Small businesses, be aware: you’re not exempt from the California Consumer Privacy Act (CCPA).
Signed into law in 2018, the CCPA has teeth as of January 1, 2020, when all California businesses have to be in compliance. Broadly speaking, that means that your business has to be prepared to comply with a new set of rules for acquiring, storing, accessing, erasing, and passing along consumer data. Failure to comply comes with big financial penalties.
Click to get your free CCPA privacy policy template!
CCPA compliance might seem like it’s only for big businesses or technology companies swimming in data. But in fact, small, local businesses like restaurants, retailers, auto shops, salons, and professional service providers may be liable under CCPA, as well.
Every business that accepts card payments already has to be PCI compliant. Now, you may have to be CCPA compliant, too. (See below to see if CCPA applies to your business.)
We know it’s difficult to make sense of complex new laws, and nobody wants the hassle and financial burden of a misstep. So, we prepared a list of 8 things every small business should know about CCPA compliance.
What is the California Consumer Privacy Act (CCPA) in a nutshell?
The California Consumer Privacy Act (CCPA) gives California consumers new privacy rights and creates new obligations for businesses that are covered by the law. These rights include:
- The right to know what personal information a business is collecting and how that information is being used and shared;
- The right to a copy of the personal information a business holds about a consumer;
- The right to delete personal information a business holds about a consumer;
- The right to stop the sale of personal information by a business; and
- The right to have equal service and price, even if a consumer exercises their privacy rights.
Note that many of these terms such as “sale,” “personal information,” and “business” have unique definitions under the CCPA.
What is considered “personal information?”
Personal information is anything that identifies or could be reasonably linked (directly or indirectly) with a particular individual or household.
This includes things like names, physical addresses, unique identifiers (such as cookies), email addresses, IP addresses, commercial information (such as transaction data), financial information, biometric information, internet or device activity (such as browsing history), geolocation data, and any other information that can be connected to a particular individual.
Does it count as “personal information” if I only have my customer’s email address?
Yes. Email addresses are explicitly included in the law’s definition of personal information.
Does credit card data count as “personal data”?
Yes. Credit card numbers are also explicitly included in the law’s definition of personal information.
How do I know if my business has to comply with the CCPA?
Generally, the CCPA applies to you if:
- You “do business” in the state of California;
- You collect personal information from California residents or have data collected on your behalf;
- You make decisions regarding how that data is collected, used, or shared; and
- You satisfy at least one of three conditions:
- you make over $25M in annual gross revenue;
- you collect, buy, or share data from over 50,000 California residents annually; or
- you make 50% or more of your annual revenue selling personal information.
If I have information saved about 49,000 customers, then the CCPA doesn’t apply to me. Is that right?
Assuming that you don’t meet either of the other two thresholds related to revenue and data selling, the CCPA will likely not apply to you. But keep in mind that under the CCPA, personal information is anything that could be linked to a particular person, including IP addresses and unique identifiers, so exceeding the 50,000 threshold is easier than you might think.
Also, if you collect personal information from 49,000 California customers, there is a good chance that you will exceed the threshold in the near future, so you should be prepared to comply.
My business doesn’t operate in California, but what if I’m collecting information from a California resident — must I be in compliance then?
You don’t have to have a physical presence in California; you just need to be “doing business in California” (and meet the other requirements described above). “Doing business in California” isn’t defined in the CCPA and the AG hasn’t provided any guidance on this issue yet.
However, you’re likely “doing business” in California if you regularly offer goods or services to people in California, make a substantial number of sales in California, or otherwise purposefully derive a benefit from your activities in California. If you have questions about whether you’re “doing business” in California, please consult your legal counsel.
What if I use a POS system that automatically collects information, but I don’t own or manage that information — am I on the hook, or is the processor and/or data company?
If your POS provider collects personal information directly from your customers, you don’t make any decisions about how that information is used or shared (either alone or jointly with your provider), and your provider doesn’t share that information with you, you may not have CCPA obligations as to that information.
If I don’t meet any of the above requirements, do I still need to worry about the CCPA?
