California Consumer Privacy Protection Act

In 2018 we helped you navigate the implementation of the General Data Protection Regulation (GDPR). Now we are here to help you comply with the California Consumer Privacy Act (CCPA). The new data privacy law establishes new consumer rights for California state residents relating to the access, deletion, and sharing of personal information collected by businesses. The law applies to any companies that do business in California and meet one of several criteria related to revenue, data processing, and other factors.

Preparing for the California Consumer Privacy Act

While the CCPA doesn’t have some of the requirements of the GDPR, such as reporting a breach within 72 hours, it seems to take a broader view than the GDPR of what constitutes private data. The law is scheduled to take effect on January 1, 2020.

What is the CCPA?

The CCPA provides California residents the right to know the personal data collected about them and whether that data is being sold or disclosed and to whom. California residents may say no to the sale of personal data, have access to their personal data, and request a business to delete any personal information collected from them.

The CCPA applies to any business which does business in California and meets one of the following:

  • Has at least $25 million in annual revenue
  • Possesses the personal information of 50,000 or more consumers
  • Earns more than half of its annual revenue from selling consumers’ personal information

A business does not need to be based in California, or even have a physical presence there, to fall under the law.

The CCPA does recognize certain exceptions to the definition of “sale” when it comes to the transfer of personal information, and not every transfer indicates a sale. For example, transferring personal information to a “service provider” is not considered a sale under the law.

Responsibility for Businesses

Businesses must disclose data collection and sharing practices to consumers and allow consumers to choose not to have their data shared with third parties. This means companies will need the ability to separate the data they collect according to users’ privacy choices. Under the CCPA, businesses cannot sell personal information of consumers under the age of 16 without explicit consent. They will need to implement processes to obtain the consent of minors between 13 and 16 years of age and obtain parental or guardian consent for minors under 13 years of age.

Websites need to include a link for visitors to opt out of the sale of their personal information. For this, the law specifies that companies must have a clearly visible footer on their website, offering consumers the option to opt out of data sharing. A method for submitting data access requests needs to be implemented. Updating privacy policies with the new required information, including a description of California residents’ rights, will be necessary. Businesses also need to ensure they don’t request an opt-in consent from a California resident for 12 months after they opt out.

Using Restricted Data Processing for Compliance

The CCPA takes a broad approach to what constitutes personal information, going so far as to include biometric and olfactory information. According to the CCPA, personal information includes information that identifies, describes, or has links to a particular consumer or household. This identifying information might be a real name, alias, postal address, IP address, email address, or a number of other identifiers.

Google offers restricted data processing to help advertisers, publishers, and partners meet their CCPA compliance needs. With restricted data processing, Google will act as your service provider. While providing certain services to you, including ad delivery, reporting and measurement, security and fraud detection, and others, Google will restrict how it uses certain unique identifiers and other data.

Restricted data processing will operate differently across various Google products.  

While many Google products already operate using restricted data processing, other products will require action to enable this feature. When operating under restricted data processing, some features and functionalities of Ad Manager and Ad Manager 360, AdMob, AdSense, and Google Ads will not be available.

While some businesses may choose to enable restricted data processing for all users in California, others may decide to enable it on a per-user basis after someone has chosen to opt out. However, restricted data processing does not extend to the sending or disclosure of data to third parties. Businesses must ensure that they’ve taken all measures with respect to third parties as required to meet CCPA compliance. In fact, it’s important that advertisers, publishers, and partners all individually ensure that their use of all Google products and services meets their CCPA compliance requirements.

How Can We Help?

Could your company benefit from a complimentary web analysis? We’ll take a look at your website, social presence, and competitive landscape and see where we can help you grow. At Vende Social, we help B2Bs develop winning online solutions.