While there’s no need to head into a digital bunker, if your business is online you need to understand CCPA’s implications. Here’s a quick breakdown (and here’s a handy fact sheet from the State of California).
Is this about me?
A business is subject to the CCPA if one or more of the following are true:
- It has gross annual revenues in excess of $25 million;
- It buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
- It derives 50 percent or more of annual revenues from selling consumers’ personal information.
So… how does the CCPA work?
While less broad in scope, California’s privacy act ensures its consumers have some of the protections European citizens enjoy under the EU General Data Protection Regulation (GDPR).
Those protections are:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information.
- The right to delete personal information held by businesses and, by extension, a business’s service provider.
- The right to opt out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
What’s Personal, Anyway?
Like your relationship status, it’s complicated. The statutory definition includes eleven specific categories that businesses must use when providing their required disclosures. A few of these categories are:
- Identifiers (real name, email address, IP address, etc.)
- Personal Information (electronic signature, bank account number, employment history, etc.)
- Protected Classification Characteristics (race, national origin, religion, etc.)
- Commercial Information (property records, product purchases, and consumer histories, etc.)
- Digital Activities (cookies and browser histories, we’re looking at you.)
While California is the first state to enact privacy protections, it won’t be the last. So even exempt brands should stay informed and plan to (eventually) get on the bandwagon.