CCPA Laws: How to Know if They Affect Your Business
This article was published in the Fall 2020 issue
by Glen Horsley, Co-Founder & CEO, RIVN
Laws and regulations can completely change the way you do business, and knowing if they pertain to you is the first step. The California Consumer Protection Act (CCPA), which passed in 2018, went into effect on January 1, 2020. The law is one of the latest in a string of new privacy regulations that are sweeping the globe.
The CCPA will not apply to all businesses. It will apply to your business if one of the following is true:
- Gross annual revenue is greater than $25 million
- Buys, sells, or receives personal information of 50,000 or more consumers, devices, or households.
- Fifty percent or more of your business’s revenue comes from selling consumers’ personal data
It's worth noting that businesses that have personal data of more than 4 million consumers will have additional obligations to adhere to.
Business obligations under the CCPA
There are many new obligations businesses will be required to comply with. Companies will face penalties and fines if they are not compliant.
- The CCPA requires the business to provide a notice to consumers before or at the time of data collection.
- Businesses will be required to create procedures to respond to all right to opt-out, know, and delete requests they receive.
- Companies will have to provide a “Do Not Sell My Info” link on their website or mobile app. This gives consumers easy access to their right to opt out.
- A business will have to respond to all requests from consumers who request a right to know, delete, or opt out. They will also have to comply with a specific timeline to complete each task.
- The CCPA requires businesses to treat user-enabled opt-out settings the same as a valid opt-out request.
- Companies will have to verify the identity of every consumer who submits a request to know or to delete.
Personally identifiable information and IP Address
For this article, we wanted to focus on the evolution of what is considered Personally Identifiable Information (PII), and in particular to highlight that under the CCPA even data such as an IP address is considered PII.
Below is a quick list of data points considered PII under CCPA:
- Real Name
- Postal Address
- Unique Personal Identifier
- Online Identifier Internet Protocol Address (IP Address)
- Email address
- Account name
- Social Security Number
- Driver’s License Number
- Passport Number
An IP address is a unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network. Most people do not realize that many organizations use IP addresses for marketing and geo-targeting. So while companies are starting to feel comfortable with their ability to let customers access or request their data based on an identifier such as an email address, companies that fall under the CCPA and similar laws also need to be ready to handle data that was traditionally considered anonymous, such as IP addresses.
It will be critical for companies to define exactly what data they are collecting on their visitors. More importantly, they must have a process in place to manage that data. A huge part of data management is deletion: users want to feel secure, and that is where a company like RIVN comes into play.
RIVN has a unique approach to helping companies find and delete all customer data. This includes PII, such as IP addresses and device IDs. As a result, RIVN is in a position to help companies with their compliance efforts, reducing the risk of CCPA fines and lawsuits.