One of the world’s most comprehensive privacy laws is set to go into effect in January, eclipsing the European Union’s General Data Protection Regulation (GDPR) in terms of data gathering and usage restrictions imposed on businesses.
On January 1, 2020 under the California Consumer Privacy Act (CCPA), companies must be transparent about the type of data they collect online and how they use it. Companies must also provide users with clear opt-out choices that would prevent their personal information from being collected, stored and sold.
New privacy rights for California consumers:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information.
- The right to delete personal information held by businesses and by extension, a business’s service providers.
- The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under the age of 13.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
Businesses are subject to the CCPA if one or more of the following are true:
- Have gross annual revenues in excess of $25 million.
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of annual revenues from selling consumers’ personal information.
Businesses that handle the personal information of more than 4 million consumers will have additional obligations under the CCPA:
- Must provide notice to consumers at or before data collection.
- Must create procedures to respond to requests from consumers to opt-out, know, and delete.
- For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
- Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes.
- Businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
- Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.
These businesses must also demonstrate compliance with the new rules by adhering to certain record-keeping and training practices.
Where we’re headed…
With more companies collecting personal data and selling it to advertisers without user knowledge or consent, privacy advocates have long been pressuring government at the state and federal levels for laws that give users full control of their data.
As the national dialogue on privacy continues to grow louder and more demanding, it is likely that other states will enact similar privacy safeguards, making it more difficult and costly for companies to keep up and comply, and for their websites to accommodate all the different privacy rules.
All of this will put more pressure on Congress to pass legislation that would supersede the patchwork of state laws with a national approach, as was done in the EU with its GDPR.
Meanwhile, businesses will have to start following privacy developments more closely and begin adding privacy compliance as an IT budget line item. Webmasters will have to get ahead of the compliance curve by looking at ways to integrate compliance tools into their content management platforms without interfering with the quality of the user experience.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.