While I am an attorney, I am not your attorney and nothing on this website or downloads available are to be construed as creating an attorney-client relationship. Additionally, nothing in this site or resources made available are to be considered legal advice. The author is not liable for any losses or damages related to actions or failure to act related to the content in this website. If you need specific legal advice consult with an attorney who specializes in your subject matter and jurisdiction.
Cliff’s Notes Version:
CCPA is a new privacy act out of California that is similar to GDPR in many ways. If you are already GDPR compliant you only need to do a few more things to be CCPA compliant:
- Have a contact page on your site
- Potentially have a toll-free phone number for users to submit requests (there is an amendment in the works that would exclude most bloggers from this requirement)
- Add a “Do Not Sell My Personal Information” page to your site and link to it on your homepage
There are also a few things you shouldn’t do:
- Block traffic from California based users
- Charge different rates to those that do or do not exercise their rights
What happens if you don’t comply:
- Once notified by a consumer of a violation, you have 30 days to fix it
- If you don’t fix it you could be sued by a consumer and have to pay anywhere from $100-$750 as well as any other penalty the court sees fit
- You could also be sued by the California Attorney General and be liable for up to $7,500 for each violation (which could really add up).
What is CCPA?
CCPA stands for California Consumer Privacy Act, but don’t let the “California” part fool you. Even if you’re not located in the state, it may still apply to you.
It was passed and signed into law in 2018 and goes into effect in 2020.
How Does CCPA Impact Bloggers?
It’s another privacy law that you will likely need to comply with. However, if you are already GDPR compliant, there are only a few more things you’ll need to do (covered in detail below).
GDPR, if you don’t know, is also known as the Global Data Protection Regulation out of the European Union and it had a big impact internationally when it went into effect in 2018.
One of the big things GDPR impacted was how bloggers grow their email lists, as the old content upgrade model, where they give an email and you give a freebie, was no longer GDPR compliant.
The CCPA has many of the same or similar rules. If you want to really dig into GDPR to better understand it, check out my GDPR Guide.
CCPA impacts bloggers, because unlike GDPR where one solution (although a bad one) was to just block traffic from the EU, CCPA specifically says you can’t deny Californians for exercising their rights, which means no blocking CA traffic.
How is CCPA Different from GDPR?
GDPR protects the privacy of those located in the European Union, while the CCPA protects the privacy of California residents.
If you’re neither, why do you have to comply with either? While you may not be located in the EU or a resident of California, there is a very real possibility that some of your audience is.
Can’t I just block that traffic?
While this is one solution that was floated around when GDPR came out, it’s not a great one thanks to things like Virtual Private Networks, which can mask where someone is located.
Additionally, the CCPA states that you can’t provide a different experience just because users exercise their rights, which I would take to mean that you can’t just block users from California.
Why is There Another Privacy Act?
The 2016 election. The Cambridge Analytica scandal is mentioned as one of the reasons for needing a more up to date and comprehensive privacy law.
The fact is that technology has been evolving quickly and these new privacy laws are an effort to keep up. They allow consumers more control over their personal information and avenues to pursue (think lawsuits) if a company is violating their rights or grossly negligent with how they protect user data.
Does CCPA Apply to Me/My Blog/My Business?
There are two qualifiers when it comes to who CCPA applies to and chances are you fall into the first as a Sole Proprietor or LLC, or really any type of business entity.
The second threshold is a bit more complicated. It states:
“that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.” (CCPA, 1798.140)
Unless you are an extremely successful blogger, chances are (A) doesn’t apply and so long as you aren’t in the business of selling personal information then (C) likely doesn’t apply either.
So it’s (B) we need to focus on, “receives for the business’ commercial purposes …the personal information of 50,000 or more consumers, households, or devices”
The law goes into detail about what actions qualify. It includes things like “counting ad impressions” so if you are using things like Google Analytics, or pixels for ads (think Facebook or Pinterest) then it seems those actions would qualify under this law.
Now for the 50,000 or more per year, unless you are getting under 4,166 (50,000/12) users per month, then yes, CCPA will apply to you.
How to look at your number of Users/month:
- Go to Google Analytics
- Go to Audience
- Click on Overview
- In the top right-hand corner, select the desired date range
- View the number of users in the bottom left-hand corner
While “Consumer” is defined in the act as residents of California, the law doesn’t specify as such when qualifying “households, or devices,” so it doesn’t look like it matters if only a fraction of those users are from California.
When does CCPA go into effect?
January 1, 2020, but it’ll be finalized with amendments at the end of October 2019. So check back here in November for updates.
What Do I Need to Do to Comply with CCPA?
There are four things you need to do to comply with the CCPA:
1. Don’t be mean to those exercising their rights under the CCPA
This means no:
- denying them goods or services,
- charging different prices,
- providing a different quality of goods or services
2. Make available at least two different ways to be contacted to request information
The bare minimum is a toll-free phone number and a website address.
Note: If your business operates exclusively online with a direct relationship with the consumer you need just one method for consumers to contact you (email).
3. After receiving a request for information, provide it within 45 days
And do so free of charge
4. If You Sell Information, Add a “Do Not Sell My Personal Information” Page to your site
Be sure to link to it on your homepage. It should include:
- The California specific “description of privacy rights”
- An easy way for consumers to “opt out of the sale of the consumer’s personal information”
What Happens if I don’t Comply with CCPA?
If you don’t comply with CCPA, you have 30 days to cure/fix (if possible) the noncompliance upon receiving written notice from a consumer that alleges you’ve violated CCPA.
If it’s not something you can fix, meaning the consumer has already suffered damages, then the consumer can bring a lawsuit to seek damages ranging from $100-$750, injunctive or declaratory relief, and/or anything else the court deems proper.
The State Could Come After You Too
If you flagrantly and continually violate CCPA the court can take that into consideration. The court can also consider things like your assets, liabilities, and net worth. Remember, the court is looking to make sure residents’ rights under CCPA are upheld. Meaning they would likely approve a fine that lines up with the seriousness of the misconduct and what you can actually afford on top of the $100-$750 you may already be liable for.
If you are found in violation of the CCPA and don’t fix it in 30 days, in addition to the consumer suing you, the Attorney General might bring a lawsuit too.
In that scenario, you could be liable for a penalty up to $7,500 for each violation. Though you’d likely only see that high a penalty if you’re found to have intentionally violated the CCPA.
Take action to do your best to comply with CCPA. Making an effort goes to show you’re not intentionally trying to violate the law. And if you do end up getting a notice that you did (be sure to check your business address, P.O. Box, etc.), then fix it within the 30 days and let the consumer know.