Is Your Website Prepared For The California Consumer Protection Law?
It's rare these days to find a company of any size that doesn't have a website. Not only are websites one of the most effective ways to establish an online presence, but they also act as a foundation for your online marketing strategies. Using your website, you can collect valuable data about your audience to help improve your marketing efforts, generate more leads, and close more sales. However, how businesses have collected user data over the years has generated significant controversy, ultimately resulting in the passing of the California Consumer Privacy Act (CCPA).
Now that the CCPA is in effect, you will need to take steps to ensure that you comply with the rules and regulations established in the CCPA. Failure to comply can result in a range of fines and can make your company vulnerable to potential consumer lawsuits. Here’s what you need to know about the CCPA and how your website can achieve and maintain CCPA compliance.
Get to Know The California Consumer Privacy Act
California consumers had little control over how websites were using their personal information. Many websites were collecting their data without their permission or their knowledge. While some websites were doing this simply to help improve their user experience, other websites were making a profit by selling this data to third parties. As a result, consumers in California signed a petition requesting that the state pass a law providing them with more data privacy protection online.
In 2018, the state passed the CCPA and, starting at the beginning of 2020, enacted numerous regulations to give consumers in California more protection and control over their data. But not all companies are required to comply. Your business has to meet certain criteria outlined by the CCPA. If you meet those criteria, then compliance will be required. The criteria as stated in the CCPA include:
- Only businesses that are collecting data from consumers in California are required to abide by the CCPA's rules and regulations. If your company is located outside of California but is collecting data from people inside California, then the CCPA still applies to you.
- If your business generates an annual gross revenue that exceeds $25 million, then the CCPA applies to you.
- If you have the personal information of more than 50,000 consumers, households, or devices in California, whether you've collected it yourself or bought it from another party, the CCPA applies to you.
- If your company earns more than 50 percent of its annual revenue from the sale of the consumer information that you're collecting from California consumers, then the CCPA applies to you.
If none of these criteria apply to you, then you are exempt from the rules and regulations of the CCPA. However, if any of these criteria do apply to your company, then compliance will be required. If you do not comply, you may receive a fine for every instance of non-compliance, and any consumer whose rights you may have violated will have the right to sue you.
What Are The Key Website Privacy Provisions In The CCPA?
There are several website privacy provisions in the CCPA that your website must abide by. These provisions apply to any data that you collect from users, including data that you're purchasing from third parties, behavioral data that you're automatically collecting, and personal information that consumers are willingly providing to you (such as via your web forms). These are the key provisions of the CCPA that you will need to know:
- You must provide public notice - You do not need to request permission to collect data unless the user is 16 or under. However, you do need to disclose that you're collecting user data at or before the point of collection. You must also disclose what you're doing with that data, whether you're selling personal information or not. For example, if all you're doing is using the data to improve your marketing efforts, then you must still disclose this.
- You must comply with personal data requests - Consumers have the right to request access to their data. You will need to provide several methods that consumers can use to make a request (such as via a web form or phone number). You will also need to provide a personal data report that discloses the different categories of data you have collected from them. The report must cover all data you've collected from that consumer over the past 12 months. You have 45 days to present the report to them once you've received the request.
- You must be able to verify requests - You must have a method in place that allows you to verify who is making the request. Sharing potentially sensitive information (such as credit card information) with someone who is pretending to be someone else can lead to identity theft or credit card fraud.
- You must provide an option to opt out - The CCPA gives consumers the right to request that you delete the data you've collected on them as well as to opt out of having their data collected, sold, or shared.
- You cannot punish customers - If a consumer exercises their data privacy rights, you cannot punish them by charging them more or providing a different level of service. The only exemption is if you can prove that the difference in the quality of service is dependent on the data that you collect.
- You may have to follow stricter guidelines based on your data - If you maintain data on four million or more consumers, then you will need to follow more stringent instructions. More specifically, you will be required to monitor a variety of metrics, disclose the metrics you're tracking to the public, and establish proper training protocols for ensuring CCPA compliance.
