The California Consumer Privacy Act (CCPA) is a new data privacy law which applies to certain businesses that collect personal information from California residents. The new law went into effect on January 1, 2020.

Under the CCPA, Californians can demand to know who has their information, what they are doing with it, specifically what kind of information they have, why they want it, and with whom they are sharing it. Organizations doing business in California will be obligated to provide this information promptly and completely. A more detailed overview of the CCPA is available here.

This doesn’t apply to most small businesses, but it doesn’t hurt to comply as this law is constantly evolving and the Attorney General will continue to put out Amendments to the bill.

CCPA applies to any company with at least one of the following:

• Has annual gross revenues in excess of $25 million
• Possesses the personal information (PI) of 50,000 or more consumers, households, or devices; or (Google Analytics, Server access logs, ..)
• Makes 50%+ of income selling customer data

While the qualifications to be affected by this bill might exclude many small businesses, it doesn’t mean you shouldn’t prepare. Basically you need to a privacy policy stating how PI is being used