CCPA Is in Effect: How Do Small Businesses Comply?
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020 and has wide-reaching implications for businesses in California. If you are a small business in California with up to 25 employees, you are most likely investigating “CCPA for small business” to find out how this law affects you and what you need to do about it. To help you understand how the CCPA impacts your business, here are answers to some common questions.
Is My Business Impacted?
First, it’s important to note that not every California business is subject to the CCPA. It applies to companies that meet the following criteria.
- You have an annual gross revenue of over $25 million
- You receive, buy, sell or share the personal information of at least 50,000 consumers in California
- You derive at least half of your revenue from selling the information of state residents
Where Does My Small Business Start?
As a small business that meets the criteria above, if you are not yet compliant, don’t panic. There is a 6-month grace period from January 1, during which mistakes can go unpunished. So there is still time before you need to be truly compliant. These are the top three actions to take right now.
Understand the scope of the law
It’s vital to understand the vague definition of “personal information”, which is defined as any info which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal information can include email addresses, social security numbers, driver’s license numbers, employment information, geolocation, biometric and commercial information, internet activity, audio/video information, or education information not available to the public.
Train your employees, even if you only have a few
The CCPA requires instruction on the law for employees who field customer requests about data privacy practices (including deleting personal information and opting out of sharing personal information) and for employees who are responsible for the company’s compliance. Generally, this will require employee training for customer service reps and anybody who handles legal compliance.
Understand the penalties
The penalties for not being CCPA compliant can be as high as $7,500 per intentional violation and $2,500 for unintentional violations, and are enforced by the California attorney general. Consumers also have the right to pursue their own individual action against non-compliant businesses, and can sue the company if a data breach occurs due to carelessness.
How Do We Stay in Compliance?
Here are the most pressing details that need to be squared away ASAP if you are a small business owner who meets the criteria of the CCPA.
Outline the following answers for your business
- What personal information do you collect?
- How do you acquire said data?
- Where and how do you keep it?
- Do you share it with other entities?
- Is the shared data part of a provision of service, sales or another purpose?
Create a “do not sell my information” page
The CCPA also calls for businesses to easily capture requests from consumers about their personal information. The link to this page must be accessible from your website’s homepage, and it must be “clear and conspicuous,” titled “Do Not Sell My Information.” The page must allow consumers to opt out of having their personal info sold to third parties. Here is a great example from Pandora, an Oakland, CA based company.
Develop a process for fielding consumer requests
Businesses must also be ready to quickly and easily field consumer requests about their personal information that are allowed under the CCPA. These requests must be processed free of charge and within 45 days. Some examples of requests include:
- a copy of their personal information
- for their personal information to be deleted
- giving consent from a guardian to sell personal information for a consumer under the age of 13