The continued focus on privacy and on your rights to your own data and personal information has made managing a website much more complex. The California Consumer Privacy Act (CCPA) has raised the question of whether the measures companies implemented to comply with the General Data Protection Regulation (GDPR) will also satisfy the CCPA. Unfortunately, no.
Since we’re not a law firm, please take any information in this post as just our breakdown of the act, not legal advice. If you have further needs we suggest you discuss with your legal representative.
For a clear breakdown tailored to your specific needs, I highly suggest reviewing the act itself and the easier-to-digest summary published by the IAB.
You need to comply if the following is applicable to your business:
Companies that do business in California, regardless of where they are located, must comply with the law if they exceed any one of the following thresholds: (i) have annual gross revenues in excess of $25 million; (ii) buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (iii) derive 50% or more of their annual revenues from "selling" consumers' personal information.
For most, if not all, of our clients:
They don't sell personal information
They do make over $25 million in annual gross revenues (it's unclear at the moment whether that threshold applies to California revenue only or to global revenue)
They do not buy, sell, receive, or share personal information for commercial purposes
They do not derive 50% or more of their revenue from selling any information
That being the case, there isn't much that needs to be done for you to comply with the act. If you're up to speed on GDPR you're probably close, but you need to add a bit more to your privacy policy.
For the most part, you need to add a link titled "Do Not Sell My Personal Information" that goes to an opt-out form on your site. The act requires that link on your homepage rather than in the footer specifically, but putting it in the site-wide footer covers the homepage and every other page as well.
Details: Any business that collects a consumer's personal information must, at or before the point of collection, inform the consumer of (i) the categories of personal information to be collected; (ii) the purposes for which that personal information will be used; (iii) a description of the consumer's rights under the Act, including a "clear and conspicuous" opportunity to opt out of the sale of his or her personal information; and (iv) the designated methods for submitting privacy inquiries and requests, including, at a minimum, a toll-free telephone number and a website address. These general disclosures must be made in the business's online privacy policy and in any California-specific description of a consumer's privacy rights, and must be updated at least once every 12 months. The clear and conspicuous opt-out must be titled "Do Not Sell My Personal Information" and must be included on the business's homepage.
Additionally, your privacy policy should define what data is collected, which third parties you share that data with (Google Analytics, Mailchimp, etc.), how you use it, and how to opt out.
Your opt-out should offer an email address, a contact form, and a phone number. A great example is the one on the IAB site. You should also state whether or not your site is intended for children. If it is, say so, and connect with your legal team on what those additional requirements are.
Take a look at our own policy and feel free to borrow from it when updating your own: https://www.kwallcompany.com/privacy-policy
Any questions? Let us know; we'd love to help.