This article kicks off The Rules, a new monthly series covering important regulations in a clear manner.

Your firm’s website does many things: showcase your best work, attract prospective clients and consultants, connect colleagues, and recruit talent. But is it also collecting information about your visitors? And how is that data being stored or used?

Concerns about user privacy are nothing new, but as of this past January, architecture firms must determine if their website, data collection practices, and online exchanges with clients, consultants, and employees need to comply with the California Consumer Privacy Act.

The CCPA was enacted to let state residents know what personal data is being collected about them, whether that data is sold or shared, and how to request its deletion, among other rights. Personal data, as defined by the CCPA, includes visitor name, machine IP address, email address, and even biometric information and geolocation data collected from IoT devices, such as smart thermostats and appliances.

“Gone are the days of collection and use under a simple privacy policy,” says Tom Kulik, a Dallas-based partner at the law firm Scheef & Stone. “Architecture firms will need to specify categories of personal information they are collecting along with how it is being used and shared. The hardest step for [them] will be implementing such data governance practices as they have not needed to do so in detail until now.”

Architecture firms must comply with the CCPA if they are for-profit companies and meet any of the following threshold requirements: they provide services to, or collect personal information from, California residents (for example, by asking visitors to sign up for updates, query human resources, or complete a Contact Us form); they collect the personal information of at least 50,000 users, households, or devices; or they have gross annual revenues exceeding $25 million. (The CCPA also applies to businesses that derive more than half of their revenue from selling user data.)


Qualifying firms must, at minimum, adopt and publish a clear privacy and data collection policy that states what personal data is collected and how it is used, sold, or shared. Their sites must also display a prominent opt-out button. Legal counsel will be necessary to adopt changes to websites and contact forms.

The penalties for noncompliance are significant. California residents whose non-encrypted or non-redacted information is stolen, hacked, or otherwise disclosed may sue to recover damages of no less than $100 and up to $750 per instance of noncompliance that is not addressed within 30 days. “Consumers may file class action suits for privacy losses under the CCPA without requiring them to show any evidentiary loss of property or money,” Kulik says.

The CCPA, Kulik believes, emerged in response to the European Union’s General Data Protection Regulation (GDPR), which already required many international firms to update their policies and websites. St. Louis, Mo.–based HOK assistant general counsel Donovan Olliff, AIA, says the CCPA requires additional action by firms due to its distinctions from the GDPR. While they share objectives relating to an individual’s rights over their personal data, their basis of consent differs: CCPA requires users to opt out, whereas the GDPR requires users to opt in.

The broad language in the CCPA nearly guarantees future revisions, and firms will need to keep up. Given the absence of federal legislation, other states will likely take similar protection measures for their residents. Kulik recommends that all firms, regardless of whether they meet the qualifying criteria, review the act in order to “adopt good data governance practices to ensure they aren’t caught off guard by changes to the CCPA or other forthcoming state laws” that may require their compliance. “It’s not just sound data practice,” he adds. “It’s sound business judgment.”