If you're starting a business located in California or serving its residents, you may (and likely will) fall under the scope of the state's privacy laws. This includes the California Consumer Privacy Act (CCPA). Even if you don't fall under the law yet, you might eventually as your business expands, so it pays to plan ahead.
Here's what you need to know for making sure your startup complies with the CCPA.
(Please note that the CCPA was amended by the CPRA, which expanded the CCPA in a number of ways. The CPRA expansion took effect on Jan 1, 2023.)
- 1. Who the CCPA (CPRA) Applies to
- 2. CCPA (CPRA) Consumer Rights
- 3. Complying with the CCPA (CPRA)
- 3.1. Organize Your Data
- 3.2. Give Information When Collecting Data
- 3.3. Give General Information
- 3.4. Handle Data Access Requests
- 3.5. Comply With 'Do Not Sell' Rules
- 4. CCPA (CPRA) Penalties and Procedures
- 5. How the CCPA Was Amended by the CPRA
- 6. Other Data Privacy Laws
- 6.1. Children's Online Privacy Protection Act (COPPA)
- 6.2. General Data Protection Regulation (GDPR)
- 6.3. New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD)
- 7. Summary
Who the CCPA (CPRA) Applies to
The CCPA (CPRA) applies if you meet any of the following three thresholds:
- Your annual worldwide revenue exceeds $25 million
- You buy, sell or disclose data about 100,000 or more consumers, households or devices in California in the same year
- At least 50% of your annual revenue comes from selling or sharing data about Californian consumers
If the CCPA doesn't apply to you, you could still have to comply with some other data protection laws. We've covered these at the end of this article.
CCPA (CPRA) Consumer Rights
The purpose of the CCPA (CPRA) is to establish and uphold consumer privacy rights. That means regulators and judges will refer back to these rights when settling any ambiguity about specific measures in the law. The rights are as follows:
- To know what personal information you collect about them
- To be able to access, review and correct the information you collect
- To know if you sell or share their information and, if so, with whom
- To stop you from selling their personal information
- To get equal access to your services (with no price increase) even if they exercise these rights
- To limit the use of sensitive personal information
- To request that you, and anyone you've shared personal information with, delete the information
- To opt out of automated decision-making
Make sure you let consumers know about their rights, and also make sure you're able to facilitate them when consumers wish to exercise any of these rights.
Complying with the CCPA (CPRA)
The CCPA (CPRA) covers a wide range of measures that businesses need to take, though it really comes down to:
- Keeping track of the data you handle
- Letting customers know what you do with data (both specifically theirs and data in general)
- Respecting their request not to sell their data
Let's break down what you need to do.
Organize Your Data
Most of your responsibilities under the CCPA (CPRA) involve detailing whether you take certain actions with data from a particular category. The law sets out the following 12 categories:
- Identifiers (names, addresses and ID numbers)
- Personal information as defined by section 1798.80(e) of the California code. (This partly overlaps with the first category, identifiers, but also adds things like education, employment history and financial information)
- Information about characteristics protected by federal or California law (such as race, religion or gender)
- Commercial information (such as purchase history)
- Biometric information
- Internet information such as search history
- Geolocation information
- Audio, electronic, olfactory, thermal or visual information
- Employment information
- Education information that isn't publicly available
- Inferred information for profiling (such as a customer having a preference for a particular type of product)
- Sensitive personal information
As a startup company that serves California, it's well worth setting up your databases and records to organize or tag your records using these categories. This will make future compliance far simpler.
Give Information When Collecting Data
When you collect personal information from a consumer you must tell them:
- Which category or categories the data falls into
- The purpose (or purposes) for which you'll use the data
- How long you plan to keep the data
Remember that this applies to the specific information which you are gathering from the consumer.
Give General Information
For each of the categories you must list:
- Whether you've collected any consumer data in the previous 12 months
- Whether you've sold any consumer data in the previous 12 months
- Whether you've disclosed any consumer data in the previous 12 months
You must review and update these lists at least once every 12 months.
Gannett gives examples of the data it may have collected in each category. This errs on the side of caution, though a more company-specific, and therefore more accurate, list might be more useful for consumers.
As well as these lists, you should list the rights that the CCPA (CPRA) gives consumers, plus details of how they can contact you to exercise these rights.
Aquatalia, for example, offers two ways for consumers to contact it about these rights.
Handle Data Access Requests
While your website lists your overall use of data in the previous 12 months, consumers also have the right to ask how you've used their personal data during that time. You must set up your records and procedures so that you can respond accurately to such requests, normally within 45 days. (You can take up to 90 days if it's necessary to do so, as long as you warn the user about the delay within the original 45-day deadline.)
When you respond to a data access request you must tell the consumer:
- The categories covering their information that you've collected, sold or disclosed
- The specific information you have
- Where you got the information from
- Why you used the information
- Who you've shared the information with (if anyone)
Comply With 'Do Not Sell' Rules
The CCPA (CPRA) says you must create a dedicated opt-out web page where consumers can tell you not to sell their data. It's an opt-out decision so technically you can sell consumer data until they tell you to stop.
