Stock photo.

With the New Year came new regulations on the sale and collection of personal data in California. But what has been dubbed the California Consumer Privacy Act has marketers and website managers for companies both small and large scrambling to understand the steps to compliance and what qualifies as personal data.

The CCPA went into effect Jan. 1. Passed in 2018, AB 375 was the first law of its kind in the U.S. that outlines what rights California residents have regarding their personal information online. Businesses receiving, selling or buying personal data now have to take steps to make sure consumers can know what data are being collected and give people the chance to delete existing information and stop businesses from collecting more.

When asked about the CCPA, three separate local businesses had no idea what the law was about. Once explained, one music store worker said they were too small for the law to affect them. Another health care insurance broker said they meet enough other regulations that they should be fine.

“They’re lucky enforcement doesn’t start until July,” said Shel Moore, co-owner of Fresno-based Moore than SEO. As an online marketer and website manager, she has been vigilant in finding out if her clients might be liable and finding any steps they need to reach compliance.

Three thresholds determine whether or not a business has to comply with the law. A business needs to meet only one: If your business has gross annual revenue exceeding $25 million; you buy, receive or sell personal information of 50,000 or more people; or 50% or more revenue is made from selling consumer information. If any are the case, then your website had to meet CCPA rules by Jan. 1. The California Attorney General’s office said it would begin enforcing the law July 1.

The CCPA also outlines four online rights for consumers. Consumers have the right to know what information is being collected or sold, the right to delete personal information, the right to opt-out of their information being sold and the right to receive the same service and pricing if they choose to opt out or delete information.

Those operating websites may be surprised who needs to comply.

“Say you’re tracking IP addresses on your website, if you’re collecting addresses from say 137 visitors a day, then that’s really quickly going to add up to that threshold,” Moore said.

Moore has one client who operates out-of-state that has an email list of 84,000 people. Moore had to go through that list to see how many of those are California residents.

Personal data can be defined as names, aliases, addresses, email addresses and more.

“If they’re not in the know, they need to get research that quickly as the grace period for lack of knowledge, if you will, ends in June,” said Norel Mancuso, CEO of Social House, Inc, a Los Angeles media consulting firm.

Fines for intentional violations can be $7,500, and $2,500 for unintentional violations. Businesses who do not comply may also be subject to individual lawsuits and possibly even class-action lawsuits.

“We live in California. Getting sued in California or the United States isn’t uncommon,” Mancuso said.

There are three steps to compliance, she said. The first: update your privacy policy to tell visitors what’s being collected. The second: provide a link or a pop-up banner that can take people where they need to opt-out. The final step is to give website users a chance to decline the placement of cookies on their computers as they browse the site.

The last one is especially important when you are talking about minors using the Internet.

Moore says that for businesses with questions, they should reach out to legal experts or consultants.

What businesses are still waiting on, however, is guidance from the attorney general, said Rachel Michelin, president and CEO of the California Retailers Association in Sacramento.

“If you look at different websites, everyone’s doing it differently because everyone’s interpreting the law differently. We don’t have any clarification from the attorney general,” Michelin said.

A message for the Attorney General’s office was not returned.

The California Retailers Association has received calls, namely from smaller retailers, asking about compliance with the law.

“Some of them are just rolling the dice and hoping that they’ll get some leniency because they’re a small retailer or a small business and they don’t have that clarity,” Michelin said.

At the same time, the CCPA’s biggest proponent, Bay Area real estate developer Alastair MacTaggart, is already working on a new initiative to broaden the act in a 2020 ballot proposition called the California Privacy Rights Act of 2020.

“We’re trying to wait for these regs while at the same time dealing with this new initiative that could be on the ballot,” Michelin said.

One of the questions Moore has is if companies are liable when they use ad servers or analytics from tech giants such as Google or Facebook. Even for businesses below the three thresholds, Moore is not sure if small retailers or even bloggers who use Google ads are subject to compliance.

A statement from Facebook regarding the CCPA and businesses that use social media advertising reads “we encourage advertisers and publishers that use our services to reach their own decisions on how to best comply with the law.”

Moore says a quick setting change in Google ads should help make you compliant, but it may make advertising less effective.

“We’re going to have to get less personal with our targeting,” Moore said. “As a consumer, I feel it’s long overdue.”