As you may know, the new CCPA (California Consumer Privacy Act) goes into effect January 1, 2020. The law applies to any for-profit entity doing business in California or collecting personal information about California consumers that meets any of the following criteria:
- Annual gross revenue exceeding $25 million,
- Buys, sells, receives, or shares personal information for commercial purposes from at least 50,000 California consumers, households, or devices per year,
- Or derives at least 50% annual revenue from selling California consumers’ personal information.
Enforcement of the bill by the California Attorney General begins on July 1, 2020.
If you’re affected by CCPA (and even if you’re not, as some of these measures are simply good practices), there are some relatively straightforward measures you can take to update your site. We encourage you, of course, to consult with your legal counsel to ensure that your approach meets requirements from a legal perspective, but here are a few things to consider.
1. Data Access and Deletion Request Form
You’ll need to offer your site visitors a way to request and/or delete data you’ve collected on them within the prior 12 months. You can do this via a simple email link or form.
2. Data Sale Opt-Out Form
Companies must provide a way for users to opt out of their personal data being sold to third parties. This generally means including a “Do Not Sell My Personal Information” email link or form on the company home page and privacy policy.
3. Privacy Policy and Data Collection Policy
You’ll need to clearly state your Data Collection Policy as it relates to how your organization addresses CCPA, the rights of your users under the law, a list of what personal information your business sells (or a statement that your business does not sell personal information), and instructions regarding how users can submit requests for data access or removal. This typically means adding or updating an existing Privacy Policy / Data Collection Policy. We recommend consulting with your legal team to produce this policy, but there are several online policy generator tools that could be used to provide boilerplate language.
4. IP Address Anonymization
Google Analytics can be configured to anonymize IP addresses, which masks the specific details of the user’s location and prevents the collection of what could be considered ‘personally identifiable information’. There are a few other configurations that need to be checked as well, but generally speaking, IP anonymization allows you to continue monitoring site usage without involving PII data.
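To make the masking concrete, the following added example (not code from Google or from this article) applies the truncation Google documents for Analytics IP anonymization: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are set to zero. The function names and the sample addresses are assumptions made for illustration.

```javascript
// Parse dotted-quad IPv4 into four octets, or return null if malformed.
function parseIPv4(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

// Parse IPv6 text into eight 16-bit groups, or return null if malformed.
function parseIPv6(text) {
  let addr = text;
  const lastColon = addr.lastIndexOf(':');
  // An embedded IPv4 tail (e.g. ::ffff:192.0.2.1) becomes two hex groups.
  if (addr.includes('.')) {
    const v4 = parseIPv4(addr.slice(lastColon + 1));
    if (!v4 || lastColon < 0) return null;
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    const lo = ((v4[2] << 8) | v4[3]).toString(16);
    addr = addr.slice(0, lastColon + 1) + hi + ':' + lo;
  }
  const halves = addr.split('::');
  if (halves.length > 2) return null; // "::" may appear only once
  const compressed = halves.length === 2;
  const toGroups = (s) => (s === '' ? [] : s.split(':'));
  const head = toGroups(halves[0]);
  const tail = compressed ? toGroups(halves[1]) : [];
  const missing = 8 - head.length - tail.length;
  if (compressed ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(compressed ? missing : 0).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Zero the last octet (IPv4) or the last 80 bits (IPv6, first 48 bits kept).
// Returns null for unparseable input so the caller drops the value
// instead of storing the raw string.
function anonymizeIp(text) {
  const v4 = parseIPv4(text);
  if (v4) return [v4[0], v4[1], v4[2], 0].join('.');
  const v6 = parseIPv6(text);
  if (v6) return v6.slice(0, 3).map((g) => g.toString(16)).join(':') + '::';
  return null;
}

// Constructed sample addresses from the documentation ranges.
const samples = ['203.0.113.77', '2001:db8:85a3:8d3:1319:8a2e:370:7348', 'not-an-ip'];
for (const ip of samples) console.log(ip, '->', anonymizeIp(ip));
```

The masked value still identifies a /24 (IPv4) or /48 (IPv6) network, which is what allows coarse location reporting to keep working.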
There are other considerations that might be specific to your organization as well, but these are the common denominator topics. We understand this is a topic that can seem overwhelming, but if you feel you’re affected by CCPA and want to talk through options, let us know. We’re here to help!