We provide the information below as a courtesy. Do not take it as legal advice or as creating an attorney-client relationship. Please consult an attorney for specific advice on following CCPA standards.
Are you aware of the California Consumer Privacy Act (CCPA)? The law went into effect on January 1, 2020.
What are consumers allowed to do under CCPA?
- See what data your business collected about them
- Learn where your business got the data from
- Know why your business is using the data
- Find out who your business is sharing the data with
- Stop your business from selling their personal information
- Hold your business responsible if you do not take reasonable steps to protect their data
Which businesses are required to follow CCPA standards?
- For-profit companies that do business in California
- Companies that make at least $25M in annual revenue
- Companies that hold data on more than 50,000 California consumers
- Companies that earn more than 50% of revenue from selling data
Which businesses do not need to follow CCPA standards?
- A healthcare provider or insurer under HIPAA
- A financial firm under Gramm-Leach-Bliley
- A credit reporting agency under the Fair Credit Reporting Act
- A business acting to comply with federal, state, or local law, a subpoena, or a summons
What are examples of CCPA-protected personal data?
- Names
- Aliases
- Addresses
- Emails
- Phone Numbers
- Account names
- Social security numbers
- Medical information
- Driver’s license
- Passport number
- IP address
- Biometric data
- Browsing history
Regulators allow 30 days to correct violations. This same time window applies when consumers write a CCPA-related notice to a company. Otherwise, the Attorney General may charge $2,500-$7,500 for each violation. Also, consumers can sue businesses for damages from $100-$750 for each violation. Consumers do not have to prove the violations caused them harm; they only need to prove that your business broke the law.
What actions can businesses take to follow CCPA standards?
- Implement data security measures by following the NIST cybersecurity framework. The FTC has a short guide to understanding the framework.
- Review data stores for CCPA-protected information. You can use a data security platform such as Varonis. This program scans file servers, SharePoint sites, email accounts, and Office 365 accounts.
- Use a CRM program to gather and control consumer data. The program should follow a CCPA-compliant classification system, including marking the source of the data.
- Do not buy cheap lists from third parties. Many businesses buy cheap lists of company contacts and send them email blasts without getting their permission. But, if the contact asks you to remove their information, you must ensure the third-party provider deletes the data as well. Plus, sending emails to these lists leads to fewer messages delivered, reduced open rates, and higher spam complaints.
- Send another opt-in email to your subscribers. Let them know the law is changing and ask them to update their email preferences by a certain date. If you get no reply, assume that you no longer have consent and remove the contact from the list. Also, send periodic opt-in emails to contacts who are not opening your messages.
- If you are unsure if certain contacts allowed your business to send them messages, remove them from your database.
- Update your website with CCPA-friendly details including:
  - An SSL certificate
  - Privacy Policy page with a link on the footer of your website
  - Cookie consent banner
  - A web page for requesting access to their data
  - Contact form with fewer fields and an opt-in checkbox