Even if you’re not a California resident you may have heard of the California Consumer Privacy Act (CCPA). And if you haven’t heard about it, you surely have been annoyed by it’s most noticeable result — a wave of “Please accept our policy” messages obstructing your view of every website you’re trying to enjoy.
And while the CCPA does not directly impact most builders outside of California, it will impact some. Five other states have similar bills in some stage of consideration — Hawaii, Maryland, Massachusetts, New York, and North Dakota. These rules are coming to your state soon.
I’m not a lawyer, but feel like I’ve spent enough time researching CCPA that I might be ready to take the bar exam. Just kidding actually, but I’ve researched, re-researched, and then researched some more. I even consulted our own lawyers to affirm some of my conclusions. Those same lawyers would also scold me for not telling you that you shouldn’t consider this blog post legal advice. Practically speaking, I’m going to avoid legalese to explain the major impacts of CCPA for home builders. At the very least, the information should help you reduce your billable hours when you do consult your attorney.
tl;dwr (too long; don’t wanna read)
The CCPA requires that California home builders with $25M+ of annual revenue allow a consumer to opt-out of the sale of their personal information and activity to another company. This includes common data collected on most websites. As a builder, you can still collect everything for your own purposes, but you have to delete it, or be ready to share everything you’ve collected, upon the consumer’s request. Penalties for not complying can be up to $7500 per event, plus the consumer’s damages.
If you prefer to watch your data, Molly and I recorded this Facebook Live discussing many of the topics in this post.
The CCPA is complicated, despite the law having a relatively low word count. Yes, I actually read the law. Privacy is complicated and I read so many other conflicting opinions that I felt I had no choice. Lots of coffee later, I made it through with a much clearer picture. I hope you find this information helpful, too.
There are no CCPA rules specific to home builders, but I will often use the noun “builder” in my answers because I’m speaking to you. In most cases, the discussion could be applied to any business operating in California.
- What is the key purpose of the CCPA?
- When does the CCPA go into effect?
- Are all California home builders required to comply with the CCPA?
- Are non-California required to comply with the CCPA?
- What are the penalties for builders violating the CCPA?
- Does CCPA forbid my use of Google Analytics?
- Does CCPA forbid my use of the Facebook Pixel?
- Is CCPA “opt-out” or “opt-in”?
- What about my CRM tracking script? Live chat, screen recording, heat mapping, and other services?
- What common home builder practices that may need to change?
- What else?
- Where can I find more information on the CCPA?
What is the key purpose of the CCPA?
The key purpose is to allow consumers to forbid the sale of their information to third-parties without their knowledge. It also provides consumers with the right to request a copy of all information a builder has collected on them, and the right to request you delete all that information.
You are also responsible for securing any data you have collected. The penalties outlined in the CCPA can be levied even for unintentionally sharing consumer data; i.e. through a “hack” of your system.
When does the CCPA go into effect?
The California Attorney General has stated that enforcement will begin in July 1, 2020. The law went into effect on January 1, 2020, but with a number of questions unanswered, enforcement was delayed until the Attorney General could provide additional guidance.
Are all California home builders required to comply with the CCPA?
Any builder of homes in California with annual revenues of $25,000,000 or more is required to comply.
The law does not seem to differentiate between inside or outside California activity. If your total California revenue only totals $1M, but you have $24M in Nevada sales, the CCPA seems to apply to you. Notably, it only applies to consumers who are California residents.
Are non-California builders required to comply with the CCPA?
The statute explicitly includes the requirement that a business “does business in the State of California” (See Section (c)(1)). You are not an e-commerce business. If you’re not building homes in California, I don’t see how anyone could claim you “do business” in California.
What are the penalties for builders violating the CCPA?
The CCPA defines penalties imposed by the state and damages payable to the damaged consumer. You will have thirty days to correct a violation.
