CCPA is the California Consumer Privacy Act, and it takes effect January 1, 2020. For lack of a better analogy, the CCPA is the GDPR for California: it affects businesses that collect personal information from California residents, wherever the business itself is located. However,
it ONLY applies to for-profit businesses that meet at least one of these thresholds:
- Have annual gross revenues in excess of US$25 million; or
- Receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or
- Derive 50 percent or more of their annual revenues from selling California residents’ personal information.
Unless your business has changed significantly in the past few months and I'm not aware of it, the CCPA likely doesn't apply to you yet. There is reason to believe, though, that these thresholds may be lowered over time, pulling more (and smaller) businesses into scope. So it is best to keep an eye on this.
COPPA is the US federal Children's Online Privacy Protection Act. This law has been around for about two decades and controls what personal information you may collect and store from any child who is under 13 years of age. It has recently been in the news because of the FTC settlement with Google/YouTube, which is changing the way YouTube videos are managed; the lesson to remember is that IF your site, for any reason, has a realistic chance of collecting data from children under 13 (even if that is not the 'intention' of the site), you need a mechanism in place that prevents the storage of that data unless you have verifiable parental consent.
Because ANY web site has this ability, we now recommend that all web sites add an age or birth date question to their registration forms and to any other form on the site that collects personal data, and that a submission failing the age check is rejected before anything from it is written to a database or log (storing the rejected child's birth date would itself be collecting a child's data).
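The age gate recommended above, as an added example that is not code from the original post. It is a plain Python function a registration handler could call before persisting anything; the field names (`birth_date`, `email`, `display_name`) and the `parental_consent_verified` flag are assumptions for illustration, and how you actually verify parental consent is outside this snippet. Two details matter in practice: the age must be computed from the full date (not just the year) and must handle people born on February 29, and a rejected submission must return no record at all, so nothing from a child's form lands in your database or logs. The accepted record keeps only the outcome of the check rather than the birth date itself, which is a data-minimization choice made here, not a requirement quoted from the post.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Age threshold named in the post (COPPA covers children under 13).
COPPA_MIN_AGE = 13


def age_on(birth_date: date, today: date) -> int:
    """Whole years between birth_date and today.

    Comparing (month, day) tuples handles a Feb 29 birth date: in a
    non-leap year (2, 29) is 'after' (2, 28) and 'before' (3, 1), so the
    birthday is treated as Mar 1, which is the usual convention.
    """
    years = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        years -= 1  # this year's birthday has not happened yet
    return years


@dataclass
class RegistrationDecision:
    accepted: bool
    reason: str
    # The only thing the caller is allowed to persist. None on rejection,
    # so a rejected child's form fields never reach storage or logs.
    stored_record: Optional[dict]


def register(form: dict, today: date,
             parental_consent_verified: bool = False) -> RegistrationDecision:
    """Age-gate a registration form (field names are assumed for the example).

    form: submitted fields, e.g. {"email": ..., "display_name": ...,
          "birth_date": "YYYY-MM-DD"}
    today: passed in rather than read from the clock so the check is
           deterministic and testable.
    parental_consent_verified: whatever your consent process concluded;
           obtaining that consent is outside this function.
    """
    try:
        dob = date.fromisoformat(form["birth_date"])
    except (KeyError, ValueError):
        return RegistrationDecision(False, "birth_date missing or not YYYY-MM-DD", None)
    if dob > today:
        return RegistrationDecision(False, "birth_date is in the future", None)

    age = age_on(dob, today)
    if age < COPPA_MIN_AGE and not parental_consent_verified:
        # Reject WITHOUT echoing any form data back in the reason string:
        # the reason is the kind of thing that ends up in an access log.
        return RegistrationDecision(False, "under 13 without parental consent", None)

    # Persist only the fields the account needs plus the gate outcome.
    # The birth date itself is deliberately not stored.
    record = {k: v for k, v in form.items() if k in ("email", "display_name")}
    record["age_gate"] = {
        "over_13": age >= COPPA_MIN_AGE,
        "parental_consent": parental_consent_verified,
        "checked_on": today.isoformat(),
    }
    return RegistrationDecision(True, "ok", record)


if __name__ == "__main__":
    # Constructed sample submissions, evaluated against a fixed date.
    when = date(2020, 1, 1)
    child = {"email": "kid@example.com", "display_name": "kid", "birth_date": "2010-06-01"}
    adult = {"email": "adult@example.com", "display_name": "adult", "birth_date": "1990-06-01"}
    print(register(child, when))
    print(register(child, when, parental_consent_verified=True))
    print(register(adult, when))
```

Wire `register` in front of whatever code writes the account to the database, and make sure the web framework's request logging does not capture the raw form body for rejected submissions; the function can only protect what it is asked to store.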
Although it's not new, and hasn't officially been revised, it makes sense to include the GDPR here. The GDPR is the General Data Protection Regulation, which became enforceable in May 2018 and applies to US companies as much as to European ones. It is aimed at protecting people in the EU, and it reaches ANY company or organization that has EU customers, partners or vendors. The size of your company doesn't matter. If you do business with anyone in the EU, your web site needs to be GDPR compliant.
Even though you may not 'intentionally' do business with clients in the EU, we are now recommending that all web sites make the effort to become GDPR compliant (or as close to compliant as possible). This minimizes any potential legal challenge, but it also pays off because several of the GDPR guidelines (which overlap with the CCPA rules) are simply good for business.
The path ahead
As we start into 2020 we will be encouraging all web site owners to begin upgrading the various aspects of their web sites to make them GDPR/CCPA/COPPA compliant. We will focus on one or two steps each month, with the goal of having your web site as close to compliant with all three as possible well before the end of 2020. Doing this will not only help protect you from potential legal issues, it will also improve your relationship with your web site visitors.
Watch for individual recommendations and 'to-do' items as we move into 2020.
If you have any questions about how any of these apply to your web site, or want to move quicker toward compliance, please drop me a note or give me a call.