CCPA Compliance for Startups

Some have called the California Consumer Privacy Act (CCPA) "GDPR-lite." In other words, it is the most heavy-duty online privacy law affecting businesses ever passed by a state government in the United States of America.

The CCPA was actually passed on June 28, 2018. The law went into effect on January 1, 2020.

It is considered an incredibly important law since it constitutes the first, really thorough privacy legislation in the United States.

Any organization or company that does business in the State of California, and that deals with sensitive personal information, is bound by the rules and regulations contained in the CCPA.

It's a fair bet that the U.S. federal government will be watching California to see how the legalities play out. Whether the CCPA is good or bad for businesses and consumers will likely be seen (and ultimately used) as a case study for privacy laws across the country.

In particular, startups are going to need to pay close attention to the CCPA if they do business in California. Technology startups especially must make themselves aware of the CCPA's requirements, because handling customer information is so prevalent in the industry.

For instance, startup founders and executives understand that consumers, end-users, investors, and partners are all more concerned about how private information is captured, used, transferred, and stored than they ever have been before.

They're hyper-aware of the possibility of data breaches and security hacks, and they know just how quickly an awful data event can become a public relations nightmare.

Startup business owners know that these kinds of issues can discourage investors and bring on government scrutiny and subsequent penalties. Worse, events like this can scare away consumers.

With that in mind, we're going to go over the major core requirements of the CCPA immediately below. However, before we do, let's just say that it pays to be as informed as possible. While nobody dreams about sitting down for a nice, long slog through the legal documentation, the fact is that most startups don't have a privacy professional on staff.

Because of that, if you're the owner of a startup or you're a member of the company's leadership team, then there is no substitute for going through the CCPA for yourself. If nothing else, you'll get the gist, and it will help you understand and assess any subsequent information you read on the CCPA.

With that in mind, you can read the full text of the CCPA here.

The Rights of Consumers Covered by the CCPA

First, we'll lay out some of the specific rights the CCPA affords consumers and whether startups have to abide by the legislation's rules and obligations. We'll cover the core requirements of the law and then we'll talk about how these requirements specifically impact startups.

Without further ado then, let's dive in.

The crucial areas outlined in the legislation's opening are the following:

  • The right of California residents to know what sensitive, personal data is collected about them
  • The right of California residents to know if their sensitive, personal data is disclosed, shared, or sold and to whom
  • The right of California residents to say no to the sale of sensitive, personal data
  • The right of California residents to access their sensitive, personal data
  • The right of California residents to equal price and service if they exert their right to privacy

Do Startups Have to Comply with the CCPA?

If your business website receives more than 138 visits daily, then the answer is yes. The CCPA applies to for-profit organizations that collect and process the private, personal data of California residents.

Additionally, the CCPA applies if the organization meets one of the following three criteria:

  • The organization grosses over $25 million per year
  • The organization makes at least 50% of its revenue from selling the private information of consumers, or
  • The organization buys, receives, and/or shares personal data related to 50,000 consumers

Of the scenarios listed above, the one most likely to apply to startups is the third. The CCPA's use of "personal information" is general and broadly defined. Essentially, personal data according to the law includes any data that can be connected directly or indirectly to a specific consumer.

A few examples of this include a consumer's internet activity, IP address, geolocation information, and purchasing history.

Therefore, a startup website that receives 138 visitors per day, or 50,232 visitors per year, and that collects the geolocation of those visitors is bound by the provisions of the CCPA.

Core Requirements of the CCPA

Organizations must be able to meet the CCPA's right-to-know standard that provides consumers with end-to-end transparency. Additionally, companies will need to let consumers know when their personal information is collected, what kind of data is collected, how the company plans to use that information, and whether it will be shared or sold.

To meet CCPA requirements, companies must:

  • Supply appropriate notifications on any paper documents, mobile apps, and on websites where consumer data is gathered
  • Supply a "Do Not Sell My Information" or "Do Not Sell My Info" link so consumers can opt-out of having their personal information sold
  • Ensure that all notifications provided to consumers are accessible to everyone, including individuals with disabilities
  • Ensure all notifications are visible before personal information is collected

It must be noted that the State of California attempted (controversially) to make it easy for companies to supply an "opt-out" option to consumers by creating an opt-out logo and button, which organizations would have been required to place on their websites. These buttons and logos would then have linked to official privacy regulations.

