The California Consumer Privacy Act raises the bar for privacy protection in the United States. The act serves up penalties for businesses that fail to comply or that incur a data breach.
Passed and amended in 2018, the CCPA takes effect on January 1, 2020.
The law has been called “GDPR lite” for its similarities to the European Union’s General Data Protection Regulation. While it does not go as far as the GDPR in some areas and is less complex, the CCPA does provide relatively broad definitions in other areas, such as expanding the GDPR concept of the right to delete data.
The CCPA is a significant step toward protecting consumer data, including the personal information most every ecommerce company collects.
An ecommerce business does not have to be located in California to be subject to the CCPA. Rather, the law covers California residents even when they purchase online. Thus, an ecommerce store based in Michigan would still be subject to the CCPA if it sold products to a shopper living in California.
There are similar precedents in both the GDPR and in U.S. online sales taxes. In the case of the former, even U.S.-based websites must comply with the GDPR for E.U. residents. And in the latter, a Wisconsin-based omnichannel retailer, for example, may still need to collect sales tax for the state of California when a California resident buys online.
So it’s not surprising that an ecommerce business that sells to California residents is subject to at least some California laws.
The CCPA sets thresholds to protect small and mid-sized companies. A company is only subject to the CCPA if it is for-profit and if it meets at least one of the following three thresholds:
- Annual sales above $25 million,
- Handles “the personal information of 50,000 or more consumers, households, or devices,”
- “Derives 50 percent or more of its annual revenue from selling consumers’ personal information.”
The thresholds serve to exempt many ecommerce companies. Most do not derive half or more of their revenue from selling shoppers’ personal information. Likewise, many ecommerce businesses have less than $25 million in annual sales.
The threshold most likely to affect ecommerce companies is the 50,000-consumer rule. It could apply to every site visitor, regardless of whether he or she made a purchase. And 50,000 consumers per year translates to an average of just 137 unique visitors a day. An ecommerce company with vigorous pay-per-click marketing campaigns could easily drive more than 137 daily unique visitors.
The “Californians for Consumer Privacy” website makes salient points about the purpose of the CCPA.
- California’s consumers own and control their personal information.
- Businesses are responsible for safeguarding personal information.
- Large businesses are accountable (may pay fines) for failure to protect personal information.
These concepts lead to five personal information rights. Specifically, a California resident has a right to:
- Access his or her personal information,
- Have personal information deleted,
- Know what personal information a company has collected or sold,
- Opt out or opt in, and not be bugged after opting out,
- Not have his or her personal information disclosed.
Each of these rights may require companies, including ecommerce businesses, to change or adjust notifications, reporting, and responses.
Complying with the CCPA may be relatively easy thanks to the GDPR. While there are differences in definitions and requirements, companies that have already worked to comply with the GDPR should be well-positioned to comply with the CCPA.
For example, an ecommerce business that has established the means for receiving and responding to complaints under the GDPR may only need to make minor changes for the CCPA. Similarly, these companies should have policies to report the personal data collected in accordance with the GDPR. While the CCPA has a broader definition of personal information than the GDPR, the process for reporting is similar.
Even ecommerce companies that did not have to comply with the GDPR will benefit from related software tools and services since many of these tools and services can be easily adapted to the CCPA.
Ecommerce companies should take the time to determine whether the CCPA applies to them. If it does, do more research and learn what the CCPA requires. The following resources are a good starting point:
- Californians for Consumer Privacy.
- California Department of Justice CCPA page.
- Assembly Bill 375 (the CCPA text).
- “California’s new data privacy law could change the internet in the US,” CNBC.
- “What is a ‘business’ under CCPA?,” by Lydia F. de la Torre.
- “California Consumer Privacy Act: Are You Prepared for 2020?,” an Infosec video.