Who Must Be CCPA Compliant? Does It Apply To Me?
A lot of businesses are wondering if they must be CCPA compliant. Many questions are floating around about whether or not it applies to businesses outside of California or to small businesses.
These are all common questions that many people are scrambling to get answers to:
What Is The CCPA?
The CCPA, or California Consumer Privacy Act of 2018, is a new personal data protection law going into effect in California. As businesses continue to collect and use personal information in new ways, the CCPA aims to regulate what data they can collect, who they can collect it from, and how companies need to manage their consumer data.
The CCPA follows in the footsteps of similar legislation passed in Europe in 2016 called the General Data Protection Regulation (GDPR). In the light of recent consumer data breaches such as those that happened to Target and Equifax and the Cambridge Analytica / Facebook scandal, consumers are beginning to demand more rights as far as their data is concerned.
Although California is the first state in the United States to pass such legislation, nine additional states are working on similar legislation. It is only a matter of time before more states pass consumer data protection laws.
What Does The CCPA Do?
We will discuss some of the finer details about what the CCPA entails a little later in this article. First, let’s find out if your business must be CCPA compliant with a quick summary of the law to give you a general idea.
CCPA Quick Facts:
- The CCPA is an extensive law that gives consumers certain rights relating to their personal data.
- The CCPA went into effect on January 1, 2020.
- The law gives consumers the right to notice, request, delete, and opt-out. It also gives them the right to request a copy of their data from a company and exercise their privacy rights.
- The CCPA defines a consumer as: “a natural person who is a California resident.”
FURTHER READING: What Is The CCPA?
Who Needs To Be CCPA Compliant?
There’s a common misconception that the CCPA only applies to California-based businesses. It’s not true! Any business in the world may need to be CCPA compliant depending on a handful of stipulations. Luckily, the CCPA makes it very clear how to determine who must be compliant.
The main qualifier used to determine if your business must be CCPA compliant is collecting personal information from California residents.
The CCPA refers to Section 17014 of Title 18 of the California Code of Regulations a California to define who qualifies as a California resident. It reads, “The term “resident,” as defined in the law, includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.”
However, a business collecting personal information from California residents doesn’t automatically mean they need to become CCPA compliant. The business–including its parents and subsidiaries–must also meet one or more of the following thresholds:
- Makes a gross annual revenue of $25MM or more
- Acquires personal information from 50,000 or more California residents, households, or devices each year
- Fifty percent or more of the annual revenue comes from selling personal information on California residents (these businesses are often referred to as data brokers)
It’s worth mentioning a second time that a business only needs to meet one of the list items just above, so long as they are collecting personal data from California residents.
Learn more about California Consumer Privacy Act (CCPA) exemptions.
What Qualifies As Personal Information?
Rather than assume what personal information is protected under the CCPA, it’s best to familiarize yourself with those details now. So, what is “personal information” according to the CCPA?
The CCPA states personal information is:
“…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.”California Consumer Privacy Act
This could be several data types, including names, aliases, postal and email addresses, social security numbers, and more.
Here is a comprehensive list as it appears in the CCPA:
- “Personal information” means information that identifies relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
- Personal information includes, but is not limited to, the following:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Any categories of personal information described in subdivision (e) of Section 1798.80.
- Characteristics of protected classifications under California or federal law.
- Commercial information includes personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- Inferences are drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Personal information doesn’t include publicly available information. That entails information that is “lawfully made available from federal, state, or local government records if any conditions associated with such information” except biometric information that was collected without the consumer’s knowledge.
Now, there’s one last relevant piece of information before we move on. The CCPA defines “person” as:
“Person” means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.—California Consumer Privacy Act
Now, based on those specifications, if you’ve determined, you don’t need to be CCPA compliant. There’s one more thing you need to consider before you write the idea of bringing your website into compliance…
The CCPA Is The Beginning Of A Nationwide Trend
If your business doesn’t need to be CCPA compliant because it collects personal information from California citizens, it would be smart not to assume you’re off the hook.
“Why?” you ask…
Remember when we mentioned earlier that nine more states are working on similar legislation? Well, that’s why. The reality is consumer data protection laws such as the CCPA are here to stay. If you’re not collecting data from California residents but are collecting it from residents of other U.S. states, it’s only a matter of time before one passes their own version of the CCPA.