At the least, this page must have a toll-free number for making the opt-out request. It's best to offer an alternative method as well such as contact details for sending a request or, ideally, an online form.
You must link to this page using the specific text "Do Not Sell My Personal Information." This link must appear:
- On your website
- In a dedicated section on California privacy rights (if you have one)
The Atlantic includes the link in its footer menu so it appears on every page.
When users click these links, they should be taken to an informative page with options for opting out of the sale of their personal information.
CCPA (CPRA) Penalties and Procedures
You could face three different types of penalties for violating the CCPA (CPRA):
- The Attorney General can give you 30 days to fix a violation and then fine you up to $7,500 for each violation you don't fix.
- Individuals can report a violation involving their personal data to the Attorney General. If the Attorney General doesn't take action, the individual can sue you in civil court.
- If you suffer a data breach and hadn't adequately secured the data, individuals can sue you in civil court. If they win, the court can order you to pay damages of between $100 and $750 per consumer without the consumer having to prove actual financial damage. The court can order you to pay the actual financial damages for a consumer if they exceed $750.
How the CCPA Was Amended by the CPRA
In November 2020 Californians voted in favor of a ballot measure to introduce a new law, the California Privacy Rights Act (CPRA). This amends and builds on the measures of the CCPA. Most CPRA measures took effect from the start of 2023.
Eligibility changed as follows:
- The "customer number" threshold doubled from 50,000 to 100,000 Californian people or households, with devices no longer counting.
- The "business type" threshold expanded from 50% of revenue coming from selling personal information about Californians to 50% of revenue coming from passing on such information in any way (even without payment) or even simply making it available.
- The $25 million annual revenue threshold remains the same.
Remember that the rules apply if you meet any of the three thresholds.
Other changes with the CPRA include the following:
- Sensitive personal information has added protections. You must get opt-in consent before using or disclosing such information and people must have the right to withdraw this consent and opt out. You must only use this information for the specified purpose.
- The right to opt out of you sharing personal information now specifically covers "cross-context behavioral advertising" even if you aren't being paid for the information.
- A new organization, the California Privacy Protection Agency, took over enforcement from the state Attorney General. It will have the right to order businesses to audit or risk-assess their data procedures.
The CPRA also gave consumers the following new rights:
- To correct their data
- To know if you use automated decision making such as profiling and to opt out.
- To restrict the way you disclose sensitive information, for example to only use it for providing requested goods or services. (Businesses that use such information in other ways must add a "Limit The Use Of My Sensitive Personal Information" page that links to a dedicated page where people can exercise this right.)
- To not only ask you to delete their data but to pass on the request to any third party to which you disclosed the data.
- To ask you to pass on their data to a third party in a machine-readable format. (For example, to transfer their data to use on a competing service.)
Other Data Privacy Laws
Even if you don't meet the CCPA (CPRA) thresholds, your start-up business may come under several other state, national and international privacy laws. Key ones to watch out for include the following.
Children's Online Privacy Protection Act (COPPA)
COPPA is a U.S. federal law that applies if you run a website or online service (such as an app) and either you know you collect personal information about children aged under 13, or you aim your content at children aged under 13.
If COPPA applies you must post a privacy notice and get verifiable consent from parents or guardians before collecting personal information about children aged under 13.
General Data Protection Regulation (GDPR)
The GDPR applies if you are either based in a European Union country, or you process data about somebody in the EU.
The GDPR requires that you only process personal data if a specific legal basis applies, most commonly that the data subject has actively consented or that you have "legitimate interests" in processing the data that don't outweigh the data subject's rights.
New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD)
NY SHIELD is a state law that applies if you handle private information about New York state residents, even if you don't physically operate in the state.
The law says you must have a data security program, use technical, physical and organizational safeguards, and inform data subjects and state officials about any data breach.
Summary
Let's recap what you need to know about privacy laws when starting a business:
- The CCPA (CPRA) applies if you meet annual thresholds on revenue (more than $25 million), data records (100,000 Californians) or business type (at least half from selling or sharing data about Californians).
- If the CCPA (CPRA) applies you'll need to organize your records so you know how you use personal data in 12 specific categories.
- When you collect personal data you must tell the consumer which categories cover the data and how you'll use it.
- Your website must list whether you've collected, sold or disclosed data in each category in the past 12 months.
- Customers have the right to ask what data you've collected about them, where you got it, why you used it and who you've shared it with.
- Your website must have a page for consumers to opt out of you selling their data. You must link to this from your homepage with the link text "Do Not Sell My Personal Information."
- The CPRA added a 12th category, sensitive personal information. You cannot collect this without getting prior consent, which can be withdrawn later. Consumers can insist you only use this information for a specific narrow purpose.
- Other data laws may apply to your start-up business. These include COPPA, the GDPR and the NY SHIELD Act.