Consumer Privacy and Your Business – What You Need to Know
Are you a business that sells products or services to consumers online? If so, then regulatory compliance with consumer privacy should be in your DNA. The California Consumer Privacy Act (CCPA) gives consumers control over the personal information that businesses hold about them. Under the CCPA, there are rules and regulations you will need to be aware of so you can stay squeaky clean in the eyes of the law, and I am here to help you through the legal jargon so you can remain (or become) compliant.
I’m not in California, so why does their Consumer Privacy Act apply to me?
If you do business with anyone who lives or works in California, the CCPA could very well apply to you. If you have ever used a consumer list from a list provider, conducted any type of transaction with a California resident, or even worked with a third-party vendor who may potentially work with California residents, you are subject to the California Consumer Privacy Act. Keep an eye out for the phrase “alone or in combination with other businesses…”; when you look at the big picture, it essentially applies to everyone.
In the most general sense, the California Consumer Privacy Act applies to a business or proprietorship that:
- Does business in the State of California by means of a physical storefront or online transactions.
- Buys, receives, or sells personal information, or acts on behalf of any business or vendor for which such information is collected. This includes list data.
- Alone or jointly with other businesses, partners, or vendors, determines the purposes or means of processing collected data.
AND meets one or more of the following criteria:
- Alone or in combination with other businesses, buys, receives for the business’s commercial purposes, sells, or shares the consumer information of 50,000 or more consumers, households, or devices.
- Reports an annual gross revenue in excess of $25 million.
- Derives 50 percent or more of its annual revenues from selling or sharing California residents’ personal information.
Nonprofit organizations and government agencies are exempt from the CCPA rules, as they have their own set of guidelines to adhere to, but as a private for-profit business, even if you are unsure of whether this Consumer Privacy Act applies to you, following the guidelines will give you a head-start when other states adopt such rules.
I am a small online business, and I don’t collect or sell my customers’ information. Do I need to worry about CCPA compliance?
In short, yes. As I mentioned previously: if you’ve ever purchased a consumer mailing or email list from a list vendor to market your business, if you have ever conducted any type of transaction with a California resident, or if you have ever purchased from or sold to a vendor who may also work with California residents (or even if their vendors transact with California residents!), you are subject to the California Consumer Privacy Act.
I know – it seems like quite the crazy web of responsibility, right? You are definitely better safe than sorry here.
Under the CCPA, even if your business does not itself collect personal information from consumers, the law can still apply. As long as personal information is available to be collected on behalf of your business, for example through a third party such as a list provider, customer database provider, or vendor, your business could still fall under the regulations of the CCPA.
Does CCPA apply to B2B businesses?
Some businesses may be led to believe the law does not apply to them because they do not engage in transactions directly with individual consumers. Again, there is that web of responsibility, one party tied to the next… and so on. You may only work with other businesses, but those businesses very likely have contact lists with (you guessed it) California residents on them.
What if I am audited for consumer privacy and found to be non-compliant with the CCPA?
As the old adage goes: Prevention is key. But, what if someone (totally not you) didn’t know that the rules have been evolving? Well, there are consequences to non-compliance, but the good news is you’ll have a 30-day grace period to take action to correct any issues before you face liability on record.
And what if you don’t take action? Well, a business violating the CCPA is subject to injunctions and penalties of up to $2,500 for each violation, and up to $7,500 for each intentional violation. Plus, the CCPA provides California residents a private right of action if their personal information is breached because the business did not meet its duty to maintain reasonable safeguards to protect that information. Private action can include statutory damages of up to $750 per consumer per incident or the cost of actual damages, whichever is greater.
An August 2019 IAPP survey revealed that only 2% of organizations were able to report that they are currently in full compliance with the law. In another survey, over 44% of polled business owners and company executives had never even heard of the CCPA, and only 12% were aware that the law applied to their business. As a business owner or executive, I strongly urge you to determine whether you have CCPA obligations. Compliance will ensure you can continue to operate smoothly without any CCPA audit hiccups to deal with.
What can I do to stay compliant with the CCPA Privacy Act?
I know – Consumer Privacy Act information is a lot to absorb. Without translating the pages and pages of text from the CCPA itself, and all of the peripherals involved, I will attempt to break it down for you in a few (ok, ten) key points. If you are just plain too busy, or this type of thing makes your brain hurt, my team is ready to help.
1. Know your obligation to the CCPA in terms of what personal information is being collected on consumers and know whether their information is being sold and to whom.
2. Make it clear and simple for your customers to opt out of their information being sold, as well as obtain a copy of their personal information.
3. Ensure your customers receive equal service and price regardless of whether they exercise their CCPA rights.
4. Map your consumer data. If you are obligated under the CCPA, start by mapping the personal customer information under your control. Take note of:
- How you collect personal information
- The type of personal information you collect or keep
- Where and how you store your data
- Whether you share data with other entities
- Whether shared data is part of a sale, a provided service, or used for another purpose
Consumers exercising their CCPA rights may request their information, and businesses will need to comply with such requests. Personal information that is held by a third party on behalf of your business is also subject to the regulations, so in addition to conducting your own data mapping, be sure all of your third-party vendors do the same and share the results with you.
5. Keep your privacy disclosures updated. The CCPA gives consumers the right to know what personal information is being collected about them. Businesses must provide a privacy disclosure at or before the point of data collection, and this disclosure must make consumers aware of the categories of personal information that will be collected, the purposes for which the information will be used, and any third-party use of that information.
As part of regulatory compliance, privacy disclosures must be updated annually.
6. Make a privacy link readily available on your homepage. The CCPA calls for a clear and conspicuous privacy link on the homepage of any obligated entity’s business website. It must be titled “Do Not Sell My Information,” and linked to an opt-out page allowing consumers to opt-out of having their personal information sold.
7. Develop a process for handling Consumer Privacy Act requests. Businesses must be ready to respond to the consumer requests about personal information that the CCPA allows. These requests must be processed free of charge and within 45 days of the request. Customers may make CCPA requests for the following:
- A copy of their personal information contained in your database
- Deletion of their personal information from your database
- The categories of their personal information that are being sold
- Opting out of the sale of personal information, for those over 16 years old
- Opting in to the sale of personal information, for those between the ages of 13 and 16
- Consent from a guardian to sell the personal information of a consumer under 13 years old
It is important that your business pay close attention to the noted age requirements. The law states that “a business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.” Age information could prove to be a risk area in CCPA compliance.
8. Identify necessary data collection system privacy changes, and implement them.
Data collection systems will need to be updated, and this can prove quite the undertaking for business owners. Prioritizing changes and procedural updates within your change management process is key, and no one needs to be late to this party. Sound daunting? Our team can help you get started AND see you through the entire process.
9. Train your employees on Consumer Privacy Act best practices.
Educated employees can put you way ahead of the curve. All employees, especially those in customer-facing roles, must be educated on the following:
- Physical location does not determine CCPA coverage
- For CCPA purposes, a consumer is a resident of California
- Where to direct consumer requests regarding personal information
- Whether your organization has chosen to apply this law company-wide or only to California consumers
10. Strengthen your data security for CCPA and the protection of your customers.
Because the CCPA allows consumers to seek damages for breached personal information resulting from violations on the part of the business, the financial consequences can be mighty harsh. Obligated businesses should make a point of reviewing and updating their information security and privacy policies at least annually, while continuously monitoring their data security controls, firewalls included, to ensure risk is mitigated to the greatest extent possible.
If you are just plain too busy, or this type of thing makes your brain hurt, Commonplaces is ready to help.