You may have obligations even if you don’t meet the requirements described above. For example, if you provide services to a CCPA-covered business and the business gives you personal information, the business may require you to agree to limit your ability to use data for other purposes and to assist with deletion requests.
In addition, if you purchase personal information about consumers from a CCPA-covered entity, the CCPA may limit your ability to resell the information without providing notice and the opportunity to opt-out to those consumers. If you have questions, you should reach out to legal counsel for assistance.
In addition, if you purchase personal information about consumers from a CCPA-covered entity, the CCPA may limit your ability to resell the information without providing notice and the opportunity to opt-out to those consumers. If you have questions, you should reach out to legal counsel for assistance.
What does “selling consumers’ personal information” entail? And how do I know if I’m doing that or not?
The CCPA defines “selling” as sharing personal information with another entity in return for “monetary or other valuable consideration.”
This means that you don’t have to receive money in return for the information; receiving a non-monetary benefit can be sufficient to make the data transfer a “sale.” So if you’re giving someone personal information in exchange for money or another set of personal information, or getting some other benefit in return, you may be “selling.”
The CCPA has a number of exceptions to “sales,” such as:
- Where the customer directs you to share personal information with the other entity, or uses your business to intentionally interact with that entity, so long as that entity doesn’t sell the information.
- Where you share personal information with a service provider with which you have a written contract. That contract must prohibit the service provider from using the information for any other purpose other than providing services to you.
I definitely don’t sell my consumers’ information, but I’m concerned the product or POS I use may make money from that info — would the CCPA’s requirements regarding “selling” information still pertain to me? Or does my business need to the one actually receiving money in exchange for customer information?
Again, you don’t necessarily have to receive money for personal information in order for the transfer to be a “sale” — receiving some benefit for the information may be enough. But if your provider is the one that is deciding whether to share the information and receiving the money or other benefit in return, it is unlikely that you would be considered to be “selling” personal information.
What are some types of businesses that are most likely to be impacted by the CCPA?
The CCPA covers any type of business that collects personal information, including offline businesses, but it will be more likely to affect consumer-facing companies that do business online.
If my business is required to comply, what steps should I take?
The main steps you should take are:
- Update your privacy policy to disclose the categories of personal information you collect and how you use and share them, and to describe consumers’ privacy rights under the CCPA.
Click to get your free CCPA privacy policy template! - Create a process for honoring a consumer’s rights to obtain a summary of personal information you collect, to obtain a copy of the consumer’s personal information that you hold, and to delete that information.
- Create a process for honoring a consumer’s right to opt out of the sale of their personal information, if necessary.
- Review your contracts with vendors that receive personal information and update them with service provider provisions, if necessary.
- Ensure you’ve implemented reasonable security measures to protect consumers’ personal information.
- Train your employees on CCPA compliance.
The California Attorney General has released draft regulations that create some more obligations for businesses and provide additional details on how to implement many of the CCPA’s requirements.
These regulations are not final yet and are subject to change. You can learn more about the rulemaking process and read the draft regulations on the California Attorney General’s Website here: https://oag.ca.gov/privacy/ccpa.
What might happen to me if I’m out of compliance?
Generally, the California Attorney General’s Office is responsible for enforcing the CCPA. After the Attorney General’s Office notifies you of the violation, you should have 30 days to attempt to fix the issue. If you’re still out of compliance after 30 days or the AG determines that you cannot adequately fix an issue, then you could receive a fine from $2,500 to $7,500 for each violation.
The one exception to this relates to data breaches. If you fail to implement reasonable security measures and experience a breach of personal information, you can be sued by private plaintiffs. If the suit is successful, you can be required to pay $100 to $750 per consumer per incident, or the plaintiffs’ actual damages, whichever is greater.
Where can I go to find someone who can help me make sure I’m doing all of the above requirements?
The CCPA is a complex law that has a number of ambiguities. Because of this, you should consult your lawyer about how you can comply. If you don’t have an attorney already, you can get referrals from your local bar association or any trade association to which you belong.
Note: This article is meant to be informational only. It’s not a legal document and doesn’t provide legal advice. Womply assumes no legal liability that may arise from the use of this article. If you have questions about your legal obligations, you should consult your legal counsel.