If you're starting a business located in California or serving its residents, you may fall under the scope of the state's privacy laws. This includes the existing California Consumer Privacy Act (CCPA). Even if you don't fall under the law yet, you might eventually as your business expands, so it pays to plan ahead.
Here's what you need to know for making sure your startup complies with the CCPA.
- 1. Who the CCPA Applies to
- 2. CCPA Consumer Rights
- 3. Complying with the CCPA
- 3.1. Organize Your Data
- 3.2. Give Information When Collecting Data
- 3.3. Give General Information
- 3.4. Handle Data Access Requests
- 3.5. Comply With 'Do Not Sell' Rules
- 4. CCPA Penalties and Procedures
- 5. The CCPA's Successor: The CPRA
- 6. Other Data Privacy Laws
- 6.1. Children's Online Privacy Protection Act (COPPA)
- 6.2. General Data Protection Regulation (GDPR)
- 6.3. New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD)
- 7. Summary
Who the CCPA Applies to
The CCPA applies if you meet any of the following three thresholds:
- Your annual worldwide revenue exceeds $25 million
- You buy, sell or disclose data about more than 50,000 consumers, households or devices in California in the same year
- At least 50% of your annual revenue comes from selling data about Californian consumers
Note that starting in 2023, the law will change so that the 50% threshold applies to revenue from sharing rather than simply selling personal information.
If the CCPA doesn't apply to you, you could still have to comply with some other data protection laws. We've covered these at the end of this article.
CCPA Consumer Rights
The purpose of the CCPA is to establish and uphold five consumer privacy rights. That means regulators and judges will refer back to these rights when settling any ambiguity about specific measures in the law. The rights are as follows:
- To know what personal information you collect about them
- To be able to access and review the information you collect
- To know if you sell or share their information and, if so, with whom
- To stop you selling their personal information
- To get equal access to your services (with no price increase) even if they exercise these rights
Make sure you let consumers know about their rights, and also make sure you're able to facilitate them when consumers wish to exert any of the rights.
Complying with the CCPA
The CCPA covers a wide range of measures that businesses need to take, though it really comes down to:
- Keeping track of the data you handle
- Letting customers know what you do with data (both specifically theirs and data in general)
- Respecting their request not to sell their data
Let's break down what you need to do.
Organize Your Data
Most of your responsibilities under the CCPA involve detailing whether you take certain actions with data from a particular category. The law sets out the following 11 categories:
- Identifiers (names, addresses and ID numbers)
- Personal information as defined by section 1798.80(e) of the California Civil Code. (This partly duplicates the identifiers category but also adds things like education, employment history and financial information)
- Information about characteristics protected by federal or California law (such as race, religion or gender)
- Commercial information (such as purchase history)
- Biometric information
- Internet information such as search history
- Geolocation information
- Audio, electronic, olfactory, thermal or visual information
- Employment information
- Education information that isn't publicly available
- Inferred information for profiling (such as a customer having a preference for a particular type of product)
As a startup company that serves California, it's well worth setting up your databases and records to organize or tag your records using these categories. This will make future compliance far simpler.
Note that for now the law only covers consumer information. Information you handle about your employees for human resources purposes and business-to-business information won't be covered until 2023.
Give Information When Collecting Data
When you collect personal information from a consumer you must tell them:
- Which category or categories the data falls into
- The purpose (or purposes) for which you'll use the data
Remember that this applies to the specific information which you are gathering from the consumer.
Give General Information
For each of the 11 categories you must list:
- Whether you've collected any consumer data in the previous 12 months
- Whether you've sold any consumer data in the previous 12 months
- Whether you've disclosed any consumer data in the previous 12 months
You must review and update these lists at least once every 12 months.
Gannett gives examples of the data it may have collected in each category. This errs on the side of caution, though a more company-specific, and therefore more accurate, list might be more useful for consumers:
As well as these lists, you should list the rights that the CCPA gives consumers, plus details of how they can contact you to exercise these rights.
Aquatalia offers two ways to do this:
Handle Data Access Requests
While your website lists your overall use of data in the previous 12 months, consumers also have the right to ask how you've used their personal data during that time. You must set up your records and procedures so that you can respond accurately to such requests, normally within 45 days. (You can take up to 90 days if it's necessary to do so, as long as you warn the user about the delay within the original 45-day deadline.)
When you respond to a data access request you must tell the consumer:
- The categories covering their information that you've collected, sold or disclosed
- The specific information you have
- Where you got the information from
- Why you used the information
- Who you've shared the information with (if anyone)
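As an added illustration (not code from the original article), here is a small Python model of the record-keeping the "Organize Your Data", "Give General Information" and "Handle Data Access Requests" sections describe: every processing event is tagged with one of the 11 categories, the trailing 12 months roll up into the per-category collected/sold/disclosed disclosure, an access-request reply is assembled from the same log, and the 45-day deadline (90 with a timely warning) is computed. The category labels, field names, reference date and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Short labels for the 11 CCPA categories in the article (labels are ours).
CATEGORIES = ("identifiers", "pi_1798_80e", "protected_chars", "commercial", "biometric",
              "internet", "geolocation", "sensory", "employment", "education", "inferences")
ACTIONS = ("collected", "sold", "disclosed")
TODAY = date(2022, 6, 1)  # constructed reference date for the sample below

@dataclass(frozen=True)
class ProcessingEvent:
    """One record of what the business did with one consumer's data."""
    consumer_id: str
    category: str
    action: str
    on: date
    source: str = ""     # where the data came from
    purpose: str = ""    # why it was used
    recipient: str = ""  # who received it (for sold/disclosed)
    def __post_init__(self):
        # Refuse untagged records: every event must map to one of the categories.
        if self.category not in CATEGORIES or self.action not in ACTIONS:
            raise ValueError(f"unknown category/action: {self.category}/{self.action}")

def within_12_months(events, today):
    return [e for e in events if e.on >= today - timedelta(days=365)]

def annual_disclosure(events, today):
    """Per-category collected/sold/disclosed flags for the trailing 12 months."""
    report = {c: {a: False for a in ACTIONS} for c in CATEGORIES}
    for e in within_12_months(events, today):
        report[e.category][e.action] = True
    return report

def access_request_response(events, consumer_id, today):
    # Categories, sources, purposes and recipients for one consumer's data.
    mine = [e for e in within_12_months(events, today) if e.consumer_id == consumer_id]
    return {"categories": sorted({e.category for e in mine}),
            "sources": sorted({e.source for e in mine if e.source}),
            "purposes": sorted({e.purpose for e in mine if e.purpose}),
            "recipients": sorted({e.recipient for e in mine if e.recipient})}

def response_deadline(received, extension_notified=False):
    """45 days by default; 90 if the consumer was warned of the delay within the first 45."""
    return received + timedelta(days=90 if extension_notified else 45)

# Constructed sample log: two consumers; the c-2 sale is older than 12 months.
SAMPLE_EVENTS = [ProcessingEvent(*row) for row in (
    ("c-1", "identifiers", "collected", date(2022, 3, 1), "signup form", "account creation", ""),
    ("c-1", "commercial", "disclosed", date(2022, 4, 2), "", "order fulfilment", "shipping partner"),
    ("c-2", "geolocation", "sold", date(2021, 1, 15), "", "ad targeting", "ad network"))]
```

The 365-day window is a simplification; a production log would also keep the specific data values, which the reply must include.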
Comply With 'Do Not Sell' Rules
The CCPA says you must create a dedicated opt-out web page where consumers can tell you not to sell their data. It's an opt-out decision so technically you can sell consumer data until they tell you to stop.
At the least, this page must have a toll-free number for making the opt-out request. It's best to offer an alternative method as well, such as contact details for sending a request or, ideally, an online form.
You must link to this page using the specific text "Do Not Sell My Personal Information." This link must appear:
- On your website
- In a dedicated section on California privacy rights (if you have one)
The Atlantic includes the link in its footer menu so it appears on every page:
When users click these links, they should be taken to an informative page with options for opting out of the sale of their personal information.
CCPA Penalties and Procedures
You could face three different types of penalties for violating the CCPA:
- The Attorney General can give you 30 days to fix a violation and then fine you up to $7,500 for each violation you don't fix.
- Individuals can report a violation involving their personal data to the Attorney General. If the Attorney General doesn't take action, the individual can sue you in civil court.
- If you suffer a data breach and hadn't adequately secured the data, individuals can sue you in civil court. If they win, the court can order you to pay damages of between $100 and $750 per consumer without the consumer having to prove actual financial damage. The court can order you to pay the actual financial damages for a consumer if they exceed $750.
The CCPA's Successor: The CPRA
In November 2020 Californians voted in favor of a ballot measure to introduce a new law, the California Privacy Rights Act (CPRA). This amends and builds on the measures of the CCPA. Most CPRA measures will take effect from the start of 2023 following a period of rulemaking, with enforcement starting in July 2023.
Eligibility will change as follows:
- The "customer number" threshold will double from 50,000 to 100,000 Californian people or households, with devices no longer counting.
- The "business type" threshold will expand from 50% of revenue coming from selling personal information about Californians to 50% of revenue coming from passing on such information in any way (even without payment) or even simply making it available.
- The $25 million annual revenue threshold remains the same.
Remember that the rules apply if you meet any of the three thresholds.
Other changes with the CPRA include the following:
- Sensitive personal information will have added protections. You must get opt-in consent before using or disclosing such information and people must have the right to withdraw this consent and opt out. You must only use this information for the specified purpose. Sensitive personal information will count as a 12th category when you list how you use data.
- The right to opt out of you sharing personal information now specifically covers "cross-context behavioral advertising" even if you aren't being paid for the information.
- A new organization, the California Privacy Protection Agency, will take over enforcement from the state Attorney General. It will have the right to order businesses to audit or risk assess their data procedures.
Customers have new rights under the CPRA:
- To correct their data
- To know if you use automated decision making such as profiling and to opt out.
- To restrict the way you disclose sensitive information, for example to only use it for providing requested goods or services. (Businesses that use such information in other ways must add a "Limit The Use Of My Sensitive Personal Information" page that links to a dedicated page where people can exercise this right.)
- To not only ask you to delete their data but to pass on the request to any third party to which you disclosed the data.
- To ask you to pass on their data to a third party in a machine-readable format. (For example, to transfer their data to use on a competing service.)
Other Data Privacy Laws
Even if you don't meet the CCPA thresholds, your start-up business may come under several other state, national and international privacy laws. Key ones to watch out for include the following.
Children's Online Privacy Protection Act (COPPA)
COPPA is a U.S. federal law that applies if you run a website or online service (such as an app) and either you know you collect personal information about children aged under 13, or you aim your content at children aged under 13.
If COPPA applies you must post a privacy notice and get verifiable consent from parents or guardians before collecting personal information about children aged under 13.
General Data Protection Regulation (GDPR)
The GDPR applies if you are either based in a European Union country, or you process data about somebody in the EU.
The GDPR requires that you only process personal data if a specific legal basis applies, most commonly that the data subject has actively consented or that you have "legitimate interests" in processing the data that don't outweigh the data subject's rights.
New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD)
NY SHIELD is a state law that applies if you handle private information about New York state residents, even if you don't physically operate in the state.
The law says you must have a data security program; use technical, physical and organizational safeguards, and inform data subjects and state officials about any data breach.
Summary
Let's recap what you need to know about privacy laws when starting a business:
- The CCPA applies if you meet annual thresholds on revenue (more than $25 million), data records (50,000 Californians) or business type (at least half from selling data about Californians).
- If CCPA applies you'll need to organize your records so you know how you use personal data in 11 specific categories.
- When you collect personal data you must tell the consumer which categories cover the data and how you'll use it.
- Your website must list whether you've collected, sold or disclosed data in each category in the past 12 months.
- Customers have the right to ask what data you've collected about them, where you got it, why you used it and who you've shared it with.
- Your website must have a page for consumers to opt out of you selling their data. You must link to this from your homepage with the link text "Do Not Sell My Personal Information."
- Violating the CCPA and failing to fix the violation can lead to fines of $7,500 per violation.
- If you don't secure data and suffer a breach you could have to pay damages up to $750 per consumer or more if they can prove financial harm.
- A new law, the CPRA, takes effect from 2023. It builds on the CCPA.
- The CPRA adds a 12th category, sensitive personal information. You cannot collect this without getting prior consent, which can be withdrawn later. Consumers can insist you only use this information for a specific narrow purpose.
- Other data laws may apply to your start-up business. These include COPPA, the GDPR and the NY SHIELD Act.