If your business handles personal information from California residents, it’s crucial to stay informed about the state’s changing data privacy laws. Two key laws to know are the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA). Together, these regulations affect how you collect, use, share, or sell personal information, and they grant consumers new rights over their data.
What Are the CCPA and CPRA?
- CCPA: Became fully enforceable in July 2020 and gave California residents more control over the personal information businesses collect about them.
- CPRA: Approved by voters in 2020 and effective January 1, 2023, the CPRA expands the CCPA’s requirements. Enforcement of the new provisions began July 1, 2023.
In simpler terms, if you’re doing business in California, you may need to comply with both sets of rules, which now function together. The CPRA builds on the CCPA by tightening requirements and adding new consumer rights.
Who Must Comply?
Your business must comply if it meets any of these thresholds:
- Has more than $25 million in annual gross revenue.
- Buys, sells, or shares personal information of 100,000 or more California consumers or households.
- Makes at least 50% of its annual revenue from selling or sharing personal information.
What Counts as Personal Information?
Personal information is any detail that can identify or be linked to a specific individual or household. This can include names, addresses, email addresses, and even online browsing history. Under the CPRA, there’s also a category called “sensitive personal information” (like Social Security numbers or precise location data) that gets extra protection.
Key Consumer Rights
- Right to Know: Consumers can ask what personal information you have collected about them and how you use it.
- Right to Delete: Consumers can request that you delete their personal information (with some exceptions, such as keeping it for legal compliance).
- Right to Correct: Consumers can ask you to fix inaccurate personal information you hold about them.
- Right to Opt-Out: Consumers can say “no” to the sale or sharing of their personal information. If they are under 16, you must get their (or their parent’s) permission first.
- Right to Limit Use of Sensitive Information: Consumers can restrict how you use highly sensitive data, like race or health information.
What This Means in Practice
- Example: If you run an online store that gathers email addresses for promotions and sells customer data to advertisers, a California resident could request a report of all the information you’ve collected about them, ask you to delete it, and forbid you from selling it to others.
- Another Example: If you track users’ browsing activities to deliver targeted ads, consumers can opt out of this “sharing” and you must honor their request.
Your Responsibilities as a Business
- Update Your Privacy Policy: Explain clearly what data you collect, how you use it, and how consumers can exercise their rights. Make this information easy to find on your website.
- Offer Easy Opt-Out Tools: Provide simple, visible links or buttons so consumers can quickly tell you not to sell or share their data.
- Respect Consumer Requests: When a consumer asks for their data to be deleted, corrected, or provided, respond promptly within the legal timeframe.
- Limit Data Collection: Only gather as much personal information as you reasonably need. Don’t collect or store extra data just because you can.
Enforcement and Penalties
The California Privacy Protection Agency (CPPA) oversees these laws and can issue fines if you fail to comply. This makes following the rules not just a legal formality, but a critical business priority.
Getting Started
- Conduct a data audit to see what personal information you collect and why.
- Update your contracts with service providers to ensure they also follow the law.
- Train your team on how to handle consumer data requests.
Why Comply?
Besides avoiding fines, compliance can build trust. Showing you respect consumers’ privacy can help you stand out in a crowded market. When customers feel safe doing business with you, it’s good for your bottom line.
In Summary
The CCPA and CPRA set a higher bar for privacy, requiring businesses to be transparent, careful, and responsive about personal data. Taking a consumer-first approach to privacy helps protect the business and strengthen relationships with customers.