So... what is CCPA? CCPA is the California Consumer Privacy Act... don't stop reading yet - even if you don't live in CA, your website likely has visitors from CA and therefore this applies to you. The Act was passed & signed in 2018 and goes into effect on January 1, 2020 - Happy New Year friends!!!
I will have a few posts about this topic and we will be going a bit backward - this post will explain what you need to do if you are a small business owner or freelancer and do not make $25 million-plus. I sure as hell don't, but you may have clients that do, so we will talk about those businesses in another post. Even if you don't specialize in this area, bringing it to their attention will win you major points! AND save them MONEY if they were not aware this applies to them.
What do you have to do to become CCPA compliant:
Have a specific, individual contact page on your site, not just a small 'contact me' box in the footer.
Add a “Do Not Sell My Personal Information” page to your site and link to it on your homepage.
Potentially have a toll-free phone number for users to submit requests for their personal information to be deleted from your website (there is an amendment in the works that would exclude most of us from this, but just keep this in the back of your mind). I will gather some info and resources for you on this in the event this clause does stick.
Okay, now let's go more in-depth on what the above actually means.
Website visitors need at least two (2) methods to contact you to request their information be deleted from your site: a contact page and a toll-free number - again, the toll-free number may end up being stricken from the law. Once you receive a request, you have to comply and complete the deletion within 45 days of the initial request. The Act specifically states "days", not business days, so keep that in mind.
You cannot assess a fee for this nor can you simply block traffic from California to avoid the Act altogether. Even if you did, a lot of people now use VPNs (Virtual Private Networks) which mask their IPs and you have no way of knowing truly where they are located - so this wouldn't be a foolproof method.
Additionally, the CCPA states that you can’t provide a different experience just because users exercise their rights, which I would take to mean that you can’t just block users from California.
So what will happen if you are a rebel without a cause and just "see what happens"? You will get a notice giving you 30 days to comply, cure, or fix your non-compliance. If it’s not something you fix, and the consumer has already suffered damages, then the consumer can bring a lawsuit to seek damages ranging from $100 - $750, injunctive or declaratory relief, and/or anything else the court deems proper. And guess what, this is PER INSTANCE!
If you continually violate CCPA, the court can take a lil' looky lou at your assets, liabilities, and net worth to see what is up for grabs. Those operating as Sole-props need to be on this Act like white on rice since you have zero protection. The purpose of this Act and those coming (Nevada, Washington, Texas all have similar Acts coming down the hill) is to ensure consumers' rights are upheld and their personal information is being handled with care, meaning they would likely approve a fine that lines up with the seriousness of the misconduct and what you can actually afford, on top of the $100 - $750 you may already be fined.
If you still sit back and chillax or you do make remediations, but not all of them, guess who else will hit you up, the Attorney General...yup, big ol' AG joins the game! They can (and probably will) fine you - up to $7,500 PER INSTANCE! We're talking big money here friends and I hate to say this, but there are people out there who stay up on laws like this and pounce the second compliance is due and search for businesses who are yet to be compliant and start filing lawsuits left and right looking for a payout. By no means am I saying comply just because of this, comply to be a decent person and a trustworthy business. You are a consumer too and I'm sure you want the businesses that you use to comply and protect your rights...right?
This wraps up our first post on CCPA. Every Wednesday I will have a new post up so you fully understand the Act and what you need to do. I am also creating new Privacy Policies for you so you don't have to worry about it. There will be a version for those who do not sell information or use third-party apps and one for those that do. Be sure to sign up for our newsletter so you are notified the moment those hit The Shop x Complianceology.
Drop your comments or questions so I can address them in the next post. This Act isn't an easy one...
**Although I am a Licensed Business Coach and Compliance Auditor, this post is not legal advice and is educational and informational only. Reading this post and others does not constitute a client-consultant relationship. Should you want to work 1:1 on this Act or another topic, please contact me at firstname.lastname@example.org.