At PMA, we strive to stay ahead of the curve when it comes to business trends and technological advances that benefit our clients (and clients-to-be!). Many of our clients that do business globally were concerned with the GDPR, specifically who needs to comply, and what compliance means for the average business owner. Our recommendation at the time was to seek legal advice, so your business is protected.

We are once again hearing rumblings from our clients, this time over the new California privacy law (CCPA), coming into effect in January 2020. What does this mean to you? What are the regulations, who needs to comply, and what does compliance look like?

There’s a lot of great information available, and a lot of misinformation muddying the waters. For this reason, we wanted to share this incredible article by Peter Hoppenfeld, Strategist, Advisor & Attorney At Law.

We hope you find this article as helpful as we did!


The Basics

For-profit businesses that collect or use personal information, do business in California, and meet certain thresholds (related to revenue and data collection) may be required to comply with CCPA.

Do you (and your business) have to comply with CCPA?

The answer is YES, if:

You are a for-profit business that does business in California;
Your business collects personal information from California consumers;
Your business determines the purposes and means of processing that personal information of California consumers;
AND you meet or exceed one of the following requirements, as set forth in the Act:

Your business has $25,000,000 in annual gross revenues; or
Your business buys, sells, shares, and/or receives the personal information of at least 50,000 California consumers (that’s just 137 clicks per day from unique CA visitors), households (still not a fully defined term), or devices (very important, as a single consumer might have multiple devices) per year; or
50% of your business’s annual revenue is derived from selling the personal information of California consumers (NOTE: this is relevant if you have a strong affiliate marketing presence)

If you answered YES, CCPA will apply to your business.

CCPA applies to me. Now what?

Consumers may request to opt-out from sale of personal information. In order to comply, you should:

Place a “Do Not Sell My Information” link on your website
Comply with the request
Not seek reauthorization for 12 months
Not discriminate against opted out consumers

Under CCPA, consumers may also request:

Disclosure of personal information, including:
o How it was collected
o How it is used
o Any third parties with whom it has been shared
Data portability in a usable format that the consumer can transmit to another entity
Deletion of personal information (there are some exceptions to your requirement to comply, such as if you need to retain the information in order to complete a transaction on behalf of that client, or to comply with a specific legal obligation).

In broad strokes, here’s what you have to do to prepare:

You have to have a way to receive and respond to data subject access requests, track those requests, and make sure they are being fulfilled. Some companies are choosing to implement this across the board, and not just for California clients.
Ensure that data is only shared with parties that have a purpose for receiving the information. Make sure that sensitive data is handled with an even greater degree of confidentiality.
Comply with consumer requests.

In order to prepare to comply with these requests, you should:

Map your data
Make sure your technology supports your ability to comply
Review and revise agreements with third parties
Train your team
Amend your privacy notice

You should also take the following actions to be prepared to accommodate these consumer requests:

Make consent at least as easy to withdraw as it was to give
Have two or more methods for consumers to submit requests, such as: a toll-free telephone number and website address
Don’t discriminate against consumers who have exercised their rights, such as by charging them more or offering them less
Comply with verifiable consumer requests
Respond to a request within 45 days
Instruct all third parties with whom you have shared the consumer’s personal information to comply with the request, as well

Best practices would dictate that you implement these measures with respect to all consumers, not just those who you believe to be from California (i.e., geotracking by IP address won’t help you when you have a California resident accessing your site or service from another state).

What about sharing information with third parties?

CCPA doesn’t require you to stop sharing consumer information with third-party vendors and advertisers, but you do have to:

Know all of the third parties with whom you share information
Inform your consumers that you share their information with third parties
Stop sharing with these parties when a consumer asks you to

If you are obligated to comply, you are also obligated to ensure that all of your third-party service providers use and process the information that you share with them in a way that enables you to be compliant (for instance: they only use the information to perform their contracted task, they delete information upon request, etc.).

What if I said NO to the questions above?

If you answered NO based on the above information, but still wish to provide a disclosure related to CCPA to your customers, we can provide you with an amended Privacy Policy, much in the way that we did in advance of the effective date of GDPR.

Even if CCPA doesn’t apply to you now, it might in the future. Are you a growing company? Do you have unique website visitors? Do you have a growing population of consumers in California? If so, you might consider implementing the same above compliance tactics as mandated for those companies that do fall within CCPA.

Peter Hoppenfeld, Strategist, Advisor & Attorney At Law
Rachel Leeds Edelman, Certified Information Privacy Professional

What’s the takeaway from this? If you’re not sure whether the CCPA applies to your business, or if you want to get ahead of the compliance regulations that are undoubtedly due to be similarly implemented across the country, we highly suggest you seek legal advice on the best way to move forward for your business.

By Peggy Murrah, Founder of PMA Web Services

Author's Bio: 

Peggy Murrah is a unique combination of web and marketing savvy, along with dependability and resourcefulness. These qualities have been instrumental in her building a successful business that serves clientele across five continents. PMA Web Services provides marketing direction and strategies for entrepreneurs through mentoring, social media marketing, list building and management, and development/maintenance of their online presence.