How Startups Can Become CCPA Compliant

A pink key on a computer keyboard showing a silhouette of the state of California that says "California Consumer Privacy Act" and "CCPA"

Over the past several years, people have become increasingly aware of the security concerns that exist on the internet. Americans are acutely aware of how much their data is being shared online thanks to high profile data breaches and congressional hearings. In response to consumer privacy concerns, several states have implemented new data security laws. The most recent of which is California’s CCPA. This blog post discusses some ways that startups can become CCPA compliant.

What is the CCPA?

CCPA stands for California Consumer Privacy Act. California Governor Jerry Brown signed CCPA into law on June 28, 2018. The law went into effect on January 1, 2020. CCPA is similar to privacy regulations the EU put in place in 2016, GDPR. CCPA outlines five basic rights for consumers in California:

  • California residents have the right to know if their data is being collected and what data is being collected.
  • Californians have the right to know if their data is being sold or disclosed to a third party and who that third party is. 
  • California residents have the right to refuse the sale of their personal data.
  • California residents shall have access to the data collected about them. They will also have the right to request the business to delete their personal data.  
  • A business shall not discriminate against a consumer by implementing a higher price because the person chose to exercise their privacy rights. 

To become CCPA compliant, businesses must act in accordance with a consumer’s requests in regards to their privacy and add a “Do Not Sell My Personal Information” link on the business’s website home page.

Who does the law apply to?

So it goes to reason that the only people that need to worry about this new law are California businesses, right? Not so much. You may want to take a closer look before you think that your start-up doesn’t have to abide by these new data laws. Especially if your company is located outside of California. The law applies to any business who operates out of California or sells a good or service to a resident of California. They must also meet at least one of the following qualifications:

  • The company has a gross annual revenue of more than $25 million.
  • The company collects data from at least 50,000 California residents
  • They derive at least 50% of its revenue from the selling of personal data. 

So while CCPA is a California law, businesses outside of the state may be subject to the regulations as well.

What happens when businesses are not CCPA compliant?

The new law went into effect on January 1, 2020. That means if you’re not CCPA compliant you need to take action NOW. Businesses who violate the law will be subject to a civil penalty of up to $2,500 per violation if they do not fix the issue within 30 days of notice. The fine increases to $7,500 per incident if the violation is an “intentional violation.”  

Just one violation can be a massive hit for a small start-up. But it’s important to understand that the fine is per incident. This means non-compliance can result in substantial fines. The law distinguishes each incident on a per person basis, not action. In other words, a company cannot be fined more than once for selling the same person’s data. 

How can you make sure your company is CCPA compliant?

You don’t want to find out you’re out of compliance after you receive a notice of violation. So how do you make sure your start-up’s ready to go?

  1. Evaluate your company’s data policy. Do you know what data you’re collecting? How about where that data goes? Do you even have a data policy? Now’s a good time to find out what type of data you are collecting and what your company is doing with it.
  2. Make sure all employees are up to date with regulations regarding the new privacy requirements. It doesn’t matter if the CEO of your company knows the law if your office manager or the person handling your data doesn’t know anything about it. Have a meeting, write an email, or tell each employee individually. Just make sure everyone is aware of the changes. 
  3. Implement new training policies. Make sure new employees know how to comply with the law and any policies or handbooks are up-to-date. 
  4. Contact an experienced start-up attorney. A qualified legal professional can help you determine if you are in compliance with CCPA and what changes need to be made. 

How Can We Help?

With the everchanging legal landscape, it’s important to make sure your business complies with all state and federal laws. As a start-up, you likely don’t have time to sift through the legalese to make sure your company is in compliance. The last thing you want to do is be fined because you didn’t know the law. Remember, ignorance of the law is not an excuse. To learn more about how the Law Office of Elliot J. Brown can help your start-up become CCPA compliant, contact us to schedule a free consultation.