Four Tips on Staying Compliant with the California Consumer Privacy Act (CCPA)

California business owners are well aware of the many legal protections enjoyed by consumers in the Golden State. A recent example of these protections is the California Consumer Privacy Act (CCPA). This act gives California consumers the right to demand details on how their personally identifiable information is collected and shared by companies. Furthermore, it allows consumers to sue non-compliant companies.

This digital privacy law provides more extensive protections than almost any other state or federal law. Many CCPA provisions mirror the European Union’s General Data Protection Regulation (GDPR). Below are four tips to help your company get on the road to CCPA compliance.

Note: In 2023, California will replace the CCPA with the California Privacy Rights Act (CPRA), a measure approved by voters in November 2020. The CPRA will keep much of the CCPA intact; the most notable change, however, is the creation of a state agency dedicated to enforcing the law.

1. Determine if the CCPA rules will apply to your company.

The CCPA applies only to for-profit businesses. Many employers, however, believe they do not need to worry about the law because their business is not headquartered in California. If your company meets any one of the following three criteria and does any business in California, it must comply with the CCPA regardless of where it is based:

  • It has a gross annual revenue of at least $25 million.
  • It buys, sells, or receives the personally identifiable information of at least 50,000 Californians.
  • At least half of its revenue is obtained through selling the personally identifiable information of Californians.

Please note that some employers are exempt from the CCPA because they are subject to similar, industry-specific regulations.

2. Take stock of the data your company currently tracks and/or is planning to track.

You should be aware of every data point your company collects. Understand exactly how your company collects that data and, if applicable, the differences between the data points collected by different departments within your company. The CCPA considers the following to be personally identifiable data:

  • Direct identifiers, such as name, addresses, Social Security numbers, and credit card details;
  • Search history and other browser activity;
  • Biometrics (eye and hair color, height, retina patterns);
  • Geographic location of a searching device; and
  • Characteristics related to protected classes (race, ethnicity, age, sexual orientation, etc.).

3. Allow consumers to opt out of data collection.

Under the CCPA, companies must give consumers the chance to refuse having their information sold to third parties. You should place a clearly visible “opt-out” section on your home page and/or on the landing pages through which consumers first access your site. Additionally, you must not discriminate against consumers who choose to opt out.

4. Be ready to respond to consumers who request information.

Consumers covered by the CCPA have the right to ask companies about the personally identifiable information being collected about them. As soon as a consumer requests this information, the company has 45 days to respond. Your company should respond with any data that falls under the above description of personally identifiable information. Lastly, your company must offer consumers at least two ways to request access to the information collected about them.

Complying with the CCPA goes well beyond having a robust privacy policy for your company’s website. CCPA violations could cost your company up to $7,500 per intentional violation, and the fines for unintentional violations can quickly add up too. Integrated General Counsel is happy to go over your company’s policies and provide optimizations where appropriate. Contact our team today to discuss your company’s legal needs.