CCPA Recap, Clarification, and "Good News"

CCPA isn't in the limelight anymore, but it's still here, it's not going anywhere, and it already has enhancements in the works that are due to go live in 2020. But first, I want to clarify the 3 CCPA qualifications, as I'm seeing a lot of misinformation and even some lawyers on FB telling small businesses not to worry about it, period, or even to implement/update their privacy policy.

CCPA largely applies to big businesses, but it can absolutely still apply to small businesses, not to mention that as business owners we need to be proactive and not reactive in this day and age. But we'll get to that later... The 3 qualifications CCPA has are:

CCPA applies to every company in the world if:

>> They collect personal data of California residents

>> They (or their parent company or a subsidiary) exceed at least one of the three thresholds:

> Annual gross revenues of at least $25 million OR

> Obtains personal information of at least 50,000 site visitors per year OR

> At least 50% of their annual revenue is generated from selling California residents’ personal information

You only have to meet one qualification, not all three.

The qualification small businesses need to look at is "Obtains personal information of at least 50,000 California residents, households, and/or devices per year". This seems like a massive number, but it's less than 150 site visitors per day, and the site visitor only needs to stay on a page for about 10 seconds or less for their information to be collected. If you have decent traffic, you absolutely need to be looking at your numbers for the preceding 12 months to see where you are and whether you've hit that number.

Obtains personal information per CCPA means: "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration."

I assume the additional changes that are coming this year are due to the fact that in some areas CCPA is vague, and this is where you can easily get into trouble. The biggest one is that it does not clearly define whether the data collection of 50,000 has to be 100% on California residents only or whether just 1 California resident then requires you to comply. I asked a lawyer about this on their FB post that was telling small businesses to just ignore the Act fully, and their response was "Guess California has a lot to tell us"... That didn't seem very helpful or show their followers what exactly to do with that info... Grey areas like this are the exact reason you want to be proactive and not reactive until it's clarified, as fines begin at $7k per instance. Do you want to roll that dice? Or better yet, can you afford to, per instance?

Ex. Per instance means that if you collected information on 70,000 people, that is 70,000 instances.

It does seem daunting, but complying really is not rocket science. Get a compliant privacy policy (like ours here) or update your current one (grab a CCPA-only clause to add to your existing policy here), and add a popup consent/opt-out banner and a contact method so California site visitors can request that you delete their information from your site. But this is just what you need to do on your site. (There are internal procedures that you will need to have in place that I will touch on in the next blog. Again, they are not hard.)

Another item I've yet to hear anyone mention is that although CCPA went live on January 1, 2020, fines will not be issued for non-compliance until July 1, 2020, and if you are cited, you will have 30 days to become compliant. But with changes coming, it is unclear if this will remain in the Act.

Now, why do I recommend you implement a policy even if you do not meet any of the qualifications yet? Why not? Once you do meet them OR if the Act is changed and you meet them at that time, you're ready. Good business practice is to be ahead of the game so you don't have as much work to do during the game, especially since what you need to do is not terrible. And this may actually be one of the more important items: your site visitors will have a lot of respect for you and trust your business even more.

Stay tuned for the next blog to see what else you need to do. If this truly does not apply to you, you want to know this for when it does and to be able to assist your clients on this if/when it applies to them!


Your Compliance Bestie


©2019 - 2020 Complianceology