California is known for having complex regulations. The state is not afraid to experiment with regulatory procedures, making it difficult for some businesses to keep up. For example, following the approval of the General Data Protection Regulation by the EU Parliament, California proceeded with data privacy legislation and rolled out the California Consumer Privacy Act (CCPA), a law that affects businesses that collect personal data.
Now that this law has been passed, it has prompted other states to consider something similar. For example, Mississippi proposed a replica of the CCPA, though it died in committee earlier this year. Other states that have proposed laws on data privacy include Hawaii, Maryland and Massachusetts.
What do these privacy laws mean for your small business? Let’s learn more about the CCPA, how it may affect your business and how to prepare for the future.
What is the CCPA?
The CCPA is a bill that goes into effect in 2020 and requires businesses to protect the personal information they obtain from California consumers. This includes privacy policies, security protections and consumer rights. According to the CCPA website, consumers have the right to the following:
- Right to know all data being collected and why
- Right to refuse the sale of their information
- Right to have their data deleted
- Right to opt in before the sale of information of children under 16
- Right to know when data is shared with third parties
Not all consumer requests have to be followed, but those that are reasonable and applicable should. Businesses have 45 days to respond to consumer requests, and any damages that occur due to a breach can cost a business up to $7,500 USD per customer.
Who Does the CCPA Affect?
Any business that earns $25M USD in revenue each year, sells 50,000 consumer records per year or gets 50% of its revenue from selling personal information must follow the guidelines in the CCPA.
Under these criteria, most small businesses are excluded from the CCPA. According to this article, the average annual revenue for a small business is less than $25M USD. But does this mean that small businesses won’t be held accountable? No. Small businesses should start thinking about how data is handled within their company.
In fact, all businesses should start reviewing how customer data is handled, as the CCPA is prompting other states to consider passing these types of laws. For the most part, state legislators are embracing the language in the CCPA and other similar laws. The definition of “consumer” is broadened and more rights are given to consumers.
What if Your Business isn’t in California?
Even if your business is not in the state, the laws still apply to you if you have customers there. With the new laws in place, you will need to change the way you collect and handle all of your consumer data, or you will need to handle Californians’ data differently.
The latter option will probably prove more difficult and expensive, as this will be an entirely separate group of data. It’s best to move in the direction of handling all customer data in the same manner, in compliance with the CCPA, as this is how things will eventually be. As a business, protecting consumer information should be a priority, whether or not there are laws forcing you to do so. Taking these initiatives today will help you prepare for the future and earn the trust of your customers.
What Can Your Small Business Do to Prepare?
The CCPA goes into effect January 1, 2020, so businesses need to be ready to respond to consumer inquiries about their data on that date. Many businesses are already reviewing personal data processing, information security and access requests.
No matter what state you are in, you should be taking the appropriate steps to protect customer data. As more states crack down on how consumer information is handled, it might not be long before your state follows suit. Rather than scrambling to get things in order, an early start will give your business time to understand the privacy regulations modeled in the CCPA.
Here are some of the things you can start doing to prepare your small business for a changing data privacy landscape:
- Publicly post a notice disclosing what information is being collected by your business, how it’s being used and to whom it will be sold
- Create a simple opt-out process for the sale of personal information
- Be prepared to delete all personal information if the customer requests that you do so
- Do not discriminate against those who exercise their rights under the CCPA (e.g., charging extra fees to these customers)
Whether your business is big or small, you should take the regulations in the CCPA seriously. This bill has been well-received by state legislators and will likely serve as the foundation for other states’ proposed laws. Plus, if you have customers that come from California, you are legally required to handle their information according to the CCPA come January 1st, 2020.
While small businesses may not face all of the same compliance burdens as larger businesses, they could face some. Rather than looking at this as a headache, look at this as an opportunity to improve the safety and protection of your consumers. Now is the time to talk to your digital marketing agency to discuss how you can best protect consumer data.