This post is for educational purposes only. It is general information and a general understanding of the law, not specific legal advice. Our blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your country or state.
What is CCPA?
The California Consumer Privacy Act of 2018 (CCPA) aims to protect and provide privacy rights to consumers with regard to their personal data. It’s also called AB-375; it was passed on September 13, 2018, and becomes effective on January 1, 2020.
What consumer rights are under CCPA?
It’s the Californication of GDPR. Picture a more laid-back version of GDPR, where consumers have the right...
- To know all data stored about them, free of charge (for 2 lookups a year).
- To opt-out of the sale of information and not be discriminated against for doing so.
- To ask for posted data to be deleted.
- To a mandatory opt-in for the sale of children’s information (under 16 years old).
- To know the reason for collecting information.
- To know the category of third parties with whom data is shared.
- To know where data was acquired from.
- To sue a company (this is America after all) that collected stolen or breached data.
The Act covers “consumers”, who are defined as a “natural person who is a California resident”. Note that the term ‘consumer’ is a bit confusing, as the act covers all such people (prospective customers, employees and so on), not just actual customers of yours.
Unlike GDPR, the law is not ‘extraterritorial’, so it doesn’t cover California residents when they are out of state.
You can refer to the act in full here.
What counts as 'personal information'?
The law says that “Personal information” means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
As you’d imagine, there has been intense debate from various lobbies about this law, especially from digital advertisers. The late addition of the word “reasonably” is helpful because it means that some data that is, strictly speaking, identifiable may not be classed as such.
There are a lot of loose terms that will be up to the Attorney General of California to define in case law.
Personal information certainly includes:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- All of the above, plus signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies (this is very relevant in e-commerce).
- Biometric information.
- Internet or other electronic network activity information, such as browsing history, search history and information regarding a consumer’s interaction with an Internet web site, application or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory (yes - smell), or similar information.
It does not include information that is public, i.e. lawfully available from federal, state, or local government records.
Does it affect all businesses?
It affects any for-profit entity “that does business in the State of California” that meets any of the following:
- Has an annual turnover of over $25 million.
- Buys, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
What's the penalty?
Up to $7,500 for each violation. A violation is counted per customer, so it could add up if you have a lot of customers. You can also be sued by your customers if you disclose their data.
I’m an e-commerce business - how will it affect me?
E-commerce businesses collect a lot of private customer information, both during browsing and during purchase.
CCPA means developing new processes for customers to opt out or even request the deletion of their data. Even allowing customers to query what is stored about them could be a major operational challenge for many brands and retailers.
Also, it goes without saying that personal information should be secured and encrypted. Newer businesses will be using newer tech stacks that handle this for them. Older businesses may have painful technical changes to make to ensure they are treating customer data with the required care.
I use Shopify - what do I need to do?
Here’s a starting point:
- Full data inventory of what data you store and where.
- Eliminate redundant or obsolete data.
- Ensure opt-outs and opt-ins are present for all customers, as relevant.
- Define processes for the right to delete and data request reports.
- Create a shareable guide on how data is stored and why, especially when third parties are involved.
- Define and communicate the process for when breaches occur.
We recommend seeking legal advice that is specific to your business.
When does CCPA take effect?
It goes into effect on January 1, 2020.
The Attorney General will begin enforcing CCPA six months after it goes into effect.
That doesn’t leave long to get in line, but if you’re already sorted for GDPR there should be minimal changes involved.
We’ll update this post as new best practices emerge.