Like many marketers, you may still be recovering from GDPR. Perhaps you are still implementing new rules, regulations, and procedures to ensure your compliance. If you’re among a select few, you’re finally feeling comfortable with your privacy governance. No matter where you sit in the spectrum of adjustment, it’s time to start thinking about the next wave of regulation, CCPA.

CCPA stands for the California Consumer Privacy Act. This new regulation was voted into law in 2018 and goes into effect on January 1, 2020. At its core, CCPA gives California consumers greater ownership, control, and security over their personal information. Similar to GDPR, CCPA gives California consumers a number of rights and protections that businesses need to accommodate.

Key components of CCPA

The Right to Know and Access Information Collected

CCPA gives California consumers the ability to request all of the information collected on them from a business at any time. The law states that consumers have a right to any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Not only are they able to request the information that is collected, but also how it is collected and used, and whether it is being disclosed or sold. A company’s privacy policy must list an easy manner in which these requests may be made, and any verifiable request must receive a response.

Right to Say No to the Sale of Information

In addition to knowing what personal information is collected about them, California consumers have the right to know whether their personal information is sold or shared and to whom. This new regulation requires that companies provide an easy way for California consumers to opt-out of their information being sold. For consumers under the age of 16, an affirmed opt-in is required. Implied consent or pre-checked boxes are not considered affirmed. For consumers under the age of 13, parental consent is required.

Right to Equal Service and Price

The legislation is very specific in stating that no business can alter service or price based on a consumer’s request for information or refusal to provide personal information or consent to share. This means that a business can’t add a surcharge or make anything conditional on the consumer’s actions regarding their rights.

Right to Disclosure

According to CCPA, companies must proactively explain privacy notices regarding information collected, consumers’ rights, categories of information collected and how it is used, and the types of information sold to third parties. These disclosures need to be kept updated annually. In addition, California consumers have the right to know what information will be collected about them prior to the actual collection of data or at the point of collection. This means that a lot of opt-in forms will likely need to be updated.

Companies Impacted and Penalties

Any company with annual gross revenue of at least $25 million is impacted by CCPA. This legislation also applies to businesses whose sale of California consumers’ personal information accounts for at least 50% of their revenue. In addition, data brokers and businesses that buy, receive, sell, or share personal information of 50k or more California consumers, households, or devices are liable. CCPA also applies to any companies that “control or is controlled by” one of these businesses.

If businesses do not abide by the regulations, consumers are given the right to file suit. Citizens have the right to take civil action against a business for a minimum of $100 and a maximum of $750 per infraction per person, even if no actual damages can be shown. In addition, the court can award damages beyond this if it chooses. The state can also take action and levy a $7,500 fine for each intentional violation and $2,500 for each unintentional violation that isn’t addressed in 30 days.

Impact on Marketers

As with any compliance or regulatory measure, you should always consult your privacy team and legal counsel before taking any action or crafting a plan. Here are some key recommendations to keep in mind as you begin preparing for CCPA.

  • Consult with your legal team. Understand your corporate governance policy for all regulatory measures, including CASL, CAN-SPAM, GDPR, and CCPA. Nobody, myself included, can provide the same advice as your legal counsel. Work with your legal team to understand the specific requirements around CCPA and how your company is planning to address them.
  • Consider and evaluate your purchase of 3rd party data. Given that this legislation allows consumers to request the data collected and used, your purchase of data can be brought to light very quickly.
  • Review the information you collect on your forms. Not only may you need to rethink the personal information collected, but you may also want to consider a new form strategy or progressive profiling to collect information you were previously purchasing.
  • Assess your ability to secure, share, and delete a consumer’s information should it be requested. Work with your marketing and IT teams to understand policy requirements and create procedures to follow in these cases.
  • Reconsider your practices of selling data, if you do. Keep in mind that all sales of personal information are required to be kept on record for at least 12 months. You must also provide a clear link on your site that gives consumers the ability to select “Do Not Sell My Personal Information” so people can opt-out. If you sell personal information about children under the age of 16, there are more requirements that you must consider.
  • Audit your current compliance and opt-in and opt-out procedures. It is important to secure direction from your legal team when devising your strategy and implementation for an opt-in/opt-out procedure. According to CCPA regulations, you are required to give California consumers the ability to opt out of data collection and sales through a clear link on your site, with greater restrictions for minors. Specifics should be determined by your privacy team.
  • Review your privacy policies. Remember that CCPA requires you to proactively communicate consumers’ rights along with your practice of collecting, sharing, and selling personal information before the information is collected, shared, and/or sold.

CCPA is the latest regulatory measure impacting marketers, and we need to prepare ahead to ensure we are ready for its implications. Although CCPA does not go into effect until January 1, 2020, these types of process changes take time. The majority of companies affected by GDPR were not ready when it kicked in last May, and that should be a lesson not to underestimate the time necessary to implement these changes. It’s important to begin auditing your situation today so that you are ready for changes tomorrow. Need help? We are always here to help.

Special thanks to Zack Aab of Inbox Pros for his collaboration efforts with this blog post!