Last week's column dealt with the thorny topic of whether or not a web-based business really needs to comply with the European Union's new (well, fairly new) General Data Protection Regulation, or GDPR.
Since the GDPR was made effective in May 2018, a number of U.S. states — most prominently California — have adopted "mini-GDPR" laws designed to regulate web-based businesses that have a significant economic presence in their states.
The California law — called the California Consumer Protection Act of 2018, or CCPA — technically went into effect on Jan. 1 of this year, although due to delays in adopting regulations to help interpret the law, California did not begin actively enforcing it until July 1, 2020. Failure to comply can result in a lawsuit from the California attorney general's office or (more likely) from aggrieved consumers who have a "private right of action" to enforce the law.
The CCPA applies to for-profit companies that collect and handle the personal information of California residents, regardless of a physical location in the state, and (a) have annual gross revenue in excess of $25 million (b) receive or share personal information of more than 50,000 California consumers annually or (c) derive at least 50% of annual revenue from the sale of personal information of California consumers.
The term "sale" is defined in an extremely broad way, covering any communication or transfer of a consumer's personal information to another business or third party for monetary "or other valuable consideration" — if the company receives any sort of benefit in exchange for the data, it is subject to the CCPA. Traditional website privacy policies — which allow web-based companies to share data with their "affiliates" (seldom, if ever, defined) without the customer's consent — will need to be re-thought and revised if the CCPA applies.
Now, I can hear some of my readers saying, "Hold on a minute! This is a column for small businesses. You have just told me my business is too small to even worry about the CCPA, so I'm on to the next article." Before you turn the page, there are two reasons why your business should consider at least making an effort to comply:
— At least 17 U.S. states (including New York, Maine, Massachusetts and Nevada) have adopted laws similar to the CCPA over the past 12 to 18 months.
— Your customers in other states are probably well aware of the CCPA's requirements and will sooner or later expect you to offer them similar rights.
Perhaps the most important right granted to consumers under the CCPA is the right to opt out of sales of their personal information to third parties. The CCPA requires businesses to provide notice about the consumer's opt-out right by adding a conspicuous, separate and dedicated "Do Not Sell My Personal Information" link on their home page, where consumers can exercise this right. For consumers between the ages of 13-16, opting out is not enough; the consumer must opt in to having their personal information sold. For consumers under the age of 13, parental consent is required.
California consumers also have the right to know and to request access to their personal information including (1) what categories of personal information have been collected, disclosed or sold, (2) the sources from which their information was collected, (3) the third parties receiving the personal information and (4) the website's purpose for collecting or selling such information.
California consumers also have the right to know specific pieces of personal information you have collected (not just the categories), to receive copies of their personal information in a "readily usable format" that is also portable, free of charge and delivered within 45 days of their request, and to request the deletion of their personal information collected. Businesses are required to offer at least two separate methods (such as email and snail mail) by which consumers can make portability and deletion requests.
So what can a small business do to comply with CCPA? Doing nothing may be an option for the short term, but not for very long. There are four things a small business should consider doing today if it does a significant volume of business in California:
— Put a "Do Not Sell My Data" button on the home page. This is easy and inexpensive to do and is the first thing California regulators will look for if they are viewing your site.
— Require customers who visit your home page to opt in to the placement of cookies on their computers by clicking on a pop-up banner.
Once you've taken these steps, consider adopting CCPA-friendly policies for all your customers. Like it or not, it's the way things are going, and people hate it if they think other people have more rights than they do.
Cliff Ennico ([email protected]) is a syndicated columnist, author and former host of the PBS television series "Money Hunt." This column is no substitute for legal, tax or financial advice, which can be furnished only by a qualified professional licensed in your state. To find out more about Cliff Ennico and other Creators Syndicate writers and cartoonists, visit our webpage at www.creators.com.
Photo credit: fancycrave1 at Pixabay