The California Consumer Privacy Act of 2018 (CCPA) went into effect on January 1, 2020. It is the first law ensuring personal online privacy to be implemented in the U.S. Any "business" with an online presence, anywhere in the world, will have to comply with the California Consumer Privacy Act if it receives personal data from any California residents or has gross revenues over $25 million.
Business is defined in the act as a "sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners … that does business in the State of California." The new law does not appear to apply to nonprofits.
This new law will have far-reaching effects for businesses with websites, not only because one in eight people in the United States is a California resident, but also because the Internet really has no boundaries.
Essentially, the law says that customers can have some control over the information that the websites they visit collect about them. "Businesses will have to treat that information more like it's information that belongs, is owned by and controlled by the consumer," according to California Attorney General Xavier Becerra, "rather than data that, because it's in possession of the company, belongs to the company."
Who the Law Applies To
According to the International Association of Privacy Professionals (IAPP), a business (as defined above) must meet at least one of the following criteria for the law to apply to it:
- Have $25 million or more in annual revenue
- Possess the personal data of more than 50,000 "consumers, households, or devices"
- Earn more than half of its annual revenue selling consumers' personal data
What the CCPA Requires
Websites of businesses that collect personal data from any California residents and exchange it for money or other compensation must provide a clear and conspicuous "Do Not Sell My Personal Information" link on their homepage. This link must direct users to an interactive web form enabling customers to opt out of the sale of their personal information, get access to all the data collected about them, have all or some of it deleted, and request portability — to have their data provided to them. Businesses on the web must comply with such requests within 45 days.
Compliance with the CCPA
Businesses subject to the CCPA and that have websites will need to
- Update their privacy policies and educate their customers or constituents through outreach channels such as email or social media.
- Add a "Do Not Sell My Personal Information" link on their homepage.
- Provide a toll-free telephone number for data requests.
- Have well-defined and documented processes to ensure that data requests are handled properly.
- Implement processes to obtain parental or guardian consent before sharing the data of website users under 13 years of age, and the affirmative consent of minors between 13 and 16 years of age before sharing theirs.
The CCPA is generally regarded as a work in progress, with implementation and enforcement rules yet to be fully developed. The new law allows California consumers to sue companies that suffer data breaches involving their data. It does not allow consumers to sue companies that sell their data.
The law does not apply to government entities. They can collect data, sell it, and decline to let consumers opt out. They also can't be sued for data breaches.
The CCPA's definition of personal information does not include any data that is already lawfully made publicly available from federal, state, or local government records. A number of additional exceptions are carved out in the act, related to existing restrictions under conflicting or related state and federal laws.
The Bottom Line
For nonprofits and libraries, meeting the CCPA requirements is, for all practical purposes, probably not necessary. But several states are expected to follow this trend, and companies like Microsoft have said they will honor the data rights in the California law for customers nationwide.
- Read about the European privacy regulation, GDPR.
- Ask What Type of Data Should My Nonprofit or Foundation Collect?
- See the webinar Security and Privacy: What Nonprofits Need to Know.