
Can CCPA Affect Your Small Business?

Written by Matt Davis, CIPM (IAPP) | October 30, 2019

California Consumer Privacy Act: It Applies to Small Businesses Also!

You may have heard of the EU’s GDPR (General Data Protection Regulation), but what about the CCPA? That stands for the California Consumer Privacy Act, and it’s something every company, regardless of its size or where it does business, needs to know about.

The CCPA was passed by the California legislature and signed into law on June 28, 2018. It takes effect on January 1, 2020, and enforcement by the state Attorney General begins on July 1, 2020. Similar to the GDPR in the EU, the CCPA grants nearly 40 million California consumers “new rights with respect to the collection of their personal information.” Great for consumers, a little confusing and concerning for businesses that aren’t sure whether they’re required to comply.

First, here are just some of the rights the CCPA grants consumers:

  • The right to request a business to disclose what personal data was collected about them
  • The right to be told the sources from which that information was collected
  • The right to be told why their personal data was collected
  • The right to understand how their personal data will be used
  • The right to know if their personal data was sold to a third party and which third parties it was sold to
  • The right to be told upfront, before the data is collected, that their data may be collected and why

Does this mean that every business that has a customer in California has to comply with the CCPA? Not exactly. Businesses are required to comply if they meet just one of the following preconditions:

  • Annual gross revenues exceed $25 million
  • Annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices. The meaning of "receives" has grey areas: some interpret it to cover storing web server log files and analytics data, while others believe the prong only applies if you actually sell that data. Note the scale involved: 50,000 devices a year works out to roughly 140 unique visitors a day, so an ordinary website with analytics enabled can cross this line. Only time and enforcement actions will reveal how California chooses to interpret this provision.
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information

As long as your business doesn’t check any of the above boxes, you’re off the hook, at least for now. But the real question these laws raise isn’t what the minimum for compliance is; it’s what a business owes its customers. Good business practice dictates that companies seek "compliance and beyond" by doing more than just the minimum.

We All Deserve A Break

We are all consumers. Every one of us has personal information floating out there that we probably would rather be safely protected. It’s a bit unnerving to wonder if our data is being abused, but without many laws in place, we just have to hope it won’t get into the wrong hands. Millions of people aren’t as optimistic. They’ve already been victims of data breaches. For them, it’s too late.

Take, for instance, the Capital One data breach earlier this year, in which roughly 100 million customers and credit card applicants were told their personal data had been compromised. When they filled out forms, created their usernames and passwords, entered their data, and searched the site, they had no idea what the bank was doing with all of that data. They didn’t ask, and the bank didn’t tell.

Then there’s the Facebook exposure. More than 540 million records of users’ personal information were found sitting in publicly accessible cloud storage, held not by Facebook itself but by third-party app developers. Just think about what people put on Facebook. Some share more than others, but few realize just how much data Facebook is constantly collecting and sharing about them. They don’t ask. Facebook doesn’t tell.

But it’s not just Facebook that has this data. Facebook allows third-party businesses to access your data, and who knows what their privacy policies are, if they even have them. Yet even as we hear of these breaches, we continue to put our data out there and everywhere, hoping the organizations we do business with will somehow safeguard it. Laws like the CCPA and the GDPR aim to force them, and all businesses, to do the right thing by their consumers. The regulations may seem like a pain for businesses, but as consumers ourselves, isn’t it the best thing for all of us?

What The California Consumer Privacy Act Means for Businesses

California may be the first U.S. state to put forth such strict consumer privacy rights, but all indications point to more states following suit. If California sets the precedent, here are some of the CCPA requirements that other states are likely to impose on businesses in the future:

  • At or before the point of collection (for a website, when the visitor arrives), the business must inform consumers that it collects personal data, what personal data it collects, and how that data will be used or sold
  • If a consumer requests, the business must disclose which pieces of personal information it collected about them
  • If a consumer requests, the business must provide (for free) all of the personal information it collected (businesses are not required to honor such a request more than twice in a 12-month period)
  • If a consumer requests, the business must delete the personal data it collected on that consumer. The business must also direct any service providers holding the data to do the same.
  • Caveat #1: If the data is required to complete the consumer’s transaction, the business does not have to delete it
  • Caveat #2: If the business must retain the information to detect security incidents, protect against malicious or illegal activity, engage in research that benefits the greater public, or comply with a legal obligation, it does not have to delete the information on request. For security teams this is the exception to note: logs and telemetry kept for incident detection fall under it, provided they are actually used for that purpose and retained no longer than that purpose needs.

What You Can Do Now

The clock is ticking. Now is the perfect time to put a plan into place to not only comply with the CCPA and the GDPR, but also to comply with the inevitable privacy laws that will follow. The good news is, once these practices are established, compliance should be much easier, even automatic.

For instance, businesses can place a cookie consent pop-up on their website that informs visitors that the site uses cookies and gives them the ability to opt in or opt out. Using a commercial consent management platform, it’s easy to customize the appearance and the language so it matches the visitor’s geographical location: opt-in before any non-essential cookie is set in GDPR jurisdictions, and a clear opt-out for California visitors. In this way, no matter where the visitor resides, the consent flow can follow the rules that apply to them. One practical caveat: the banner only helps if non-essential scripts actually wait for the visitor’s choice. A banner shown on a page where the analytics and advertising tags have already fired records a consent the site never honored.
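As an added illustration (not code from the original article or from any consent management product), the gate below shows the part a cookie consent pop-up has to get right: every non-essential tag checks a stored choice before it runs, the default follows the regime for the visitor’s region, and anything malformed in storage falls back to the stricter default rather than to "allow". Region detection, the storage key, the category names, and the region labels "EU" and "US-CA" are assumptions for the example, and the opt-in/opt-out split (opt-in under GDPR, opt-out of sale under CCPA) is a simplification of both laws.

```javascript
// Added example (not from the original article): a minimal consent gate.
// Storage is injected so the same class runs in Node (MemoryStorage below)
// or in a browser (pass window.localStorage). The region string is assumed
// to come from the server; "EU" and "US-CA" are hypothetical labels.

const CATEGORIES = ["necessary", "analytics", "advertising"];

// Default posture per regime (a simplification used for this example):
// opt-in before any non-essential cookie in GDPR regions, opt-out under
// CCPA. An unknown region gets the stricter, opt-in default.
function defaultConsent(region) {
  const optIn = region === "EU" || region === "UNKNOWN";
  return {
    necessary: true,      // strictly necessary cookies need no consent
    analytics: !optIn,
    advertising: !optIn,
    doNotSell: false,     // CCPA "Do Not Sell" opt-out, off until the visitor sets it
    recordedAt: null,     // null means the visitor has not made a choice yet
  };
}

class ConsentManager {
  constructor(storage, region, key = "consent_v1") {
    this.storage = storage;
    this.region = region;
    this.key = key;
  }

  // Read the stored choice; anything missing, malformed or tampered with
  // falls back to the regional default rather than to "allow".
  load() {
    const raw = this.storage.getItem(this.key);
    const fallback = defaultConsent(this.region);
    if (raw === null) return fallback;
    let parsed;
    try {
      parsed = JSON.parse(raw);
    } catch (e) {
      return fallback;
    }
    if (typeof parsed !== "object" || parsed === null) return fallback;
    return { ...fallback, ...parsed };
  }

  // Persist the visitor's choice with a timestamp (the record the business
  // needs when asked when it obtained consent or received an opt-out).
  record(choice) {
    const merged = { ...this.load(), ...choice, recordedAt: new Date().toISOString() };
    merged.necessary = true;                          // cannot be switched off
    if (merged.doNotSell) merged.advertising = false; // no sale means no ad-tech sharing
    this.storage.setItem(this.key, JSON.stringify(merged));
    return merged;
  }

  // The gate every non-essential tag loader must call before running.
  allows(category) {
    if (!CATEGORIES.includes(category)) return false; // unknown category: deny
    return this.load()[category] === true;
  }

  // Keep showing the banner until a choice has actually been recorded.
  needsBanner() {
    return this.load().recordedAt === null;
  }
}

// localStorage-compatible in-memory store for tests and server-side use.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
}

// Usage: run the tag loader only if the gate allows that category.
// Returns whether the loader was invoked.
function loadTagIfAllowed(manager, category, loader) {
  if (!manager.allows(category)) return false;
  loader();
  return true;
}
```

In a real deployment the `loader` callback is what injects the analytics or advertising `<script>` element, and nothing else on the page should create those tags; wiring the tags directly into the HTML and only hiding the banner afterwards is the failure mode described above.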

Further, tools exist to help businesses streamline their privacy policies and even grade them with a score. These scores can be a useful way to show that your business puts its money where its mouth is when it comes to protecting consumers’ privacy rights: the higher the score, the more responsible and proactive the company appears. A score is a signal rather than proof, but it gives visitors some assurance that they are doing business with a company that takes the CCPA, the GDPR, and whatever state or federal data privacy regulation comes next seriously.

As these privacy standards become more familiar and more states jump on board, the companies that lead their industry in compliance will have a competitive advantage. Consumers will be able to compare businesses and choose which ones value their right to privacy and which ones lag behind. As consumers ourselves, which companies would we want to do business with, even if it meant paying a little more? What is your personal data privacy worth? The tolerance for breaches and non-transparency will likely decrease over time.

Businesses that fail to comply will face more than penalties; they risk losing valuable market share they may never recover, and they risk losing consumer trust. Remember, the CCPA is just one of many data privacy laws. Good privacy programs abide by, and even exceed, the requirements of many laws at once.

Want to learn more about CCPA?

Read the definitive guide: California Consumer Privacy Act Guide: Everything You Need to Know