Remember what a mad scramble it was with General Data Protection Regulation (GDPR) in 2018? Now, a new set of privacy regulations is going into effect on January 1, with major implications for U.S.-based businesses.
California’s new Privacy Protection Act imposes strong financial penalties for any company that doesn’t meet its requirements, whether or not the business operates in California. If any California resident comes to your website and you meet any one of these requirements, you need to be compliant:
1. Annual gross revenue is more than $25 million
2. Your organization receives, shares or sells the information of more than 50,000 individuals
3. Your company makes more than 50% of its revenue from selling personal information of California residents
For your website to be compliant, you will need to update your privacy policy to include details about the specific information you’ve collected, sold, or disclosed since January 1, 2019. Also, you will need to include your reasons for collecting the data and methods. If you don’t already have a privacy policy in place, there are a number of tools available to help quickly generate a policy with appropriate CCPA disclosures.
In addition to including a link to your privacy policy in the footer of your website, you must also include an opt-out-of-data-collection option on every page of your site. If your site is built in WordPress, there are plugins available that can automatically add these opt-out buttons to your site for you.
Finally, you must also provide a way for site visitors to request a copy of their information, and for them to request that it be deleted. While it is easy to add a contact form on your site, for most companies, this last step is the biggest challenge. Most big businesses don’t know the amount of data they have or all the locations they are stored since different departments typically don’t use the same data collecting systems. Updating your processes or adapting new data solutions can be time consuming and potentially expensive if you have to adopt new systems. But it will be far less expensive than the newly implemented fines of up to $7,500 per person you collect data on.
Types of information included under California Consumer Privacy Act (CCPA):
Name, alias, email address, phone number, address, driver’s license number, social security number, passport number, unique online identifier, customer ID numbers, IP address, browsing history, search history, website navigation, sales history, geolocation data, consumer profiles, psychological profiles, behaviors, or any other data inferred from any combination of these items.
If you fall into these categories and run Google Ads, you need to make some changes to your settings to turn on Google’s restricted data processing setting. Google has already enabled this for all websites in Google Analytics to be compliant.
If you want to really err on the side of caution and reduce or minimize the amount of data Google Analytics collects, you can also make adjustments to your Google Analytics settings to disable data collection all together and anonymize IP addresses.
Not convinced that you need to bring your business into compliance? More than 20 other states are advancing similar privacy legislation, with many of them based around the CCPA.
Contact us today for help updating your site to address these new and emerging privacy laws.