The California Consumer Privacy Act (CCPA) took effect on January 1st, 2020. This new privacy law will affect businesses all over the world. The law makes a lot of demands on businesses. In particular, it requires businesses to fully disclose how they treat consumers' personal information.
The CCPA takes the United States closer to the sort of strict privacy regime that has existed for many years in the EU. It's clearly influenced by the EU's General Data Protection Regulation (GDPR). But even GDPR-compliant businesses will have a lot of work to do to comply with the CCPA.
The CCPA applies to "businesses." However, the CCPA defines "business" in a specific, threshold-based way, so not every company that handles Californians' data is covered.
A business is any for-profit entity doing business in California that meets at least one of the following:
Has annual gross revenues of more than 25 million USD,
Annually buys, sells, receives, or shares the personal information of at least 50,000 consumers, households, or devices, or
Makes 50 percent or more of its annual revenue from selling consumers' personal information
A business also "determines the purposes and means of the processing of personal information." If you're familiar with the GDPR, you'll know that this is the definition of a "data controller."
Most companies that clear one of the thresholds above fit this description. If your business collects personal information directly from its users and decides what to do with it, it almost certainly meets this criterion.
Most businesses that aren't data controllers are "service providers."
Service providers process personal information on behalf of other businesses. For example, MailChimp emails a company's customers on that company's behalf. Service providers are known as "data processors" in other privacy laws.
Does the CCPA Apply to Businesses Outside of California?
The CCPA isn't (only) aimed at businesses based in California. It's aimed at any business that processes the personal information of consumers in California. So, much like another major California privacy law, the California Online Privacy Protection Act (CalOPPA), the CCPA applies to businesses all over the world.
Your business could be based anywhere from Fresno to France - as long as your services are accessible in California, you could be covered by the CCPA and have to adhere to its requirements.
This might not sound too bad until you consider that civil penalties are assessed per violation (up to 2,500 USD each, or 7,500 USD for an intentional violation), and a violation can occur each time a person accesses your non-compliant website or app.
We're going to take a detailed look at each of these requirements and some examples of businesses that are already complying.
There are a couple of important things to note before we do this.
Note how the clause begins with a phone number and email address that customers can use to exercise their rights. Further details and important information are then included, such as what the customer must do and any limitations on the requests.
While FloraFlex is obviously keen to demonstrate compliance with the CCPA, it's worth noting that only businesses that do sell personal information are required to comply with this part of the CCPA.
Categories of Personal Information You Collect
You must provide a list of the categories of personal information you've collected over the past 12 months.
To comply with this requirement, you need to know what constitutes "personal information" under the CCPA. Here's the definition as it appears in the CCPA:
"information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The CCPA lists the following categories of personal information:
Identifiers (such as name, email address, social security number, IP address, etc.)
The categories of personal information listed in the California Customer Records Statute (Cal. Civ. Code § 1798.80)
Protected legal characteristics
Audio, electronic, visual, thermal, olfactory, or similar information
Inferences about personal preferences and attributes drawn from profiling (e.g. via cookies)
You don't have to use a chart format, but it's something to consider since it helps keep things organized and makes information easier for your users to sort through.
Your Sources of Personal Information
In addition to telling your users what categories of personal information you collect, you need to disclose your sources of personal information.
You may collect personal information from a variety of sources, depending on the context in which your business operates. You only need to list the categories of sources (for example, "advertising networks" or "data brokers"), not each individual source.
Note that the company has not sold any personal information in the past 12 months, so it lists "No" for each of the CCPA's categories of personal information. You can also make a simple blanket declaration that you have not sold any personal information in the past 12 months.
Personal Information You've Disclosed for Business Purposes
The CCPA's recognized "business purposes" include:
Auditing legal and regulatory compliance
Detecting security breaches
Protecting against fraud and malicious activity
Taking action against wrongdoers (e.g. fraudsters and hackers)
Identifying and fixing technical errors
Contextual ad customization that does not involve or contribute to profiling
Internal research to develop or demonstrate technology
Testing or improvement of any service or device "owned, manufactured, manufactured for, or controlled by" the business
Note that these examples are not exhaustive.
Here's how marketing company Lumen5 discloses how it shares its users' personal information with service providers:
Instructions on how California consumers can request access to and deletion of their personal information
If you sell personal information, a link to your "Do Not Sell My Personal Information" page
A list of the categories of personal information you've collected over the past 12 months
Your sources for each category of personal information you collect
Your purposes for collecting each category of personal information
A list of all the categories of personal information you've sold over the past 12 months, or a disclosure that you don't sell personal information
A list of all the categories of personal information you've disclosed for business purposes over the past 12 months or, a disclosure that you don't disclose personal information for business purposes