CCPA Compliance 101: What Online Sellers Need to Know

  • Ecommerce 101
  • News

Does your online business sell to shoppers living in California?

If so, you may have to comply with the new California Consumer Privacy Act (CCPA). Effective January 1, 2020, the CCPA impacts more than 500,000 US companies and focuses on data protection rights for consumers. These new privacy laws are setting a precedent for businesses to reexamine the ways they obtain, secure, and use private customer data.

If your business already took action to comply with the General Data Protection Regulation, you may already have measures in place to meet some of the requirements of the CCPA. While the two laws share a similar framework, the CCPA has some key distinctions.

In this article, we provide a brief overview of what companies need to know about CCPA compliance. As a disclaimer, this article is not designed to serve as legal guidance, nor is it a comprehensive guide for CCPA compliance. Rather, we hope it provides a helpful starting point for you to conduct further research and seek consultation to ensure your compliance with these industry-changing laws.

Consumer Rights Under CCPA 

The CCPA (also known as Assembly Bill 375) gives California consumers the right to request all the personal information a company has saved about them, and to see how it’s used and if it is sold to or shared with any third parties. Consumers also have the right to request that a company delete their personal information, to opt-out of the sale of their personal information, and to receive no discrimination for exercising their privacy rights.

If any of these privacy conditions are violated, consumers may be able to sue the violating company for damages—even if no security breach has occurred. Under the act, the following are considered consumers’ personal information:

  • Identity data (i.e. name, email, address, account name, social security, driver’s license, etc.)
  • Biometric information
  • Browsing, search, and purchase histories
  • Geolocation
  • Professional, employment, and education information
  • Device type

If any California consumer asks for this information, the company is required to provide a comprehensive report that includes the personal data collected about that consumer, information about the company’s sources and purpose of collection, and whether that personal data was sold or disclosed to any third parties.

Does CCPA Apply to My Company? 

CCPA requirements impact your operations if you are a for-profit business that does business in California and meets one or more of the following criteria:

  • You generate more than $25 million in annual revenue
  • You have personal data on more than 50,000 consumers, households, or devices
  • You collect 50 percent or more of your revenue from selling consumers’ personal information

While many small business owners are likely to not be impacted, medium-sized businesses and large enterprises need to be compliant. Even if you do not have a physical presence in the state, you may still be subject to the CCPA.  

Does CCPA Apply to B2B?

B2B companies have a one-year reprieve to meet some of CCPA’s requirements related to personal information they collect from communications and transactions with other businesses. However, they are not exempt from honoring consumer requests to opt-out of the sale of their personal information, from ensuring no discrimination for consumers who exercise their rights under CCPA, or from a consumer’s private right of action in the event of a data breach.

Consequences of Non-Compliance with Privacy Laws 

With the CCPA now in effect, both regulators and consumers can give a written notice to any company that is in violation of the laws. Once they are notified, companies have 30 days to comply. Continued noncompliance can result in fines of up to $7,500 per violation.

Since the CCPA gives individuals the right to sue, this could potentially lead to class action lawsuits, especially in the event of a data breach. Businesses could face a penalty of $100 to $750 per consumer per incident or the cost of total damages, whichever is greater.

CCPA Compliance Requirements for Ecommerce

To comply with CCPA, your company must fulfill the following obligations:

  • Give notice to consumers upon or before collecting their data (via website footer, privacy policy, etc.)
  • Include a “Do Not Sell My Personal Information” link for consumers to easily opt-out if you sell consumer information to third parties
  • Address any consumer requests for knowing, deleting, or opting out of personal data
  • Verify the identity of consumers who are requesting their data
  • Disclose any incentives you provide to consumers who opt to share their personal data
  • Retain records of consumer requests and your responses
  • Include two methods for consumers to request information

If a California resident requests their personal information, your company will have 45 days to provide them with a report. The biggest challenge for enterprise companies may be compiling this report, as customer data is often stored across different platforms and databases.

Companies will need to conduct a deep dive into how they obtain, process, secure, disclose, purchase, and sell customer data. A data flow map can help you understand all the touch points of your data and develop a more streamlined system to locate and secure it.

To ensure you remain compliant, your business should also coordinate your strategy across your IT, operations, sales, marketing, legal and finance departments. Assign staff to handle any customer requests and prevent data breaches with top-notch security measures, encryption, protection technology, and employee training.

Next Steps for CCPA Compliance 

Although amendments to the CCPA might take place, its key principles will likely remain the same. CCPA places a critical emphasis on personal data, including why it’s collected, what is being done with it, and the consumer’s rights to access and limit disclosure of it.

Analyzing the structure of your business’ data collection will be key to compliance. Although California is the first to enact this law, experts predict similar consumer protection measures to follow for other states. Your company will want to consider the extent of your consumer privacy policies to stay ahead of these changing demands.

If your business stores consumer information on the Miva platform, you can refer to our step-by-step guide on how to delete and export your customer data.

Love it? Share it!