California’s new Consumer Privacy law (CCPA) which gives California Residents new rights in the information you collect when the consumer visits your website

Are you getting a ton of emails stating that the terms of service for a site you have been using are changing? Are you wondering why? California’s new Consumer Privacy law (CCPA), which gives California residents new rights in the information you collect when the consumer visits your website, became effective January 1, 2020. Everyone who has a website is changing their terms of service to respond to the CCPA, thus the constant emails.

The EU has had a similar law in place for years (the EU’s General Data Protection Regulation (GDPR)). However, the California law is much stricter. Reliance on an EU parent company to comply with the California law will not work.

The CCPA is the reason why you are constantly seeing the acknowledgment or warning that a site uses cookies. Every time you visit that site, even my own, that cookie warning will appear. Because no other information is tracked, the cookie warning appears every time.

The Rundown on the California Consumer Privacy Act

First, this should not be your only review of the law. The law is vast and has dozens of sections that will require interpretation by the courts.

Second, even the California Attorney General has not decided how to prosecute the law. As the California Attorney General issues opinions about the law, the interpretations and your responses will change.

Third, those numerous sections that will require court interpretation will take years to decide. This is going to be an ongoing education and reaction issue to be aware of.

Here are things you will need to add to your website and terms of service or privacy notice because of the new law. If you do not have terms of service or privacy page, you need to get one ASAP!

Who does the law apply to?

The law states that it only applies to businesses that do business with California consumers. However, since any business can sell in California, or better, any resident of California can buy anything from anyone on the Internet from wherever they are located, the law effectively applies to everyone, worldwide.

The law also applies to businesses that share common branding with businesses dealing with California consumers. Meaning, if you are an importer of a product from Germany, the German manufacturer’s worldwide sales of the product apply and would subject you and your manufacturer to the law. Your website may be up to date with the CCPA; however, if your foreign manufacturer’s site is not current and a California consumer buys something from that site, you and your foreign manufacturer will be liable, even if the product is shipped from your warehouse in the US.

You must give consumers:

  1. An option to opt out of the sale of any data you collect from a California Consumer on your site.
    1. Either you give the consumer the right to prevent their data from being sold, or you cannot collect any data about a consumer who comes to your site.
    2. Any data means you cannot collect any information or place cookies on their computer to find out if the consumers are coming back.
    3. Alternatively, agree in writing that you will never sell any data you collect.
  2. A consumer has the right to have their data deleted.
    1. Again, that means any information, electronic or their name and email address.
    2. This applies even if you do not sell any data.
    3. You will need to work with your programmers to make sure you have a way of doing that.
  3. Consumers have the right to see what data you have collected from them.
    1. You need to place in your terms of service a complete list of everything you collect from the consumer when the consumer visits your website.
    2. The consumer must be able to see the sources of that data, the types of third parties their data is shared with, and how it’s been categorized.

Data is defined as:

Postal address

Online identifier or any unique identifier

IP address

Email address

Account name

Driver’s license info

Data is any information that can be tied back to a specific person

Any information of protected classifications under California or Federal Law. That means race, age, religion, sexual orientation, sex, etc.

Purchasing history

Biometric data

Inferences made about your personality

Inferences made about your psychological trends

“Olfactory” data

Browsing history

Records of a visitor’s interactions with a website

Biometric info

Geolocation data

Professional or employment information

Education information

Information on any purchase(s)

Commercial information

Personal property, products or services purchased, obtained or considered

Other purchasing or consuming histories or tendencies

Any inferences from the information identified or drawn from any information collected

Consumer’s Preferences

Psychological Trends

Basically, ANYTHING YOU COLLECT when a consumer visits your website is data that must be disclosed to the consumer, including whether the consumer has visited your website before. You have to tell the consumer you are collecting the information.

And you have to give the consumer the right to see the information you are collecting. This applies not only to any information that has been collected in the past but also to anything collected going forward. So you still have to comply with the law for information you collected from a consumer one year ago, even though you collected the information when the law was not in effect. So, any info collected from 1/1/2019 must be available, and you must provide a notice of what was collected then also.

Consequently, you have terms that identify two sets of data: information collected before 1/1/2020 and information collected after 1/1/2020.

Any changes in what information you are collecting must be noticed in your terms of service so the consumer knows what was collected about him or her based on when the consumer visited your website. To be on the safe side, if you changed the way you collected data because of the law, meaning after 1/1/2020, I would notice that also. Better to be on the safe side than in trouble.

The law requires a footer (on each page of your website) that allows a consumer to opt out of the collection of any data. The footer must be clearly visible. (What that means will be decided in a lawsuit sometime, so don’t hide it.)

What can I do if a Consumer wants his information deleted?

Delete the information. The law is not clear on whether you can maintain a list of names of the consumers whose data you have deleted. So maintain that list to protect yourself, knowing that the list alone could cause problems.

Nor does a mass deletion of the data seem to work. The law states you have to delete the data on a per-consumer basis on request. So if you want to delete all consumer information, you must do so in a way that tracks the deletion by person, not as a mass cleaning of data.

Breach of Data Collected on Your Website

The law assigns penalties for any breach, theft or inadvertent disclosure of consumers’ data. On top of any PR costs and costs in claims, California is now going to pile on statutory fines if you lose consumer information through a breach.

