Notice: This material does not constitute legal, tax, professional or financial advice and BigCommerce disclaims any liability with respect to this material. Please consult your attorney or professional advisor on specific legal, professional or financial matters.
In this guide, we’ll discuss what the CCPA is, who it applies to, and what “being CCPA-compliant” generally entails according to the text of the law. In the last chapter, we’ll go over some of the actions you may have to take in response to CCPA rights requests. We’ll also go over how you can use your BigCommerce control panel tools and settings to facilitate those requests, keep shoppers proactively informed regarding the data you collect about them, and provide a means for them to opt out of some or all categories of data collection.
Under the CCPA, you may need to update your privacy policy, create a new opt-out web page, and add a link to it from your homepage. We’ll cover how to do all of these things in BigCommerce.
This guide is general information, so you’ll likely want to use an outside service or consultant to determine your business’s specific liability. Since the third-party services, apps, and information sharing practices of each store vary, there is no one-size-fits-all approach to ensuring CCPA compliance.
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a recently passed law in the state of California which details the rights that California consumers have in relation to how their personal information is collected, used, and shared when visiting a website.
California is the first US state to pass this type of data privacy legislation. The bill was signed into law in June 2018 and is planned to go into effect on January 1, 2020.
While similar in spirit to aspects of the European Union’s General Data Protection Regulation (GDPR), there are key differences that make CCPA unique, so being GDPR-compliant is not equal to being CCPA-compliant. We’ll compare the two in more detail later in this guide.
Who does the CCPA apply to?
The CCPA applies to any for-profit entity that does business in California, collects personal information about California consumers, determines the “purpose and means of processing” of that personal information, and meets one or more of the following criteria:
- exceeds $25 million in gross annual revenue,
- buys, receives, collects, processes, sells, or shares the personal information of at least 50,000 California consumers, households or devices per year, or
- derives at least 50 percent of its annual revenue from selling California consumers’ personal information.
While most online businesses will probably qualify under the law’s top-level criteria because they are for-profit, do business with California, and collect personal information (in the form of shopper and order data), some smaller businesses may not qualify because:
- their annual revenue is too low (less than $25 million / year),
- they collect information on fewer than 50,000 California consumers annually, and
- they derive less than 50% of their annual revenue from the sale of consumers’ personal information.
If all 3 of the above are true, then your business may not technically be subject to the CCPA, but you should confirm with your own legal advisor and relevant local authorities.
If your estimated revenue or California consumer base is trending toward the stated minimums, it would be in your best interest to implement compliance changes sooner rather than later so you are not left unprepared in the event your forecasting is wrong. The requirements are significant and will take time to plan and implement.