However, this provision was scrapped by an amendment to the CCPA in March 2020. As Jen King, the Director of Consumer Privacy at Stanford University, said in a blog post concerning this subject:

"I've been wary about this requirement since I first learned of it, primarily because the existing mechanisms by which we inform the public about privacy are ad hoc and aren't a product of strategic thinking informed by research. A "Do Not Sell" logo will compete with privacy policy links, security indicators, e-commerce seals, and, of course, with content."

While the button and logo icons were scrapped, the CCPA still requires that startups provide their website visitors with an obvious way to view their Privacy Policy. The policy should contain language letting consumers know how they can opt out of having their information sold.

Additionally, startups will also need to:

  • Supply users with an opt-out option in all communications, whether on or offline
  • Ensure that all requests to opt-out are documented
  • Maintain and store all documented records of such requests

Finally, startups must recognize that their customers have a right to have their data deleted. If the startup receives a deletion request, it will need to verify the customer's identity, and then let the customer know that their request has been received. The company will also need to ensure the customer knows their request is actively being processed.

Understand How Your Startup Will Support Consumer Rights

Assuming that your startup falls under the CCPA rules, you need to take a hard look at current data flows that involve personal information.

Consider any ways that your organization is gathering information, which could include data collection through apps or on your website. Think about any third parties to whom you may be providing personal information and who you're taking it from.

You must have a firm grasp of whether your business is actively using personal information as defined by the CCPA before you can begin making any changes that might be necessary to ensure compliance. You must be thorough. That means you'll need to speak with internal stakeholders to discover where they may also be collecting, using, storing, or transferring data.

That may sound extreme, but consider this: your startup has a website or app that gathers the personal information of its users, someone then uploads that data to a third-party cloud storage provider (think Dropbox, Google Drive, or Box.com), and a company partner is given access to it.

You must understand that there are different CCPA requirements for companies, third parties, and service providers. The bottom line is that you can't fall in line with the legislation if you don't understand how sensitive data flows in and out of your business.

Review Your Privacy Policy

In all likelihood, after a thorough review of your information architecture and data flows, you'll discover that there is a lot you need to do to ensure compliance with the CCPA. You'll need a comprehensive understanding of the CCPA's legal requirements, your information architecture, and your own business goals.

Something else you'll need to review is your company's Privacy Policy because according to the Internet Society's Online Trust Alliance (OTA), most Privacy Policies are not up to CCPA standards.

For example, the OTA analyzed over 1,200 Privacy Policies from businesses around the globe and discovered that while many stated that they didn't share data with third parties, not even one Privacy Policy stated explicitly that website users would be notified when their data was shared or sold, which the CCPA demands.

Becoming CCPA-Compliant

As you work toward compliance with the CCPA, you'll discover that there are many areas where your startup needs to update how you do things. Improvements and updates in procedures and processes, security practices, and in policies may all be necessary.

What Your Privacy Policy Needs

There are many things your startup's Privacy Policy could include. However, immediately below is a quick checklist of the major things you must include to be compliant with the CCPA.

  • State clearly what information your startup collects
  • State why you collect this personal information and what you use it for
  • State who your startup may share personal information with, and why
  • State how your startup gathers personal information
  • Provide users with information on whom they can contact if they want more details on how their information is used and stored
  • Provide information on consumer rights according to the CCPA
  • Update your startup's Privacy Policy every 12 months to ensure that it is current and compliant with the CCPA
  • Provide information on how users can have their personal information deleted

For example, see how Maven lets their users know they can delete their accounts as well as personal data in the screenshot below:

Maven Privacy Policy: Account Information update clause

You must also:

  • Provide information on how users can opt-out of your data gathering efforts
  • Ensure that consumers know you do not discriminate against them if they choose not to participate in your data gathering efforts

Finally, whenever you update your Privacy Policy, you must make that fact public. You will need to either post or send out notices that changes have been made.

The bottom line here is that most companies, and probably your startup, deal with user data rather heavily. Since the CCPA is now in effect, if you deal with customers in California at all, you are bound to abide by the CCPA's rules.

Even if your startup doesn't deal with California residents now, recall that the CCPA is likely to serve as an example for other states and perhaps even federal privacy legislation in the near future.

Therefore, even though the CCPA's privacy requirements might seem daunting, updating your Privacy Policy is a good idea. Compliance doesn't have to be hard, and it's in your best interests.

William B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.