CCPA Is in Effect: How Do Small Businesses Comply?
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and has wide-reaching implications for businesses in California. If you are a small business in California with up to 25 employees, you are most likely investigating “CCPA for small business” to find out how this law affects you and what you need to do about it.
To help you understand how the CCPA impacts your business, here are answers to some common questions.
Is My Business Impacted?
First, it’s important to note that not every California business is subject to the CCPA. It applies to companies that meet the following criteria.
Where Does My Small Business Start?
As a small business that meets the criteria above, if you are not yet compliant, don’t panic. There is a 6-month grace period from January 1, during which mistakes can go unpunished. So there is still time before you need to be truly compliant.
These are the top three actions to take right now.
Understand the scope of the law
It’s vital to understand the vague definition of “personal information”, which is defined as any info which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal information can include email addresses, social security numbers, driver’s license numbers, employment information, geolocation, biometric and commercial information, internet activity, audio/video information, or education information not available to the public.
Train your employees, even if you only have a few
The CCPA requires employees who field customer requests about data privacy practices (including deleting personal information and opting out of sharing personal information) and employees who are responsible for the company’s compliance to undergo instruction to understand the law. Generally, this will require employee training—for customer service reps and anybody who handles legal compliance.
Understand the penalties
The penalties for not being CCPA compliant can be as high as $7,500 per intentional violation and $2,500 for unintentional violations, and they are enforced by the California attorney general. Consumers also have the right to pursue their own individual action against non-compliant businesses, and can sue the company if a data breach occurs due to carelessness.
How Do We Stay in Compliance?
Here are the most pressing details that need to be squared away ASAP if you are a small business owner who meets the criteria of the CCPA.
Create a “do not sell my information” page
The CCPA also calls for businesses to easily capture requests from consumers about their personal information.
The link to this page must be accessible from your website’s homepage, and it must be “clear and conspicuous,” titled “Do Not Sell My Information.” The page must allow consumers to opt out of having their personal info sold to third parties. Here is a great example from Pandora, an Oakland, CA-based company.
Develop a process for fielding consumer requests
Businesses must also be ready to quickly and easily field consumer requests about their personal information that are allowed under the CCPA. These requests must be processed free of charge and within 45 days.
Some examples of requests include:
- a copy of their personal information
- for their personal information to be deleted
- giving consent from a guardian to sell personal information for a consumer under the age of 13
The CCPA gives consumers the right to know what personal information is being gathered about them. In order to comply with that, businesses must provide a disclosure “at or before the point of collection.” It must “inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.”