CCPA largely applies to big businesses, but it can absolutely still apply to small businesses, not to mention that as business owners we need to be proactive and not reactive in this day and age. But we'll get to that later... CCPA has 3 qualifications, listed below.
CCPA applies to every company in the world if:
>> They collect personal data of California residents
>> They (or their parent company or a subsidiary) exceed at least one of the three thresholds:
> Annual gross revenues of at least $25 million OR
> Obtains personal information of at least 50,000 site visitors per year OR
> At least 50% of their annual revenue is generated from selling California residents’ personal information
You only have to meet one qualification, not all three.
The qualification small businesses need to look at is "Obtains personal information of at least 50,000 California residents, households, and/or devices per year". This seems like a massive number, but it's less than 150 site visitors per day, and a site visitor only needs to stay on a page for about 10 seconds or less for their information to be collected. If you have decent traffic, you absolutely need to be looking at your numbers for the preceding 12 months to see where you are and whether you've hit that number.
Obtains personal information per CCPA means: "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration."
I assume the additional changes that are coming this year are due to the fact that in some areas CCPA is vague, and this is where you can easily get into trouble. The biggest one is that it does not clearly define if data collection of 50,000 has to 100% be on California residents only or if it means just 1 California resident then requires you to comply. I asked a lawyer about this on their FB post that was telling small businesses to just ignore the Act fully, and their response was "Guess California has a lot to tell us"... It didn't seem very helpful or show their followers what exactly to do with that info. Grey areas like this are the exact reason you want to be proactive and not reactive until it's clarified, as fines begin at $7k per instance. Do you want to roll that dice? Or better yet, can you afford to, per instance?
Ex. Per instance means that if you collected information on 70,000 people, that is 70,000 instances.
Another item I've yet to hear anyone mention is that although CCPA went live on January 1, 2020, fines will not be issued for non-compliance until July 1, 2020, and if you are cited, you will have 30 days to become compliant. But with changes coming, it is unclear if this will remain in the Act.
Now, why do I recommend you implement a policy even if you do not meet any of the qualifications yet? Why not? Once you do meet them OR if the Act is changed and you meet them at that time, you're ready. Good business practice is to be ahead of the game so you don't have as much work to do during the game, especially since what you need to do is not terrible. And this may actually be one of the more important items: your site visitors will have a lot of respect for you and trust your business even more.
Stay tuned for the next blog to see what else you need to do. If this truly does not apply to you, you want to know this for when it does and to be able to assist your clients on this if/when it applies to them!
Your Compliance Bestie