With great data, comes great responsibility…
Since Purple’s beginning in 2012, data security has been at the forefront of our business and we’ve always gone a step further by providing guests the moment they log in with an easy to read and digestible terms of business and privacy policy which enables guests to manage their marketing preferences, quickly and stress-free.
That why we’ve made it our responsibility to ensure not only that Purple is compliant with the new regulations, but all of our customers are aware of what the changes are and how it could potentially affect them.
New Privacy Laws in California
The state of California has announced a new set of privacy laws, the California Consumers Protection Act 2018 (CCPA) that will be effective from January 2020 and will be enforceable six months after the adoption of the Attorney-General’s Regulations or 1st July 2020 (whichever is sooner). The CCPA will not replace any existing data privacy laws in California, so organizations will still need to comply with existing laws such as the California Online Privacy Protection Act (CalOPPA), Shine the Light and Privacy Rights for California Minors in the Digital World.
Once the new law becomes effective it will apply to any company ‘doing business in California’ that:
- Has annual gross revenue in excess of $25m;
- Buys, receives, sells or shares the personal information of 50,000 or more Californian residents, households or devices per year; or
- Derives more than 50% of annual revenue from selling California consumers’ personal information.
For the purposes of the CCPA, personal information is defined as “…information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. This definition is almost identical to that under the GDPR. The CCPA goes further than the GDPR and lists examples of data types that will fall within the scope of the new law, these include:
- Identifiers: including unique personal identifiers (which includes cookies, beacons, pixel tags, mobile ad IDs, unique pseudonyms, probabilistic identifiers, a telephone number); online identifiers; IP addresses; account names;
- Internet or other electronic network activity information: such as browsing history; search history; clickstream data; a consumer’s interaction with an online ad;
- Geolocation data.
- Inferences drawn from any of the information to create a profile about a consumer: including their preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Under the CCPA, consumers have the right to know if a company ‘sells’ their personal data and if so, then they have “… the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.”
The term ‘sell’ includes transferring personal data to a third party for “monetary or other valuable consideration” and includes renting. disclosing, disseminating, making available, transferring or otherwise communicating. There are a number of exemptions that may also apply.
Therefore, companies falling within the remit of the CCPA will need to ensure that they communicate certain information to consumers via their privacy policy. This information includes:
- The type of personal information you collect and process;
- The reasons for collecting and processing personal information and how it is collected;
- An explanation of how consumers can exercise their rights of access, change or erasure of personal information (businesses must have a toll free number and web address);
- How you will verify the identification of a consumer when they exercise their rights;
- Details on whether or not you sell personal data and the method(s) available for consumers to opt-out of the sale of their data;
In addition, you will need to update your website to include a “Do Not Sell My Personal Information” link on your home page so that consumers can inform you that they do not wish their personal data to be sold. This link should be referenced from all privacy notices, web pages or application platforms when collecting personal data.
The CCPA also covers minors (13 to 16-year-olds) and requires companies to obtain consent from them before selling their personal information. If the child is younger than 13 then the consent of their parents or guardians will be required. Selling the data of minors without their consent will a breach of their privacy rights and may result in fines. It is, therefore, essential to retain details of the consent obtained from minors or their parents/guardians.
Failure to comply with the CCPA can result in massive fines of $7,500 per violation, i.e., if a company violates the rights of 1,000 users, it may receive a fine of $7.5m.
Find this blog useful? Why not check out our other relevant blogs regarding data security.