In terms of data, if 2018 was the year of GDPR, 2019 has become the year of CCPA. This guide aims to break down what bloggers and influencers need to know about CCPA compliance.
What Is CCPA?
CCPA is the California Consumer Privacy Act. While they are not identical, think of it as similar to GDPR, but for residents of California. The goal of the act is to give California residents greater control over the sale of their data.
The law passed in 2018 and has gone through an amendment period that lasted until the fall of 2019. Businesses have until January 1, 2020 to become compliant.
Note: If you are already GDPR-compliant, that doesn't mean that you are CCPA-compliant. They are similar, but not identical, so make sure you know if CCPA applies to your business and what changes you may need to make.
Who Must Comply with CCPA?
First, remember, even if you are not located in California, you may still need to be CCPA-compliant.
To determine if you need to be compliant, you have to apply the CCPA definition of “business” to your business, which states:
“Business” means:
A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumer's personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)…
(B) Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers' personal information.
If you have a website, you likely meet the criteria in the first paragraph. Most websites capture personal information under the definitions provided in the act. This means you need to determine whether you must comply under the thresholds presented.
Most bloggers and influencers likely don't qualify under A or C, so that leaves us with Section B. To determine if you qualify, you will need to consider your traffic and the visitors to your website.
Do you have more than 50,000 visitors from California in a year? If you aren't sure, check Google Analytics. Here's how to check:
- Click on Audience
- Click on Overview
- In the top right, enter a date range for the past twelve months
- Scroll down to the demographics section
- Click on Country
- Click on United States
- Look at your sessions and users from California
If you've had more than 50,000 or you are very close to that threshold, then you need to consider if you are buying, receiving for your business's commercial purposes, selling, or sharing for commercial purposes, the personal information of these California residents.
For example, if you are:
- Using certain personalized display ads;
- Using the Facebook pixel; or,
- Using certain analytics.*
Then you likely need to ensure you are CCPA-compliant.
*Please note, this list is not exhaustive, so you will need to consider your business on an individual basis.
Am I Really Selling Their Information?
If you are reading this and thinking, wait, I am not selling anyone's information, this doesn't matter – keep reading. It's important to note that the legislation has a very broad definition of what constitutes selling or a sale. It means:
“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.”
Because of how broadly the statute was drafted, even things you wouldn't normally think of as a “sale” may fall under the definition.
Service Provider Exception
There is a narrow exception carved out for Service Providers, which may process your business's information on your behalf and do not share it with any other third parties. An example of this may be your email service provider or a course platform, like Kajabi or Thinkific.
Check with the vendors you work with to determine if they are a Service Provider under CCPA.
How to Comply with CCPA?
1. You Must Offer Certain Rights to California Residents
Right to Access
Under CCPA, California residents may submit a verifiable consumer request to access the personal information you have collected about them in the past 12 months. You have 45 days after the submission of the request to disclose:
- The categories of personal information you collected;
- The categories of personal information you sold;
- The categories of any third parties to whom you have sold their personal information;
- A list of which categories of their personal information you sold to each party; and,
- The categories of their personal information you disclose for business purposes.
Right to Delete
Additionally, a California resident may submit a verifiable consumer request to delete their personal information.
Right to Non-Discrimination
CCPA also includes a right of non-discrimination, which means that you cannot:
- deny goods or services;
- charge different prices; or
- provide a different level of quality of goods or services
if someone exercises their rights.
2. You Must Have a Way for California Residents to Exercise Their Rights
You must provide an email address for someone to exercise their rights. If you have a physical location, you must also have a toll-free number.
3. Update Your Privacy Policy
You need to update your privacy policy to include:
- a description of the consumer's rights under CCPA;
- a list of the categories of personal information you collect, based upon the categories listed in the legislation, and how the information is disclosed/sold.
You can purchase a CCPA-compliant privacy policy in the Businessese Store.
(If you have purchased in the past, an updated version will be sent to you.)
4. Page to Opt-Out
If you do sell personal information, you will need a page on your site that allows users to opt out of the sale of their information. You will need to link this page in your privacy policy and on your home page.
What Happens if You Don't Comply?
If you don't comply, it could result in notices from the State of California and in fines.
Next Steps
- Determine if you qualify as a business under CCPA and whether or not you have to comply;
- Update your privacy policy;
- Determine how you will give California consumers the ability to opt out of the sale of their data. Depending on your website, you may want to explore plugins. As with GDPR, there are a few available now and they will only continue to improve.
As always, if you are not comfortable making the determination yourself about CCPA compliance or you are not comfortable using a DIY template, make sure you contact a lawyer for assistance.
Are We Going to Have to Do This Again Next Year?
I really wish I could tell you no, but we anticipate additional updates in the next few years as it relates to privacy and data. Nevada has already passed a more limited data law. (Don't worry, our privacy policy has also been updated for that.) Many other states have pending legislation. There have been bills introduced on a national level. Ideally, one of these bills will pass so that all states are consistent.