When it comes to data and analytics, many businesses in the U.S. have had their eyes on the California Consumer Privacy Act (CCPA). Those of us in the world of nonprofit fundraising are also keeping watch on the latest developments, including six new amendments that were just approved on Oct. 11.
Read on to learn more about the CCPA and the new changes to this important law.
WHAT’S THE BIG DEAL ABOUT THE CCPA?
In recent years, major data privacy laws have gone into effect in Canada and Europe. Much like those laws, the CCPA’s goal is to inform users at the point of data collection about what is being collected and why it is necessary in the marketplace.
Unlike the Canadian Anti-Spam Legislation (CASL) and the EU General Data Protection Regulation (GDPR), the CCPA is merely a state law. It only applies to California – however, its effects will be felt by many outside the Golden State.
The CCPA is also significantly different in how it is applied and how organizations need to prepare for it.
WHAT’S IN THE LAW?
It is important to note that the CCPA does not ban or prohibit the collection, use or sale of consumer data, given the proper notice controls. Consumer data can still be used for marketing purposes.
The law requires organizations to inform people about how their data is used and to provide consumers a way to “opt out” of data collection. CASL and GDPR go one step further by requiring consumers to “opt in” to data collection of any kind, including email addresses.
Nevertheless, the CCPA accomplishes three major goals, according to Californians for Consumer Privacy:
- It gives Californians ownership of their personal information
- It gives Californians control over what information is collected
- It gives Californians security by holding businesses responsible for data breaches
WHAT DID THE AMENDMENTS CHANGE?
Since the CCPA’s inception, many organizations have expressed concern over some of the vague language in the law. California Gov. Gavin Newsom signed six amendments to clarify some of the provisions, especially in terms of defining what types of personal data can be collected.
Thanks to the amendments, the law no longer covers personal data collected from non-consumers like job applicants, employees, contractors, etc., until at least 2021. It also creates a one-year exemption for some forms of B2B communication, and it removes information collected for vehicle warranties or recalls from enforcement.
Some businesses who only operate online also complained about the requirement of a toll-free number for consumers to call for questions about their data privacy. AB-1564 now offers those businesses a second option of providing an email address.
WHO DOES THE CCPA APPLY TO?
The main targets of this law are large tech corporations based in California, like Facebook, Apple and Google. And California state attorney general Xavier Becerra recently offered guidelines for how organizations must follow the law, which could cost companies up to $55 billion in compliance costs.
First and foremost, for-profit businesses that collect any data of California residents should pay attention. For the CCPA to apply, the business must meet only one of the following three thresholds:
- Their annual gross revenue exceeds $25 million.
- They buy, receive, sell or share the personal data of at least 50,000 California residents each year.
- They get 50% or more of their annual revenue from selling the data of California residents.
This means nonprofits are technically exempt from the CCPA, but that doesn’t mean your organization can simply ignore this law. Stay tuned for more information on that front.
Note: The above content is informative in nature and is not intended as legal advice. As a company that provides professional fundraising consulting services, we retain counsel to ensure compliance with fundraising laws in each applicable state. Questions related to the California Consumer Privacy Act of 2019 (CCPA) for U.S.-based nonprofits should be directed to counsel that is competent to address such matters.