Does the New California Privacy Law Affect My / Your Business?
But here are the details…
What is the CCPA ( California Consumer Privacy Act )?
California residents will be able to demand companies to disclose what information is collected on them and request a copy of that data.
Companies will be forced to delete consumers’ data if requested by the consumer and will be prohibited from selling information if the customer asks them to via a mandatory “do not sell” link on your website.
Consumers will also have the right to “receive equal service and price whether or not they exercise their privacy rights” which means, companies won’t be able to treat a user differently because they have requested their data.
Businesses That the CCPA Affects
Businesses are required to comply with the new regulations if they have annual gross revenues of more than $25m, acquire 50% or more of their revenue from selling consumers’ data, or annually buy / receive / sell, or share the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
This is roughly 500,000 businesses in the US that will be required to comply with the new law.
And to be clear ONLY California residents “have this right”.
What Does This Mean For You?
Well if you sell to people in California, have over $25,000,000 in gross annual revenue or sell consumer data then you’ll need to create a page for you website that has a link to email or form that a consumer can submit asking you to Do Not Sell to them (and you’ll have to not sell to them if they submit).
AND if one of those California consumers asks you for the data you’ve collected on them you’ll have to give it to them. And if they ask for it to be deleted you’ll have to delete it.
Here’s the Thing!
Most companies are only collecting basic data on consumers in the form of lead generation or customer information to process orders. Think name, address, city, state, purchase history, etc.
If you have that information it will be easy to hand over or delete.
But what most consumers are “freaking out” about is the pixel / cookie tracking that happens in browsers and shows you ads (what people call creepy). YOU ARE NOT RESPONSIBLE for that tracking. It is not your business collecting that data. This is more likely to be Google or Facebook.
DO NOT confuse the CCPA with the European GDPR (which is the whole “give people a message on your site telling them your tracking them” thing).
For Reference here is how Disney does it (to be fair they are the extreme and do way more than you need to)