The California Consumer Protection Act: What E-Commerce Merchants Need to Know
The California Consumer Protection Act (CCPA) will go into effect January 1, 2020. If your business collects, purchases, or uses the personal data of California residents in any way, the CCPA will dramatically impact your operations.
Whether your business is based in Los Angeles, Louisville, or London, here’s what you need to know about this game-changing new law and its important ramifications.
Even if you think your business is exempt from the CCPA, it may be worth at least familiarizing yourself with its stipulations. Boasting the nation’s largest population and the planet’s fifth-largest economy, California has an outsized influence in business, culture, and world events. What happens in California – the decisions of its state government, the actions of its corporations, the ideas of its influential people – resonates around the globe.
Notably, multiple other states have CCPA-inspired bills in the works, including New York, Massachusetts, and Maryland. Sooner or later, chances are your business will be affected by this trend.
In this article, we’ll explain the major requirements of the California Consumer Privacy Act, help you determine if the law applies to your e-commerce business, and offer guidance on compliance.
What Is the California Consumer Privacy Act?
The CCPA was signed into state law by former California governor Jerry Brown on June 28, 2018, amid increasing concern from consumers over how companies use and sell their personal data.
The CCPA grants California residents certain rights concerning the personal information they share with for-profit organizations online, including the right to:
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed, and to whom.
- Say no to the sale of personal information.
- Access their personal information.
- Have access to equal service and prices, even if they choose to exercise their privacy rights as defined in the CCPA.
The law defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This information can include (but is not limited to):
- Real names and aliases
- Email addresses
- Social security, driver’s license, and passport numbers
- Records of products or services purchased
- Browsing or search history
- Geolocation data
- Employment information
- “Inferences drawn from any of the information” identified in the CCPA to “create a profile about a consumer.”
What Companies Must Comply With the CCPA?
The CCPA applies to any for-profit entity that does business in California and either collects the personal information of California consumers or uses another organization to collect the information on its behalf. Additionally, the entity must meet at least one of the following criteria:
- Has annual gross revenue over $25 million.
- Receives, buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices in California.
- Gets more than half of its revenue from selling the personal information of Californians.
What exactly does it mean to “do business” in California? The legislation is silent on that point. Most experts speculate that having a physical presence, employees, or licenses in California certainly qualify.
We won’t know for sure until the state attorney general clarifies the matter, but e-commerce businesses that sell to customers in California may be subject to the CCPA.
If you’re not sure if your business qualifies, or even if you think it doesn’t, it may be best to check with an attorney. California has a population of nearly 40 million; you may be doing business in California in ways you haven’t thought about.
Certainly, California’s tech behemoths – Facebook, Google, Apple – easily meet the thresholds for CCPA compliance. But if you think your business is too small to worry about CCPA, take another look at the second criterion above. As one lawyer calculated, if your website gets just 137 unique visitors a day, in a year you’ll have collected data on 50,000 consumers.
It’s also worth pointing out that even if your business is not obligated to comply with the CCPA, consumers are getting serious about data privacy. Many (if not most) consumers expect online businesses to protect their personal information simply as a matter of course. Complying with the CCPA and regulations like it may be good for your business. Transparency about how you handle personal data can boost your customers’ confidence in your business and keep them coming back.
What Are the Main Provisions of the CCPA?
At over 10,000 words long, the California Consumer Privacy Act is too detailed for us to offer an exhaustive explanation of how it applies to your business, specifically.
The law has much in common with the European Union’s General Data Protection Regulation (GDPR), which applies to any organization that handles the personal information of EU residents.
Therefore, if you’re already compliant with the GDPR, you’re nearly or entirely compliant with the CCPA.
Here, in broad strokes, is what the CCPA will require of your online business:
The CCPA gives California consumers the right to request certain information from your business pertaining to your use of their personal information. Upon receiving a “verifiable consumer request,” you must disclose promptly and free of charge:
- The categories of personal information you have collected about the consumer.
- The categories of sources from which the personal information was collected.
- The business or commercial purpose for collecting or selling the information.
- The categories of third parties with whom your business shared the personal information.
- The specific pieces of personal information your business collected about that consumer.
Under the CCPA, consumers have the right to request this kind of information twice in 12 months, and they can request information stretching back to 12 months before the request. In other words, you should maintain your records concerning your use of personal information for at least a year.
As for format, the CCPA says, “The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.”
Your business must make available two or more designated methods for submitting information requests, including a toll-free phone number. If your business has a website, you must also have a web address for submitting requests.
The CCPA also stipulates that you must inform consumers “at or before the point of collection” about the categories of personal information to be collected and how your business will use the information. Your business may not collect additional categories of information without notifying consumers.
- An explanation of consumer rights under the CCPA, including how to request access to personal information.
- A list of the categories of personal information your business has collected in the preceding 12 months.
