The California Consumer Privacy Act of 2018 (CCPA) has somewhat of a misleading name. The date, 2018, actually refers to when the law passed legislation. Not when it becomes effective. Needless to say, it’s leaving a lot of businesses asking, “When does the CCPA take effect?”
Here’s the deal:
Beginning January 1st, 2020, the CCPA officially goes into effect. That means, if you haven’t already taken the proper steps to become CCPA compliant, you are running out of time! But, before you start to panic, let’s learn a little more about the CCPA, including the “grace period” you have to become compliant.
The CCPA Takes Effect On January 1st, 2020, But…
With the CCPA taking effect on January 1st, 2020, many business owners are scrambling to comply with their websites. Although, business owners should be aware that there is a six-month period following January 1st, which they have to fulfill CCPA requirements.
In fact, the CCPA explicitly states:
“The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”
California Consumer Privacy Act
So, while the CCPA technically takes effect on January 1st, 2020, you will have until July 1st, 2020, before you are at risk of penalties.
That’s good news if you need more time to become compliant. While six additional months may sound like plenty, don’t be tempted to put off becoming compliant. As technical as the bill is, the process of becoming compliant can be lengthy. You might think you have plenty of time, but it goes by fast!
Staying On Top Of The Legislation After The CCPA Takes Effect
As with any piece of legislation, the CCPA is subject to amendments. So, once you’ve become CCPA compliant, you’ll still need to stay alert and monitor the legislation for any future changes to the law.
In other words, once the effective date, as well as the “grace period” has passed, you could still be at risk of being non-compliant should an amendment be made which you were not aware of, and that made your website non-compliant.
Be On The Lookout For Similar Legislation Coming From Other US States
In all likelihood, California is blazing the trail for more US states to pass their own versions of the CCPA. Presently, nine different states are working on similar legislation, with additional states expected to join the consumer privacy rights movement.
Even after the CCPA goes into effect, the chances of adapting your privacy policy to accommodate new legislation are high.
Fortunately, being CCPA compliant will also likely reduce the workload if additional states pass similar consumer privacy standards.
A Brief Introduction To The California Consumer Privacy Act of 2018
By now, you likely already know the gist of the CCPA. If not, we suggest reading the following articles:
We’ll cover some of what these two resources include here in this article. But if you would like to take a more comprehensive look into the subject, they are excellent, in-depth supplements to your CCPA compliance research.
The CCPA is a piece of legislation passed in California that sets specific standards and requirements for any business collecting personal data of California residents. It established and grants all California residents certain rights regarding how companies collect, store, and use consumer data.
When writing this article, the massive CCPA bill is the strictest set of data privacy regulations in the entire United States. There are also presently 9 additional states working on passing similar legislation of their own.
The CCPA is quite similar to the General Data Protection Regulation (GDPR)—the European legislation protecting consumer data privacy. And, although it is similar in concept to the GDPR, there are certain differences. That means, if you’re already GDPR compliant, don’t think you will be automatically CCPR compliant.
Who Needs To Be CCPA Compliant?
Don’t think your business needs to be CCPA compliant just because you are not based in California. Regardless of whether a business is located in the Golden State or not, if they are collecting personal information from California residents, they may still be required to comply with the legislation.
What is a “California resident according to the CCPA? “The term “resident,” as defined in the law, includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.”
Section 17014 of Title 18 of the California Code of Regulations a California
These are the determining factors used when understanding which business will need to follow CCPA requirements. As previously mentioned, the first qualifier is whether or not your company collects personal data from California residents. But, that doesn’t automatically mean they must be CCPA compliant. The business, as well as its parent company and subsidiaries, should also meet one or more of the following thresholds:
- Makes a gross annual revenue of $25MM or more
- Acquires personal information from 50,000 or more California residents, households, or devices each year
- Fifty percent or more of the annual revenue comes from selling personal information on California residents (these businesses are often referred to as data brokers)
Again, your company only needs to meet one of the above thresholds to fall into the must-be-CCPA-compliant category.
What is “personal data” according to the CCPA? The California Consumer Privacy Act defines personal data as: …information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.”
If that sounds a little vague, you can read the entire comprehensive list of what “Personal data” all entails in this blog post. At the most fundamental level, personal data can be real names or aliases, postal and email addresses, unique personal identifiers, online identifiers, Internet Protocol addresses, account name, social security number, driver’s license number, passport number, and many other similar identifiers.
What Your Website Needs Before The CCPA Takes Effect
This will vary a lot between websites since each is different and has its own unique privacy policy. With that in mind, let me start by recommending you work with a professional web developer and/or designer with a specialty in CCPA compliance. Besides being a large project to tackle, it’s also a very complex subject that does require some expertise.
FURTHER READING: How To Prepare To Be CCPA Compliant
Now, that advice aside, it never hurts to be informed about topics that affect your business as much as the CCPA does. So, let’s go over a few more of the must-knows. Although not a comprehensive look at the massive bill, the following should give you a fundamental understanding of CCPA compliance.
Updated Privacy Policy
One of the biggest aspects of any CCPA compliance project is reviewing and revising privacy policies. We suggest starting here because it provides an explicit breakdown of your current privacy protocol. You will be able to work through the policy and pick out then change the parts that need to be changed to become compliant.
Your privacy policy needs to be very clear about what kind of information your company is collecting and processing. This is one area where shortcuts just aren’t going to cut it. Be meticulous!
Some companies choose to sell their consumer data as a source of revenue. This is completely legal and common. However, if your company does sell consumer data, your privacy policy must be updated to say so. If your company isn’t currently selling data but may consider it in the future, that must also be stated in your privacy policy.
Educate Consumers About Their Rights
It’s also necessary to clearly describe inside your privacy policy what rights consumers have under the CCPA while using your website and products. For example, you must explain to them they have the right to make requests to access and delete their data and explain the process they will need to take to do so.
It would be best if you also gave them away to opt-out of providing their personal information.
Make Your Policy As Clear As Possible
When writing your new privacy policy, use language that is easily understood. Never be intentionally difficult. Check, double-check, then check again to make sure you have mentioned every possible right, procedure, and protocol.
Yes, this is useful for consumers you’re collecting data, but it also helps businesses. By making sure your privacy policy is clear cut and readable, you are eliminating the risk of consumers saying “they weren’t aware” of your policy in the event a claim against your business should rise.
Yes, You Can Be Fined For CCPA Non-Compliance
A simple oversight could end up costing you a pretty penny in fines and court fees should you be found in violation of the CCPA. Depending on the type of violation—unintentional or intentional—businesses found to be violating any part of the California Consumer Privacy Act can face fines.
A civil penalty of up to $2,500 can be made for each violation of the CCPA. That maximum fee would jump quite a bit if the violation were found to be intentional. In that case, businesses will face up to a $7500 fine per violation.
In addition to the civil penalties above, a consumer can bring forth a civil action that could cost businesses $100 to $750, or actual damages, per incident should your company violate the CCPA.
Paying civil penalty and civil action costs add up quickly, given each are collected on a per-incident basis. That’s why it pays to get your site compliant before the CCPA takes effect.
Work With A Reputable Web Design Agency
If your website still isn’t CCPA compliant, it’s time to call in the professionals. If you need a hand bringing your website into CCPA compliance, contact one of our experts—we are here to help.