What does CCPA mean for my business?
What is CCPA?
The California Consumer Privacy Act (CCPA) is a California law focused on data protection and privacy for all citizens and residents of California. CCPA regulates how businesses - including GoDaddy - can use personal data about residents of California. CCPA went into effect on January 1st, 2020. For a more detailed description of what CCPA is and GoDaddy's approach to globally consistent privacy, please review Our Privacy Center information.
GoDaddy is not a law firm
We hope this document will provide you with an overview of what CCPA is and what it might mean to you, but GoDaddy is not in the business of providing legal advice and this is not a comprehensive guide to CCPA. Every business situation is different and CCPA as a law is very complex. For specific questions around your business operations and how they might be impacted by CCPA (and other applicable privacy laws), we highly recommend consulting a lawyer.
We are not experts on your business
As much as we would love to be able to give you explicit advice on how you should be handling your compliance with CCPA, it is, for all intents and purposes, impossible. Each business is run differently, with different policies, protocols, employees, locations, etc. So, we want to provide an overview of GoDaddy's take on CCPA, but there are several nuances in the law, which we've highlighted for you in this document, where you'll need to make your own assessments depending on your particular situation.
What makes CCPA different?
CCPA is not all that different from other privacy laws around the world. The thing that makes CCPA important is that it reaches beyond California to any business anywhere in the world that handles personal data about California residents, and it also carries significant penalties (up to $7,500 per violation) for non-compliance. If notified, companies have 30 days to comply with the law. Additionally, if requested, a company has 45 days to disclose what type of information it stores and if that information is sold. If that information is sold, the company is required to disclose who that information was sold to in the last 12 months.
Is my business impacted?
The CCPA applies to your business if you do business in California and if at least one of the following is true:
- Your company has annual gross revenue of $25 million or more;
- Your company buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes; or
- Your company derives 50% or more of its annual revenue from selling the personal information of consumers.
Are my GoDaddy product(s) and service(s) CCPA compliant?
No products or services are alone 'CCPA compliant'. However, when properly configured for your particular business needs, and used in combination with other measures, policies and processes you implement as necessary to your specific business (some of which are described below), they can be used in a CCPA-compliant manner. No one knows your business better than you. Though GoDaddy hopes to offer the tools and resources to help your business attain CCPA compliance, and we are here for you, we are not suited to ensure your compliance with any laws applicable to your business.
What does it mean to be CCPA compliant?
CCPA focuses on the protection of personal data. It's about making sure your customers' personal data is protected and used properly. The requirements of the law include the following:
- Update your privacy policy with information on how, why, and what personal information you collect and process.
- Update your privacy policy with information on how your users can request access, change, or erasure of their personal data that you've collected.
- Introduce a method for verifying the identity of the person making such requests.
- Introduce a "Do not sell my personal information" link on your home page. This allows your users to prohibit the sale of their personal information from your side.
What does that mean for me?
In our relationship, there are times when we are a Data Controller (when we collect data from you for the purpose of selling you our products and services - such as your name, address, email, telephone and credit card information), and times when we are a Data Processor and you are the Data Controller (such as when you use our hosted services for your own business purposes and information happens to be passed on to our servers so that we can provide, manage and maintain the services for you). More on all this below.
So where does this leave us?
As mentioned previously, for the vast majority of the time, GoDaddy is your Data Processor. We will process data strictly as required to provide the services you have purchased from us on your behalf, or as otherwise instructed. Using our services in a manner that collects data so you can sell your wares, or to collect appointment information or sales leads? No problem. We will make sure the data is processed in a safe and secure way on your behalf.
As the Data Controller, you control how the data is used and stored, and we will only process it per the terms of our data processing addendum in providing and maintaining the services on your behalf. This means you need to pay close attention to your internal policies and employee access to records, including how you share data with 3rd parties and how easily someone could access a consumer's information.
As you can see from the key points above, CCPA (and other privacy laws) are all about ensuring that the data we collect and use to make our businesses successful is properly secure and protected.