
Many smaller American companies have not paid much attention to this, especially if their website gets little to no traffic from Europe. What’s important is to recognize is that this is just the start of new initiatives to protect people from invasive data collection.
The California Consumer Privacy Act (CCPA)
Although you may have thought that European laws were irrelevant to you, this one’s a little closer to home. The state of California is throwing its hat in the ring and as of January 1, 2020, will begin enforcing data privacy laws to protect its residents.
Although CCPA has a lot in common with GDPR, they’re not equivalent and being compliant with one does not mean you’ll automatically be compliant with both. Fortunately, CCPA is less strict so compliance may be an easier task. Let’s break it all down…
Whereas GDPR widely applies to anyone who processes the data of an EU citizen, CCPA gives us a little more clarity and applies to businesses:
- that make $24 million or more in profit per year or
- that get more than 50,000 visits per year or
- where at least half of your profit comes from selling data
What Does ‘Selling Data’ Mean?
When you hear the words, “selling data” you might think of those companies that sell email lists and assume that this aspect of the CCPA doesn’t apply to you. Unfortunately, it’s a much broader categorization that is still shrouded in a bit of mystery.
In fact, “selling” can mean any sort of exchange of data between companies for the benefit of one company, even if that benefit is not explicitly monetary. So if you’re supplying private data to third-party advertising or remarketing firms, this could very much apply to you.
There’s a lot of legal complexity, especially given the lack of guidance around what constitutes a non-monetary benefit. Once again, it’s best to have an attorney dig in and determine whether or not what your company does fits within this definition. If you want to do a little more research on your own, this blog by The International Association of Privacy Professionals is an excellent place to start.
In this aspect, GDPR is less prescriptive than CCPA. GDPR says you must give visitors a clear and specific explanation of how their data will be used. How you do that is up to you.
CCPA, however, states very clearly that you must have a “Do Not Sell My Personal Information” (DNSMPI) link on your homepage, which links to another page that allows visitors to opt out of the sale of their data.
If you violate GDPR, you have to pony up 4% of your annual revenue or €20 million, whichever is higher. CCPA’s fines are $7500 plus $750 per individual involved. While that may seem like a lot less, it can certainly add up quickly if lots of individuals’ data is involved.
CCPA expands on existing Children’s Online Privacy Protection Act (COPPA) regulations with a special section on how minors' data is handled. It says that children between the ages of 13 and 16 are required to explicitly authorize the sale of their data. And for any kids under 13, a parent must be the one who approved the sale or sharing of their child’s data.
While COPPA doesn’t require sites that aren’t geared toward children to determine the ages of its visitors, CCPA does. The catch is that if a general audience site attains actual knowledge that a visitor is under 13 through compliance with CCPA, COPPA regulations kick in.
So, what does this mean for the future of children’s online privacy? In short, businesses are going to have to get serious about verifying the age of any visitor whose data is collected or sold. We’ll also have to think long and hard about how to handle visitors under 13 as states continue to adopt stricter laws around children’s digital privacy.
What Should We Do?
Some website platforms have begun offering plugins that help you comply with these new legal regulations. And for some small businesses, that may be enough. However, we advise all organizations to seek specialized legal advice before pursuing any compliance solutions.
As web developers, we would be more than happy to execute your chosen compliance plan. However, because we are not lawyers, we are not in a position to advise on a plan of action. That said, we think all US businesses should start incorporating some of these more straightforward asks as a matter of good practice and proactive thinking.
While you shouldn’t panic about these changes, making a game plan with your legal team should be a high priority in 2020. Once that’s been ironed out, we can step in and get all the changes made for you. Then you can rest easy without waiting for the other shoe to drop from California or Europe.