The California Consumer Privacy Act (CCPA) Went Into Effect: Here is What You Should Know

Following a slew of corporate data breaches over the past decade, consumers are expecting more privacy online regarding their data. In response, governments are beginning to act on consumers’ behalf. Last year, the European Union passed the General Data Protection Regulation (GDPR). On the first of the year California enacted the California Consumer Privacy Act (CCPA). While these two laws are very similar, there are some subtle differences to them. This article will focus on the potential impacts of the CCPA.

The CCPA has wide ranging implications beyond just residents of California. With California representing over 10% of the US population, the laws passed there have impacts beyond their borders.

This article will cover what we think you need to know and do in regards to CCPA. However, we are not lawyers, instead this article simply reflects our understanding of the impact of CCPA.

Personal Information (PI) vs. Personally Identifiable Information (PII):

One of the first items to understand before diving into the specifics of CCPA is the difference between personal information (PI) and personally identifiable information (PII). PI is data that cannot be used on its own to trace, or identify a person. PII is personal information that can be used to identify an individual.

Personal Information (PI) Personally Identifiable Information (PII)

• Device IDs

• IP addresses

• Cookies

• Anonymized user IDs

• Full name

• Home address

• Email address

• Social security number

• Passport number

• Driver’s license number

• Credit card numbers

• Date of birth

• Telephone number

• Log in details

CCPA applies to PII. Instances where PII is collected, purchased or used on digital platforms falls under its jurisdiction.

Who is affected by CCPA?

When CCPA goes into effect on January 1st, 2020, not all businesses will be affected. The CCPA law explicitly states that:

• “A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
• • Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
  • Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.”

A layman’s summary of that text provided by this article from CMDS:

• “Not all businesses in the United States are mandated to comply with the CCPA, but all should take notice, as this legislation likely represents the beginning of a national and/or multi-state privacy legislation movement. Currently, CCPA-affected businesses include all companies that collect and process data from California residents that also meet any one of the below requirements:

1. • Exceed $25 million Gross Annual Revenue
   • Obtain PII from 50,000+ California residents, households or devices per year
   • Earn 50% or more of annual revenue from selling California residents’ PII”

Steps to take to comply with CCPA:

Compliance with CCPA requires updates to your website. These updates are somewhere extensive and will require collaboration between your development and legal teams for the best results.

The first 3 items are the user-facing requirements of the CCPA. The remaining items are backend focuses.

1. Provide cookie notifications
   • Secure Privacy offers a good explanation of what is required to be compliant in terms of cookie notifications, this explanation can be viewed here.
   • The most common output of this requirement is a cookie banner if you collect data from visitors. (the opt in/out banners you see more and more on websites when you first enter them)
2. Update Privacy Policy
   • The privacy policy needs to be clear on exactly how PII is being used. Consider the following:
     • A specific list of exactly what categories of information you are collecting, how you are using it and what the purpose of this information is
     • Links for people to opt-out of data collection or have their data removed
     • Include a link titled “Do Not Sell My Personal Information” and link to custom page
     • Information explaining at least two methods of contacting you in order to update, change, remove or transfer PII
     • Include a description of all rights afforded to consumers under the CCPA
     • Confirm non-discriminatory practices to ensure equal treatment for Californians
     • Notify your database that the Privacy Policy has been updated
3. Include Opt-Out check boxes everywhere data is collected
   • An opt-out checkbox must be located at every single location where your website collects data (typically forms). This also includes e-newsletter subscription forms.

Backend updates recommended for CCPA compliance include:

1. Create a backend system to verify the identities of anyone requesting user data
   • The simplest solution is to eliminate shared logins and tie each login to an individual email addresses
   • An extra precaution could be to begin using 2-factor authentication for all website backend and database logins. Avoid getting 2-factor authentication codes by SMS though and instead use apps/services. Google Authenticator is a good option for this.
2. Develop a notification system to alert users of any privacy policy changes or data breaches
   • This can include simple solutions such as an eBlast outlining changes in privacy policy or a website banner similar to the cookie banner.
3. Ensure backend data collection maintains sourcing information for all Californians
   • If your site is using PII, ensure you can track the sources and respond appropriately to any requests received from users or partners.
     • For example, this could apply to a purchased list to use for an eBlast or custom content for a website.

CCPA and other future privacy laws will continue to impact digital properties for companies. The best way to protect your interests is to err on the side of caution. We believe making these changes to your site should cover you in regards to CCPA. However, consultation with legal is still strongly recommended to confirm compliance.

If you have any questions or need help getting your website in compliance contact VIA Studio today to discuss your needs!