California Consumer Privacy Act (CCPA)

November 20, 2019


On January 1st 2020, if your site has Califorinia residents as members or you are looking to do business with them, you must be ready for the new consumer protection law which will be inroduced at the start of the year. The link to the actual Bill is here

This new consumer data protection law has far-reaching consequences for online businesses and are designed to protect the interests and data of Californian citizens

The State Legislator is especially targetting data vendors of a reasonable size and so, if your business meets just one of the three minimum requirements you will have to comply accordingly:

  • have an annual gross revenue exceeding $25 million,
  • derive 50% or more of your annual revenues from selling consumers' personal information,
  • buy, receive, sell, or share the personal information of 50,000 or more California residents, households or devices a year

However, this means that if you have a small business that makes under $25 million a year, and if less than half of your business income relies on selling personal information to third parties, and if your business does not sell more than fifty-thousand Californians' personal information, the CCPA does not apply to you.

Even though MemberGate does not meet any of those attributes, we still reviewed and updated our Cookie Notice and Data Policies to avoid confusion - you can review this on our Privacy Policy page

We use our Cookie Consent pop up - powered by MemberGate Cookie Notice - to inform California residents and "activists" that we do not fall under the purview of the CCPA
(This is important as the CCPA allows third party agencies and "activists" to act on behalf of consumers - which could lead to unecessary emails, calls and administration)

California Consumer Privacy Act (CCPA)

MemberGate does not have revenues exceeding $25 million per annum
Nor are we part of a larger firm or any other co-brand organisation for aggregate revenue

MemberGate is not a Data Vendor - we do not sell data
It's not our business at all and therefore not 50%of our revenues
We do not buy, recieve, sell or share any personal data
Our software collects data to allow us more insight on the operation and function of the business and services we provide

As a supplier, we provide support to our clients on a Software As A Service basis which requires a functional and contractual permission to access the MemberGate powered site to offer support either by guidance or code a fix as required

We already operate to high standards of data security as would be expected given the nature of our business, but wherever possible we raise the bar for the memberGate platform so that subscribers on any site can expect the highest standards of data protection - for example, updating all sites to use Password Reset instead of the outmoded SendPass routine, forcing strong passwords on all users and deploying HTTPS on all pages

MemberGate has a long history of securing our clients and their member data, not only with the software we provide but also how the team respects and treats data
And we will continue to use best practice: "CCPA is an opportunity to reduce the risk of being the victim of a data scandal caused by poor privacy practices"

In the next month, ALL sites should consider if they will be accountable to the new CCPA laws and if so, complete a Data Audit, update their Privacy Policy and inform their members and site visitors accordingly

If your business does meet ONE of the three attributes, then you should get your own legal advice to be CCPA compliant, and in any event update your privacy policy to include:

  • A description of the rights to (request disclosure, deletion) and how to exercise these right.
  • List of categories of personal information that the business collects, sells and discloses. This list must be updated every 12 months.
  • Maintain a toll-free phone number listed on your portal page and webpage for exercising this right.

Your business must ensure the following rights:

(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.

As yet it's unclear how a business will be expected to prove it does not meet the minimum requirements to fall under the purview of the CCPA and who will police that aspect 

Next Steps:

  1. MemberGate Cookie Notice
  2. Cookie List