Now is your opportunity to get ahead of the curve.
Microsoft Leads The Consumer Data Protection Trend
In 2018, Microsoft announced it would be extending the GDPR rights on its products to consumers worldwide, not just European citizens. The technology giant explained their decision to do so, citing their commitment to data protection for all.
“We believe privacy is a fundamental human right… We know that people will only use technology that they trust. Ultimately, trust is created when people are confident that their personal data is safe and they have a clear understanding of how and why it is used. This means companies like ours have a huge responsibility to safeguard the privacy of the personal data we collect and the data we manage for our commercial customers.”–Microsoft’s commitment to GDPR, privacy and putting customers in control of their own data
Maintaining their stance on data protection, Microsoft has recently announced they intended to fulfill the same pledge regarding the CCPA. They will provide the same rights outlined in the CCPA to all United States Microsoft customers, not only California residents. “We will extend CCPA’s core rights for people to control their data to all our customers in the U.S,” explained Julie Brill, Microsoft’s Chief Privacy Officer.
In providing data protection rights beyond the state of California, Microsoft is getting a head start on compliance with similar legislation across the country and gaining the trust of new and existing consumers.
If You Are GDPR Compliant, Are You Already CCPA Compliant?
Earlier, we mentioned the GDPR, the European legislation that preceded the CCPA. When the GDPR went into effect, businesses around the world made changes to comply with the laws. Perhaps even your company made changes to become GDPR compliant.
If that’s the case, you’re likely wondering if you need to do anything further to become CCPA compliant.
Well, the answer is yes; there are still things your business will need to do to become CCPA compliant. While the GDPR and CCPA achieve similar goals, there are some differences. That being said, if you are presently GDPR compliant, it’s good news because that means you may already fulfill some CCPA requirements.
We strongly recommend you work with a professional developer specializing in CCPA compliance to ensure you’ve covered everything. However, some additional steps you’ll need to take to become CCPA compliant if you are currently GDPR compliant are:
- Add a “Do Not Sell My Personal Information” to your business website’s homepage.
- Establish and put methods into effect to process requests for access, changes to, and deletion of personal data.
- Establish and put into effect a method to get consent from minors before you can sell their personal data.
Again, the list above may not be conclusive–it all depends on your website.
Are There Any Exceptions To CCPA Compliance?
Yes, there are a few circumstances. However, it would be extremely unusual for a business otherwise required to comply to be wholly exempt from the CCPA. Furthermore, it is only slightly more likely that said the business would be exempt from individual aspects of the CCPA, although it is possible.
In other words, the exceptions apply to various types of consumer information, not the business itself.
Some examples of these circumstances would be personal information that includes:
- Protected Health Information or medical information that is governed by the Health Insurance Portability and Accountability Act (HIPAA)
- Personal information that is subject to the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act (this primarily affects financial institutions)
- Personal information provided to or from consumer reporting companies that are maintained under the Fair Credit Reporting Act
- Any personal information that is covered and protected under the Driver’s Privacy Protection Act (Note: there is a pending amendment that would add exceptions to this but only for vehicle warranty and/or recall purposes)
In addition, the CCPA states that it should not prevent a business from complying with federal, state, or local laws. Nor shall it restrict a company from collecting, using, retaining, selling, or disclosing any aggregated consumer information or de-identified data.
Your business may also find some CCPA exceptions if every aspect of commercial conduct regarding the collection or sale of consumer’s personal information takes place entirely outside of the state of California.
If You’re Required To Be CCPA Compliant, What Does That Mean For Your Site?
If you’ve already gone through bringing your website up to compliance with the Americans With Disabilities Act (ADA), you know how fuzzy legislation can sometimes be as far as what it specifically requires to become compliant.
Luckily, the CCPA is a little more clear-cut. It states an entire list of requirements businesses must meet to become CCPA compliant, including those outlined above. That being said, given the complexity and importance of the legislation, it’s still a tricky issue to tackle. It’s best not to do attempt a DIY CCPA compliance project without proper experience. It takes a great deal of familiarity and expertise to complete a successful CCPA compliance overhaul.
Don’t hesitate to contact us at 3 Media Web with your CCPA questions. Our experts are ready to help.