Navigating the GDPR and California Consumer Privacy Act

As we near the first anniversary of the European Union’s General Data Protection Regulation (GDPR), we would like to take the time to discuss the GDPR and why it is important for U.S. based businesses to be GDPR compliant, as well as the newly passed California Consumer Privacy Act.

While the GDPR originated in the European Union (EU), that does not mean that American companies are automatically exempted. You may be affected if your company’s website or social media presence has an international customer base.

The GDPR explicitly states that the regulation will apply to any company, business or organization that is not located anywhere within the EU but processes information from citizens of the EU (such as offering goods or services to EU citizens or monitoring the behavior of EU citizens).

If your US-based business has international customers or obtains information from EU citizens, it is advised that you take steps to ensure your online forms are GDPR compliant so you can avoid fines.

Becoming GDPR compliant includes obtaining consent from any users who fill out a form on your website, and detailing exactly how you will be utilizing any data they provide. A privacy policy, as well as terms and conditions, must be clearly displayed and easily accessible.

Following along in the footsteps of the GDPR, California is now the first state in the U.S. that is working towards protecting the privacy of Americans by signing into law the California Consumer Privacy Act (CCPA) in June 2018. The CCPA will go into effect on January 1, 2020.

The CCPA gives “consumers” (defined as natural persons who are California residents) four rights that allow them to exert more control over their personal information:

  • The right to know what personal information a business is collecting about them, where it is sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold. All of these disclosures should occur within a privacy policy or upon request by the consumer.
  • The right to “opt out” of allowing a business to sell their personal information to third parties. Consumers who are under 16 years old must opt-in in order to allow their personal information to be sold, and businesses must obtain the consent of a parent or guardian for children under the age of 13.
  • The right to request that a business delete their personal information, with some exceptions. The businesses must let the consumers know that they have this right.
  • The right to receive equal service and pricing from a business, regardless of whether or not they exercise their privacy rights under the Act.

If your business is not located in California but makes sales in the state, it may be likely that your website will also have to be in compliance with the CCPA. If your business meets at least one of the following criteria, then the CCPA applies to you:

  • The business must generate annual gross revenue in excess of $25 million,
  • The business must receive or share personal information of more than 50,000 California residents annually, or
  • The business must derive at least 50 percent of its annual revenue by selling the personal information of California residents.

Nonprofit businesses, as well as companies that don’t meet any of the three above thresholds, are not required to comply with the CCPA, but should start seriously considering making their website compliant.

If you want to make your website GDPR and/or CCPA complaint, contact us today and we can help get you started.