Authors doing significant business online should start work now to ensure compliance with CCPA
The California Consumer Privacy Act (CCPA) goes into effect at the first of the year and is meant to protect California residents. While you may think this law isn’t targeted at you (and it probably isn’t), it could still affect you.
CCPA mainly relates to targeted advertising and the sale of personal data. If you track names and email addresses of readers or customers in California, then your business must abide by CCPA if one of the following criteria describes it:
- It generates gross revenues exceeding $25 million.
- It derives 50 percent or more of its revenue from selling customer data.
- It buys, receives, sells, or shares the personal information of more than 50,000 consumers annually for commercial purposes.
This last bullet point has the potential to affect the most authors, and the law is so far unclear on whether this 50,000 threshold applies solely to California residents or to all activity. Therefore, if your email marketing list is very large indeed—or if your website generates at least 50,000 unique visits per year (and you track those visits)—then you should follow CCPA requirements for processing personally identifiable information. Consumers are also granted additional rights under this law—including data access requests—that you must be prepared to deal with. You can read a decent summary here.
There are two unique requirements that will likely require your attention, assuming you’re beyond that 50,000 threshold. First, you must provide two or more methods for customers to submit requests for access to the data you store about them, and one method must be a toll-free number. Second, you must add an easily accessible, clear and conspicuous “Do Not Sell My Personal Information” link on your website’s homepage and within your privacy policy. One service that can help facilitate the latter is Iubenda, starting at $27/year per site; Termly is another. Or, if you’re already using a tool or service to help you with GDPR compliance (the EU privacy law that’s quite similar to CCPA), check if that service is offering help with CCPA as well. (If you don’t know about GDPR, here’s our primer.)
CCPA is still being finalized, and some businesses may end up blocking California users, just as some US businesses began blocking EU users instead of complying with GDPR. However, this obviously isn’t a tenable long-term solution, given the significant population of the state (about 40 million).
Bottom line: GDPR and CCPA are just the beginning of a new era of privacy laws. If you’re a professional author doing significant business online, and you haven’t taken steps to comply, start now. It’s a necessity if you participate in any kind of email marketing, use website analytics, take advantage of Facebook tracking tools, accept advertising at your site, or sell/trade email newsletter data with other authors.

Jane Friedman has spent her entire career working in the publishing industry, with a focus on business reporting and author education. Established in 2015, her newsletter The Bottom Line provides nuanced market intelligence to thousands of authors and industry professionals; in 2023, she was named Publishing Commentator of the Year by Digital Book World.
Jane’s expertise regularly features in major media outlets such as The New York Times, The Atlantic, NPR, The Today Show, Wired, The Guardian, Fox News, and BBC. Her book, The Business of Being a Writer, Second Edition (The University of Chicago Press), is used as a classroom text by many writing and publishing degree programs. She reaches thousands through speaking engagements and workshops at diverse venues worldwide, including NYU’s Advanced Publishing Institute, Frankfurt Book Fair, and numerous MFA programs.



