Does the new consumer privacy act apply to you?
RB Connect/RB Web/MR Web
A new state law, the California Consumer Privacy Act (CCPA), went into effect this month, and even if you are not a California business, it might affect you. OMTI is not a law firm and cannot give legal advice, but it is our opinion that if you store any personal information related to a California resident, you should err on the side of caution and post a privacy policy that complies with CCPA on your company website and/or your RB Web/RB Connect/MR Web site (if you have one).
CCPA protects the privacy of Californians by allowing them to demand, up to twice a year, to see all the information a company has saved about them, as well as a full list of all the third parties that data is shared with. Californians can also demand that their personal information be removed from your files. In addition, the California law allows residents to sue companies if the privacy guidelines are violated, even if there is no breach.
For example, they can sue if you do not have a clearly visible footer on your website offering the option to opt out of data sharing, or if they can’t find out how their information has been collected or get copies of that information.
There are limits on which companies are required to comply. You must comply if your company:
- Does business in the State of California,
- Collects personal information (or on behalf of which such information is collected),
- Alone or jointly with others determines the purposes or means of processing of that data, and
- Satisfies one or more of the following:
  - Has annual gross revenue in excess of $25 million,
  - Annually, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, or
  - Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Before deciding if you must comply, consider that you don’t have to be a California business or sell personal information for the law to apply to you. For example, if you create a transcript that includes information about a California resident that you then store in your repository, CCPA might apply.
Fines for non-compliance are up to $7,500 per record, and you have 30 days to comply once notified of a violation. In addition, California residents can sue for damages, both individually and as part of a class-action lawsuit.
The law is very new, so there might be further regulations that make it clearer where and to whom it applies, but for now, you might want to include a privacy statement on your website just to be safe.
Further reading
To create your own privacy policy, you can find CCPA-compliant privacy policy examples and generators online by searching for “ccpa policy examples.”