Knowing who your customers are and collecting information about them has always been one of the pillars of building a successful business. That information can include purchase history, billing information, or other pieces of Personally Identifiable Information (PII). The internet has made it relatively easy for businesses to collect PII for leads and customers or just anyone who happens to browse their website. In response, regulators have been working to ensure that PII is being handled responsibly, while also empowering consumers with some controls for how their information is used.
The European Union’s General Data Protection Regulation (GDPR) is the most prominent example. Even if you are not conducting business in the EU, your business must be compliant with the GDPR if you’re collecting any information, even accidentally, about any consumer in the EU.
In the United States, things are a bit more fragmented. Congress has yet to seriously consider any kind of national privacy policy, so individual states have been implementing their own regulations. This patchwork of privacy laws will make compliance extremely burdensome for anyone who collects PII in more than one state (which, if you have a website, is probably you).
The most prominent of these state privacy frameworks is the California Consumer Privacy Act (CCPA). Does the CCPA apply to your business? Even if you are not physically located in California, the CCPA applies to your business if it does business in the state and meets one or more of these criteria:
- has annual gross revenues over twenty-five million dollars ($25,000,000);
- possesses the personal information of 50,000 or more consumers, households, or devices;
- or earns more than half of its annual revenue from selling consumers’ personal information.
Requirements for compliance include:
- Access Information: Californian consumers will get to know the specific “who, what, & why” of their data collection.
- Deletion of Information: Californians can request that a company delete data collected about them.
- Opt-Out: Californians can refuse to let a company sell their personal information to third parties.
Other states are considering similar privacy regulations, but the CCPA is by far the most stringent. Because of California’s considerable population, it has also become a de facto privacy framework for most US businesses.
If you’re concerned about CCPA (or even the GDPR), get in touch with us and we’ll help you complete an audit with some recommendations to help keep you compliant.