Last updated on 25 May 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
Some have called the California Consumer Privacy Act (CCPA) the "GDPR-lite." In other words, it is the most heavy-duty online privacy law affecting businesses ever passed by a state government in the United States of America.
The CCPA was actually passed on June 28, 2018. The law went into effect on January 1, 2020.
It is considered an incredibly important law because it constitutes the first truly thorough privacy legislation in the United States.
Any organization or company that does business in the State of California, and that deals with sensitive personal information, is bound by the rules and regulations contained in the CCPA.
It's a fair bet that the U.S. federal government will be watching California to see how the legalities play out. Whether the CCPA is good or bad for businesses and consumers will likely be seen (and ultimately used) as a case study for privacy laws across the country.
In particular, startups are going to need to pay close attention to the CCPA if they do business in California. After all, many of them, particularly technology startups, must make themselves aware of the CCPA's requirements because dealing with customer information is so prevalent in the industry.
For instance, startup founders and executives understand that consumers, end-users, investors, and partners are all more concerned about how private information is captured, used, transferred, and stored than they ever have been before.
They're hyper-aware of the possibility of data breaches and security hacks, and they know just how quickly an awful data event can become a public relations nightmare.
Startup business owners know that these kinds of issues can discourage investors, bring on government scrutiny and subsequent penalization. Worse, events like this can scare away consumers.
With that in mind, we're going to go over the major core requirements of the CCPA immediately below. However, before we do, let's just say that it pays to be as informed as possible. While nobody dreams about sitting down for a nice, long slog through the legal documentation, the fact is that most startups don't have a privacy professional on staff.
Because of that, if you're the owner of a startup or you're a member of the company's leadership team, then there is no substitute for going through the CCPA for yourself. If nothing else, you'll get the gist, and it will help you understand and assess any subsequent information you read on the CCPA.
With that in mind, you can read the full text of the CCPA here.
First, we'll lay out some of the specific rights the CCPA affords consumers and whether startups have to abide by the legislation's rules and obligations. We'll cover the core requirements of the law and then we'll talk about how these requirements specifically impact startups.
Without further ado then, let's dive in.
The crucial areas outlined in the legislation's opening are the following:
If your business website receives more than 138 visits daily, then the CCPA applies to your startup. The CCPA applies to organizations that are for-profit entities, and which collect and process the private, personal data of California residents.
Additionally, the CCPA applies if the organization meets one of the following three criteria:
Of the scenarios listed above, the one that's most likely applicable to startups is number 3. The CCPA's use of "personal information" is rather general and broadly defined. Essentially, personal data according to the law includes any data that can be connected directly or indirectly to a specific consumer.
A few examples of this include a consumer's internet activity, IP address, geolocation information, and purchasing history.
Therefore, a startup website that receives 138 visitors per day, or 50,232 visitors per year and that collects the geolocation of those visitors is bound by the provisions of the CCPA.
Organizations must be able to meet the CCPA's right-to-know standard that provides consumers with end-to-end transparency. Additionally, companies will need to let consumers know when their personal information is collected, what kind of data is collected, how the company plans to use that information, and whether it will be shared or sold.
To meet CCPA requirements, companies must:
It must be noted that the State of California attempted (controversially) to make it easy for companies to supply an "opt-out" option to consumers by creating an opt-out logo and button, which organizations would have been forced to place on their websites. These buttons and logos would then be used to link to official privacy regulations.
However, this provision was scrapped by an amendment to the CCPA in March 2020. As Jen King, the Director of Consumer Privacy at Stanford University, said in a blog post concerning this subject:
Additionally, startups will also need to:
Finally, startups must recognize that their customers have a right to have their data deleted. If the startup receives a deletion request, it will need to verify the customer's identity, and then let the customer know that their request has been received. The company will also need to ensure the customer knows their request is actively being processed.
Assuming that your startup falls under the CCPA rules, you need to take a hard look at current data flows that involve personal information.
Consider any ways that your organization is gathering information, which could include data collection through apps or on your website. Think about any third parties to whom you may be providing personal information, and any third parties from whom you are receiving it.
You must have a firm grasp of whether your business is actively using personal information as defined by the CCPA before you can begin making any changes that might be necessary to ensure compliance. You must be thorough. That means you'll need to speak with internal stakeholders to discover where they may also be collecting, using, storing, or transferring data.
That may sound extreme, but what if your startup has a website or app that gathers the personal information of its users, then someone takes that data and uploads it to a third-party cloud services provider (e.g., Dropbox, Google Drive, or Box.com), and then a company partner has access to it?
You must understand that there are different CCPA requirements for companies, third parties, and service providers. The bottom line is that you can't fall in line with the legislation if you don't understand how sensitive data flows in and out of your business.
In all likelihood, after a thorough review of your information architecture and data flows, you'll discover that there is a lot you need to do to ensure compliance with the CCPA. You'll need a comprehensive understanding of the CCPA's legal requirements, your information architecture, and your own business goals.
As you work toward compliance with the CCPA, you'll discover that there are many areas where your startup needs to update how you do things. Improvements and updates in procedures and processes, security practices, and in policies may all be necessary.
For example, see how Maven lets their users know they can delete their accounts as well as personal data in the screenshot below:
You must also:
The bottom line here is that most companies, and probably your startup, deal with user data rather heavily. Since the CCPA is now in effect, if you deal with customers in California at all, you are bound to abide by the CCPA's rules.
Even if your startup doesn't deal with California residents now, recall that the CCPA is likely to serve as an example for other states and perhaps even federal privacy legislation in the near future.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.