Steps To Take To Make Sure Your Website Is CCPA Ready
Understanding the key provisions of the CCPA is essential to remaining compliant. However, knowing what the requirements are is one thing; achieving and maintaining CCPA compliance is another. Take these steps to ensure that your website meets CCPA compliance.
Map Your Consumers' Data
One of the challenges you may face with CCPA regulations is identifying what data belongs to each individual requesting access. This challenge occurs because of the sheer volume of data most businesses collect. All of this data typically comes from many different sources. If it's unorganized, it can become difficult to put together an accurate data report.
To ensure that you are capable of identifying what data you're collecting on any given consumer, you will need to map your data. The process of data mapping involves identifying what personal information you're collecting, what methods you're using to obtain it, where and how you're storing this data, and what data you're selling or sharing and to whom.
Check and Fix Your Privacy Disclosure
Since the CCPA requires that you disclose the fact that you're collecting user data at or before the point of collection, you will need to include a comprehensive privacy disclosure that's hosted on your website. This disclosure needs to have its own dedicated webpage. You should have a clearly marked link to this page on your homepage to make it easy to find. The disclosure should include the following information:
- What categories of personal data you're collecting
- What specific types of information you're collecting
- What sources you're collecting personal information from
- How you're using the information that you're collecting
- What types of third parties you're sharing the data with or selling the data to
Anytime you make changes to your data collection process, you will need to update your privacy disclosure.
Inform Consumers Of Their Rights
Not all California consumers know what their data privacy rights are. The CCPA requires that you inform them about their rights. You must notify visitors that they have the right to know what personal data you've collected on them, the right to have their data deleted, and the right to request that you stop selling or sharing their personal information. All of this information should be on the same page as your data privacy disclosure.
Set Procedures To Handle Your Consumers' Requests
You should be ready to comply with data privacy requests submitted to your website within 45 days, or you risk being fined and sued. Note that you cannot charge consumers for this service, either. To avoid missing the deadline, you will need to put a step-by-step procedure in place to handle consumer requests promptly. You will also need to delegate the responsibilities of following this procedure to the appropriate in-house personnel. This procedure should include how staff will verify requests, how they should put together data reports, how they delete data when requested, and how they will mark data as non-portable (meaning that it cannot be sold or transferred).
Personnel responsible for handling consumer requests should also be trained on how to request permission from customers between the ages of 13 and 16 for sale of their personal data and how to obtain guardian consent to sell the personal data of consumers under the age of 13.
Allow Consumers To Opt-Out
The CCPA requires that you comply with any consumer request to stop selling or sharing their personal information. You must also make it easy for consumers to make such a request by adding a privacy link to your homepage and to your privacy disclosure page titled "Do not sell my personal data." The link should direct users to a landing page where they can fill out an official opt-out form. You are obligated to add such a link to your homepage -- it's not just a helpful option that makes the process more convenient for consumers.
Let Consumers Contact You
Complying with consumer requests to access their data will be difficult if there's no way for consumers to submit such requests. Consumers must be able to submit data privacy requests at multiple points of contact, such as a web form that they can fill out and a toll-free phone number. Both should be available on the same page as your privacy disclosure.
Protect Your Website & Consumers Against Data Breaches
If you are collecting personal data, then you are responsible for making sure it doesn't fall into the wrong hands. If a data breach occurs due to a lack of adequate security practices, California residents have the right to legal recourse. Not only could a lawsuit resulting from a data breach be financially devastating to your business, but your company's reputation may never recover. To avoid such a disaster, you will need to strengthen your data security measures. Perform a data security audit and implement procedures and protocols that will help mitigate potential security risks.
Get Your Website Ready For CCPA
If your company meets one of the criteria listed by the CCPA requiring compliance, take the necessary steps to achieve compliance as soon as possible. You can be fined up to $2,500 for every violation and $7,500 for every violation found to be intentional. Under the CCPA, consumers are also allowed to take you to court if they deem that you've violated their data privacy rights as outlined by the CCPA.
Although the potential financial consequences of violating the CCPA should motivate you to achieve compliance as soon as possible, strive for compliance from the start since transparency helps to build trust. The more trust visitors to your website have in your company, the more likely you are to capture leads and close sales.