You may have noticed in the past month that many businesses recently updated their privacy policies; this is in response to the California Consumer Policy Act (CCPA). The CCPA went into effect on January 1, 2020, and is expected to be enforced in July 2020.
The California Consumer Policy Act is a law that protects the privacy rights of California residents. It applies to for-profit businesses do business in California or does business with California residents and meet one of the following three criteria:
• An annual gross revenue greater than $25M
• Buy/receive, sell/share personal info of 50,000 or more California residents or households or devices for commercial purposes
• Make 50% or greater of your annual business revenue by selling California residents’ personal information.
Even if you are a small business, the second criteria could apply to you. For example, tracking website visitor information like with Google Analytics or on an email list are considered collecting personal information. If a small business has over 50,000 California residents visiting their website within a year or on their email list, they are subject to the CCPA. If you are approaching any of the criteria it would be best to make updates as well.
What are the penalties of the California Consumer Act?
If a business intentionally violates the CCPA the maximum fine is $7,500. Other violation lacking intent face a maximum fine of $2,500. Consumers can also file lawsuits against companies violating the CCPA and collect and damages fee. On average the plaintiff can collect between $100 and $750 for damages.
The CCPA requires that businesses provide an opt-out option if consumers do not wish for the business to collect or track any of their personal data. On the website should include a “Do not sell my information” consent.
Personal data includes, but is not limited to, real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (“IP”) address, email address, account name, social security number, driver’s license number, or passport number.
In response to the California Consumer Policy business should:
- Know what third party scripts are collecting information from your website visitors.
- Update your website include a “Do not sell my information” opt-out option for visitors.