One way of protecting yourself is to hire third parties to handle your sales or financial information. Those third parties are in the business of protecting consumer data; you are in the business of making skis or backpacks. It might cost you a few more dollars per transaction; however, the risk might be worth it.

“Buy” the Data from Consumers

You can provide incentives for consumers to provide data and to allow you to keep it. Whether you must provide an incentive each time a consumer comes to your website or just once is not clear, but for now assume that the incentive provided is valid unless the information you are collecting changes. Then assume you must provide a new incentive. Meaning, the consumer gives you their info, and you’ll take $10 off your shipping. Even if the consumer does not purchase anything on your website, the consumer still received the incentive. You must be able to match up the incentive to the person whose info you are keeping. The incentive may be the ability to join your mailing list; however, that is not clear yet.

How the Data You Collect is stored.

The next issue is how the info is kept. Normally, this data is not associated with a person. Meaning the data is kept in a way that makes it hard to say this came from Bob in CA. So, you may have to work with your IT department or website designer to figure out a way to make sure no data escapes because it is not associated with the right person.

A parent can find out about information collected about their child. You may want to identify consumers who come to your website by their age.

Anyplace where a person is volunteering information, posting a photo or video, commenting, etc., will need a bigger disclaimer/permission notice. Any time a photo or video is posted, there is a ton of information attached to the photograph or video that is uploaded with it. This information includes the date and time of the photograph or video, where it was taken, etc. You will need to work with your IT department to identify what information comes with any photo or video uploaded to your site and place that information in the disclaimer.

What can you do with the data you do collect?

Although you have the permission to collect the data, that does not mean you can do anything with the data. The statute states you can only use the data in the way you told the consumer you were going to use the data. That means, you must have another section of your terms or privacy policy that states exactly what you are going to do with the data you collect.

… a business shall not “use personal information collected for additional purposes without providing the consumer with notice consistent with this section.”

Using the data in any way other than how you collected the data violates the statute.

Selling consumer data requires additional disclaimers and requirements.

Exceptions to the law

An exception to the law is where the data being kept is required to complete a financial transaction or protect against fraud. You’ll need to include this information in any policy. Check with your credit card processing company to determine what information is needed by them to support credit card processing. Then include that information and any shipping information in the list of information to be kept because of the financial transaction.

Again, passing this liability to your consumer credit card processing company might be a good way to manage the risk.

Safe Harbor

There are safe harbors.

The law does not apply to any company that is doing less than $25 million in sales each year. However, this number is a total number for all subsidiaries and parent companies. You may not be selling $25 million in the US, but your parent company based in Italy combined with yours might throw you out of the safe harbor.

Businesses that have no Safe Harbor.

(1) Any business that buys, sells or shares the personal information of 50,000 or more consumers per year. Buying a mailing list with 50,001 names if you are only doing $1 million in business will throw you out of the safe harbor.

(2) Any business that derives 50 percent or more of its annual revenue from selling consumers’ personal information.

The law is enforced by the CA attorney general, and enforcement does not start until 7/1/2020. However, it can be backwards looking, going back to 1/1/2020. You will have some breathing room to make decisions and to test how things work and respond with this grace period; however, you need to be diligent and get working on these issues.

Right now, it is expected that the California Attorney General does not have the resources to tackle more than 3 or 4 of these cases at a time. If you like playing the lottery, you can rely on this; however, I’m sure the California legislators who passed the law will insist on greater enforcement. Consequently, if you want to gamble, go to Vegas.


Besides the statutory fines that can be imposed by the California Attorney General, the law also allows consumers who have been affected to sue.

The CCPA provides that a winning plaintiff seeking statutory damages can recover a minimum of $100 and a maximum of $750 per violation.

The law also removed the requirement that a consumer prove actual damages, which was required to prove damages in a breach of security before the enactment of the CCPA. The only thing the California consumer must prove is that their data was accessed in a breach.

Immediate Priorities

There are specific priorities you should put into place immediately.

  1. Place the footer at the bottom of your webpages that states the consumer can opt out of the collection of information. For the time being, I suggest the footer be linked to an email or form where the consumer provides the necessary information for you to identify the consumer and not collect any information.
    1. You might even create an automatic response to confirm the consumer has opted out.
  2. If your company is smaller than $25 million in sales, prepare a response to all inquiries about your CCPA data collection practices that can be emailed in reply to any inquiry. You do not have to prove the point, just state that you are not subject to the CCPA because you do not meet the minimum sales.
  3. Start identifying the information you collect and modify your terms of service to indicate that. This is required by several states and the EU now, so you need to comply as much as possible.


You may want to look into purchasing breach insurance or, alternatively, insurance to cover violations of this law until you get things under control and understand how the law is going to be interpreted and applied. If that is an option, you can purchase it anytime in the next six months and be covered, or when you think you are going to hit $25 M in sales.

Other States

Ohio passed the Ohio Data Protection Act in 2018, and New York passed the NY CRR Section 500.03 in 2017. Other states are looking at similar laws. If you want to be kept apprised of the changes in these laws, let me know.

If you have any questions, please contact me.


Copyright 2020 Recreation Law (720) 334 8529


Author: Outdoor Recreation Insurance, Risk Management and Law


By Recreation Law    James H. Moss