- A list of the categories of personal information your business has disclosed for business purposes or sold in the preceding 12 months.
California consumers will have the right to request the deletion of any and all the personal information your business has collected on them. The deletion request process is similar to the process for requesting information. Upon receiving a verifiable consumer request, you must “delete the consumer’s personal information from [your] records and direct any service providers to delete the consumer’s personal information from their records.”
There are a few exceptions, however. For example, if you need the personal information to complete a transaction or fulfill a contract with the consumer, you will not be required to comply with the deletion request. Read section 1798.105 of the California Consumer Privacy Act for a full list of exceptions.
The CCPA gives consumers the right to tell your business at any time not to sell their personal information. If you receive an opt-out request from a consumer, your business will be immediately prohibited from selling that consumer’s information.
Your website must also include “a clear and conspicuous link” on your homepage that directs consumers to a page where they can opt out of the sale of their personal information. The link should read, “Do Not Sell My Personal Information.” Consumers should not have to create an account to opt out.
In addition, any consumer under 16 must “opt in” to the sale of their personal information. In the case of consumers under 13, the consumer’s parent or guardian must give you permission.
What Are the Penalties for Non-Compliance With the CCPA?
If your e-commerce business is found to be in violation of the California Consumer Privacy Act, you will not immediately be liable for penalties. The law gives businesses 30 days after receiving a notice of noncompliance to remedy the situation. If your business fails to fix the problem within 30 days, you will face a civil penalty of up to $2,500 per violation, as set by California’s Business and Professions Code.
Intentional violations have a higher cap of $7,500 per incident.
Because CCPA fines are determined on a per-violation basis, they can pile up. In extreme cases, they may well reach millions or even billions of dollars. The International Association of Privacy Professionals calculated how much Facebook’s Cambridge Analytica scandal would have cost the firm in terms of CCPA fines: $61.6 billion for unintentional violations and $184.7 billion for intentional violations. (Remember, California’s population is enormous.)
The CCPA also gives consumers the right to take civil action against your firm. Consumers can recover damages between $100 and $750 per violation.
How Does the CCPA Differ from the GDPR?
The CCPA is referred to in some circles as “America’s GDPR,” but there are some important differences between the laws.
Notably, the CCPA is somewhat less strict. For example, the GDPR requires opt-in consent for any use of personal information. The CCPA, on the other hand, only requires that you make opting out clear and available.
You can find a point-by-point comparison of the CCPA and the GDPR here.
As your e-commerce business prepares for the CCPA, it’s an opportune time to revisit your GDPR compliance. Penalties for violating the GDPR can run even higher than CCPA fines, so compliance with both sets of regulations is an essential risk-avoidance strategy.
How Should E-Commerce Businesses Prepare for the CCPA?
It’s inevitable that e-commerce businesses will compile personal information on their customers. But the first day of 2020 is less than six months away, so there’s still time to get ready for the debut of the California Consumer Privacy Act.
If you haven’t already, your first step should be to read through the law to determine which aspects apply to your business, which regulations you’re prepared for, and which rules you need to prepare for. It may be useful to appoint a “CCPA czar” at your business to coordinate preparations.
Essential steps include:
- Placing a “Do Not Sell My Personal Information” link on your homepage.
- Ensuring you have records of your business’s use of customer personal information going back a year or more.
- Establishing an efficient and compliant procedure for responding to consumer requests for information and deletion requests.
- Making sure all third parties who use or process your customers’ personal information on your behalf are CCPA-compliant.
Additionally, assess the personal information your business collects and deciding what is essential and what is unnecessary. For example, do you really need to know where your customers work? Do you need phone numbers, or are email addresses enough?
If your business buys or sells user information, and if this is not a core element of your revenue stream, you might want to discontinue the practice. While the CCPA does not forbid dealing in personal information, the more information you collect, share, buy, and sell, you may find yourself having to respond more frequently to burdensome information requests.
Alternatively, you can stay under the threshold for CCPA compliance by ensuring you only buy, sell, or share the personal information of fewer than 50,000 consumers per year.
Ultimately, similar to complying with the GDPR, the most efficient approach to CCPA compliance may be to treat all your customers as if they live in California, even if they don’t. Dual levels of privacy – one for California residents and one for everyone else – may get complicated.
ClearSale: Your Privacy and Fraud Protection Partner
The California Consumer Privacy Act exists because of an understandable desire among consumers to maintain control of their personal data. Some consumers are more comfortable than others allowing businesses to store, share, buy, and sell their personal information. But nobody wants their data to fall into the hands of criminals who may use the information to defraud businesses and consumers.
A robust fraud protection solution will help your customers feel safe buying from your business. ClearSale is a global leader in fraud protection, with over 16 years of experience in preventing fraudulent chargebacks and false declines, enabling merchants to accept more orders and increase their revenue.
Contact us today to learn why companies around the world put their trust in ClearSale.