California Consumer Privacy Act (CCPA)

by Dec 10, 2019Compliance, Uncategorized

Let’s start with a short disclaimer. We are not lawyers. This blog post is not legal advice and is for informational and/or educational purposes only. Any reliance you place on such information is therefore strictly at your own risk.

Essentially, please seek legal advice about CCPA compliance if you haven’t already done so. Only qualified legal professionals will be able to give you and your business the best advice.

With that out of the way, let’s dive into CCPA.

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a California law that was passed in June 2018. The CCPA gives California residents more control over their personal information (which may include participation in targeted ad networks that use “programmic advertising” as discussed below). If your website is available to California residents or you are involved in the sale of California residents’ personal information, then this law likely applies to you. The following sections are available to help you understand your obligations under the CCPA and to help you prepare. My Project Solution cannot give you legal advice, so if you have any further questions, then consult a local lawyer or privacy professional.

CCPA timeline

The California legislature passed the CCPA in June 2018. Businesses that are subject to the law must comply by January 1, 2020. The California Attorney General (AG) might start enforcing the law on July 1, 2020. The AG might also issue more guidance on how to comply with the law in 2020.

From January 1, 2020, consumers have the right to request information about where their personal information has been sold or disclosed for the previous 12 months. Consider gathering documentation about where you have sold or disclosed information from January 1, 2019, onwards.

CCPA thresholds

Not all My Project Solution customers are subject to the CCPA. The CCPA only applies to businesses that collect personal information of California residents, and that meet one of the following conditions: 

  • Have an annual gross revenue of more than $25 million USD.
  • Annually buy, sell, receive for commercial purposes, or share for commercial purposes the personal information of 50,000 or more California consumers, households, or devices.
  • Derive 50% or more of their annual revenue from selling California consumers’ personal information.

Businesses are not subject to the law if they do not have a physical presence in California and their commercial conduct takes place wholly outside of California. Certain requirements, such as the obligation to offer to opt-out of the sale of personal information, apply only if you sell personal information of California consumers. See the Sale of personal information and Opt-out of sale sections for more information.

How CCPA affects you

The following sections describe how the CCPA might affect you and how you run your My Project Solution website:

Transparency requirements: Privacy Policy

You should have a privacy policy available on your website that provides the name of your business and your contact information. The CCPA also requires your privacy policy to include the following information: 

  • The categories of personal information that are collected and the purposes for which they will be used.
  • The categories of personal information that you share for business purposes.
  • A description of California residents’ rights under the CCPA.
  • Methods by which customers can submit data subject rights requests.
  • A list of personal information or categories of personal information that the business sells or a notice that the business does not sell personal information.

You can use a Privacy Policy generator like the one found on the Termly website (click here to see the Termly Privacy Policy Generator)

Opt-out of sale

If you sell the personal information of consumers, then as of January 1, 2020, California residents have the following rights:

  • request a list of the categories of their personal information that you sold;
  • request a list of the buyers of that personal information, by category of personal information, over the previous twelve months; and
  • opt-out of the sale of their personal information going forward.

In order to allow consumers to opt-out, you should have a link on every page of your online storefront labeled “Do not sell my personal information”. This link can lead to a page that describes the rights of California residents and how to contact you to request the opt-out. As described above, My Project Solution doesn’t believe that you sell personal information to My Project Solution, so the sale and the opting out of sale takes place outside of My Project Solution. It should be easy for consumers to contact you to submit their requests.

If a customer opts out of the sale of their personal information, then you need to do the following:

  • Stop selling their information.
  • Keep track of the date of the request and the steps you took to verify the identity of the requester.
  • Wait 12 months before requesting that they opt-in again.
  • Don’t deny them service or provide them with an inferior product.

Individual rights

The CCPA gives California consumers the right to request that you delete their personal information, and to request that you give them a copy of their personal information. My Project Solution websites have built-in features to allow you to do this in the WebDriver content management system.

Make sure that your customers can contact you to make a request relating to their personal information. Under the CCPA, you might need to allow California residents to contact you by using a toll-free phone number, or by one of the following: mail, email, or other consumer-friendly methods of contacting a business (such as a retail location or an online portal that your business might have for customers). Make sure to include these contact methods in your privacy policy or on your website.