Back in 2018, we wrote a blog post covering GDPR and SmarterTools. It gives an overview of GDPR and its implications, and how the guidelines apply to SmarterTools and our products. On January 1st, the California Consumer Privacy Act (CCPA) went into effect. Like GDPR and its protection of consumer data for residents of the EU, CCPA broadly concerns the protection of California consumers and their personal information and will extend to California businesses in 2021. Below is a brief synopsis of our understanding of CCPA and its potential impact on our customers.
Who is Subject to CCPA?
A company that does business with consumers in California is subject to the CCPA if:
- That company is “for profit”.
- It does business with consumers within the state of California, even if it does not have an actual physical presence in California.
- It collects consumers’ personal information, or
- It determines the purposes and means of processing consumers’ personal information.
Taking this into consideration, many companies may appear to be subject to CCPA, as the above criteria are relatively broad. However, that’s just part of it. In addition to the above, CCPA only applies to businesses that:
- Have an annual gross revenue in excess of $25 million.
- Annually buy, receive for commercial purposes, sell, or share for commercial purposes personal information of 50,000 or more (California) consumers, households, or devices; or
- Derive 50% or more of their annual revenue from selling (California) consumers’ personal information.
These additional criteria may remove a business from being subject to CCPA as they are a bit more specific and have hard limits applied to them.
Our Evaluation of CCPA
Any time a new compliance or regulatory policy is released, we like to understand it and to know whether or not our customers could be affected or impacted in any way. With that in mind, it's important to note that the CCPA does have a section that pertains to service providers. In particular, Section 999.314 is explicitly titled “Service Providers” and lays out the definition of, and limitations/requirements for, service providers within the CCPA. In addition, what constitutes “personal information” is fairly broad. According to the definition within the Act, it means “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes email addresses, IP addresses, online identifiers and more.
Regarding what companies that fall under CCPA need to do, the requirements are similar to GDPR. Consumers have the ability to:
- Know the categories of personal information that's collected about them by a business.
- Know the purpose(s) for which the information will be used.
- Know the categories of personal information that were actually collected in the preceding 12 months and sold or disclosed to third parties for business purposes.
- Be forgotten, which essentially means they have the right to ask a business to delete any and all categories of personal information collected about them.
- Opt out of the sale of personal information to third parties.
Regarding the right to be forgotten, our products give administrators the ability to dispose of accounts and account data quickly and easily. It’s up to the company to determine how best to accomplish this, but the ability to remove data is included in all our products. That way, if you are a business that needs to abide by the CCPA, SmarterTools has you covered.
Where to Learn More
There are several good references online for some easy-to-understand guidelines to CCPA. That said, none of them are a replacement for your complete understanding of CCPA and its effects, its repercussions and what you need to do to fully comply, if needed. This blog post is a simple synopsis and should not be used as a basis for how you proceed with your CCPA compliance.
- CCPA Website
- California Legislature website for CCPA
- CCPA Fact Sheet (PDF)
- A helpful, and informative, checklist from Morgan Lewis law
We hope you find this brief synopsis of the CCPA helpful, and a step towards understanding the basics. Please use the references above to gain more information and, as always, contact an attorney or CCPA expert to help ensure your business is compliant, if necessary. We will continue to monitor the progress of the CCPA, of GDPR and any other compliance or regulatory policies, and provide more information as it becomes available.