If you don’t fix the violation within the thirty day period, the state can issue civil fines:
- Up to $2,500 for each violation
- Up to $7,500 for each intentional violation
In addition, consumers are eligible to seek damages:
- $100-750 per incident
- Or “actual damages,” whichever is greater
Is the CCPA opt-in or opt-out?
I am thankful to say that CCPA is opt-out. This means that you are required to make consumers aware of your policy (hence all the annoying pop-ups), but you can continue to do anything you want with their data, including sell it, until they tell you to stop.
Does CCPA forbid my use of Google Analytics?
No. You can continue to use Google Analytics as normal. While Google Analytics collects lots of data, the data cannot reasonably be used by itself to personally identify someone.
In fact, Google forbids Personally Identifiable Information (PII) from being saved in Google Analytics, and they will delete any account found doing so.
Does CCPA forbid my use of the Facebook Pixel?
Maybe. The correct answer is really “no,” but I needed you to keep reading.
You can continue using the Facebook Pixel as you always have… Unless and until a consumer has notified you that they do not authorize the sale of their information. When this happens, your Facebook Pixel can still be used, but the implementation must be changed to comply with the rules of the CCPA.
You don’t “sell” information to Facebook, right? As builders, we actually give it away to Facebook and then they charge us to buy it back 😁. In a nutshell, “sell” is interpreted as the transfer of value; not necessarily dollars and cents. Facebook, unlike Google Analytics, knows who your visitors are. If a consumer has told you, the builder, that you cannot sell their data, then you cannot share the value of their activity with Facebook.
If you’re subject to the CCPA, you must implement Facebook’s limited data use policies for consumers who have opted out.
What about my CRM tracking script? What about Live chat, chat bot, screen recording, heat mapping, and other services?
The bad news is that you’re going to have to examine the privacy policies and service terms for each one of these scripts you have on your website.
The purpose of these scripts is to collect user activity, but this is not necessarily restricted by the CCPA. These services may be storing huge amounts of data, but the data likely belongs to you. You have not sold it. You are simply paying a vendor to collect and organize it for you. This is unrestricted under CCPA.
As the builder a consumer has chosen to interact with, you are allowed to collect the data necessary to operate your business. The proverbial “line in the sand” is the sale of the data you collect.
Ask these two questions for each of your third-party scripts.
- Do you own the data the third-party collects and/or stores on your behalf?
- Is the third-party authorized to sell, share, or use your data for anything other than your benefit?
Correct Answer Key:
- Yes. All the data is yours.
- No. No one else is allowed to sell your data.
If either of your answers are different from the key, I’d recommend evaluating the service provider to decide if there’s enough value to balance this risk.
If these services claim ownership of the data they’ve collected, or you’ve unknowingly authorized them to sell the data when you clicked past some small clause buried in their terms of service, this should raise a flag for you. This is selling data, and continuing to let this script operate after a consumer has opted-out is a violation of CCPA.
If you choose to keep a script like this on your website, you’ll need to provide a dynamic method to ensure this script is blocked for all consumers who have opted out.
What other common home builder practices may need to change?
I will add to this list as new scenarios come to mind or as new questions are asked.
Some builders sell buyer information to other companies such as phone/cable providers, moving companies, alarm monitoring, etc. You can still do this, but you must get the consumer to acknowledge that you are doing it. And if they say no, you can’t do it anymore.
What else do I need to know?
Yeah, sorry. There is more. Below is a non-exhaustive list of additional CCPA requirements to consider.
- The law requires you provide at least two methods to receive consumer requests – opt-outs, requests to know, and requests to delete. One of those methods must be a toll-free telephone number. I swear, the law requires a toll-free telephone number. Article 3.§ 999.312.(a)(b)(c) on page 12.
- The law requires you confirm receipt of consumer requests within 10 days and respond within 45 days. It’s hard to predict how many requests you might receive, but it’s best to consider getting a procedure in place.
Where can I find more information on the CCPA?
If you really want to keep reading, send me a message and I’ll buy you a cup of coffee.