- They have annual gross revenues over $25 million
- They receive, buy, sell or share the personal information of at least 50,000 California consumers
- They derive at least half of their revenue from selling the information of state residents.
Companies must be compliant by the new year, but there is a six-month grace period before enforcement by the California attorney general begins. To ensure compliance under the CCPA, it’s important to start preparation early.
Steps to compliance
While many small businesses will not meet the criteria of companies impacted by the law, there are several steps that business owners can take to ensure they are compliant by the time the law’s enforcement period begins:
1. Understand the scope of the law
First, you must understand the law itself. Most importantly, you must understand the broad definition of “personal information”, which is defined as any information which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal information includes, but isn’t limited to:
- Personal identifiers (names, aliases, addresses, e-mails, SSN, driver’s license number, etc.)
- Biometric information
- Employment information
- Commercial information
- Internet or network activity
- Audio, electronic, visual, thermal, or olfactory information
- Education information that is not publicly available personally identifiable information
- Information that may be inferred from any of the above
2. Train your employees
The CCPA requires employees who handle customer requests about data privacy practices (deleting information, opting out, etc.) and employees who are responsible for the company’s compliance to undergo specific training to understand the law. Generally, this statute will require training of all customer service representatives and whoever handles legal compliance.
It is recommended that you know which employees have roles handling personal data to ensure that everyone who has to undergo training completes it. Employee training should start well before enforcement begins to help ensure that you are not fined for violations and do not end up with a consumer lawsuit.
3. Understand the penalties
The penalties for not being CCPA compliant go up to $7,500 per intentional violation and $2,500 for unintentional violations, and are enforced by the California attorney general. Consumers also have the right to pursue their own individual action against non-compliant businesses, and they can sue the company if a data breach occurs due to carelessness.
Although it may seem daunting at first, if you divide your effort into these easy and manageable steps, you will be on the path to CCPA compliance. If you have questions about CCPA compliance, ask a lawyer.