Change is coming for companies that do business online with customers in California. The California Consumer Privacy Act goes into effect on January 1, 2020.
This law, designed to protect the rights of consumers online, is the first and most extensive law of it’s kind in the United States, expanding on previous regulations like the CAN-SPAM act targetting spam emails. Plus, this one has nationwide implications. The law is designed to protect California residents in-state and traveling outside of the state. It also includes customers of goods and services, as well as employees and business-to-business transactions.
If that sounds like it applies to just about everyone in the state, then you’ve got the right idea. In a nutshell, this impacts all data collected on all consumers that directly or indirectly identifies or describes data linked to a particular consumer or household.
Long story short? This is a very, very big deal.
How To Prepare For The CCPA And Who It Applies To
First, A Disclaimer That You Definitely Need To Read
This isn’t legal advice or an exhaustive summary of the California Consumer Privacy Act (CCPA). You may not rely on this post as legal advice. The California legislature may amend the law following the publication of this blog. If you are looking for advice on complying with the act, you should contact a lawyer.
Why The CCPA Is Important
The California Consumer Privacy Act provides consumers with rights designed to protect their privacy.
The rights listed in the CCPA include rights to:
- Know what personal data is being collected about them
- Know whether their data is sold or disclosed and to whom
- Say no to the sale of personal data
- Access that data
- Request a business to delete personal info
- Not be discriminated against for exercising these rights
If this sounds a lot like the European Union’s GDPR law a few years back, that’s because it involves many of the same rights. GDPR changed the way many businesses managed consumer data, and the CCPA makes these changes even more urgent for American and particularly Californian businesses.
If that didn’t already have your interest, fines for violating CCPA cap at $2,500 per violation or $7,500 for intentional violations.
Which Businesses This Impacts
To be impacted by this law, your company has to meet any one of the following criteria:
- Annual gross revenue over $25 million
- Possesses the personal information of 50,000 or more consumers, householders, or devices annually
- Earns more than half of its annual revenue from selling consumers’ personal information
This also impacts any business that controls or is controlled by an entity that meets one of the above criteria and shares common branding with that entity.
The above that this law may not have as direct of an impact on smaller businesses. That said, even if your business doesn’t meet these requirements now, CCPA compliance is definitely something to keep in mind as you grow.
What Data This Impacts
We’ve thrown the term “personal data” around a lot in this post. What, exactly, does personal data entail? Glad you asked. The CCPA’s definition of personal data covers:
- Biometrics
- Internet browsing information
- Products purchased or considered for purchase
- Geolocation data
- Academic and employment info
- Inferences drawn to create a profile about the individual to reflect preferences
What To Do Next
So, if you’re a business impacted by the CCPA, or a smaller business who wants to get ahead of the curve, what’s the next step?
First: talk to a compliance lawyer. Seriously. We put our hearts and souls into this blog post, but it’s not legal advice.
That said, we do have a few tips for you to start thinking about to help you prepare for CCPA.
#1: Brush Up On Your Data Management Skills
You’re going to want to inventory your data so you know what personal data you’re collecting about your customers.
Automating and optimizing your data workflows wherever possible will help you a lot in this process. If you’ve got data stored in four different tracking and management tools and they all need to be updated manually, handling a CCPA-related customer request is going to be a pain.
#2: Notify Your Customers
If CCPA applies to your business, you should notify your customers. There are a couple of ways to do this:
- By updating your privacy policy
- By sending out a CCPA-specific notice
- At the time the personal data is collected
#3: Have A Process To Respond To Requests
People can request anything up to a 12-month period preceding the request, so definitely make sure your data is dated.
You also need to have a couple of methods for people to make these requests, including a toll-free telephone number, and a website address.
Finally, remember that requests HAVE TO be responded to within 45 days.
#4: Be Careful Not To Overreport
Finally, you don’t have to worry about managing data you never had in the first place. Take a hard look at your processes and make sure you’re not overreporting.
If you don’t need to know your customers’ favorite type of pie, maybe don’t ask for it.
There’s a lot of information to unpack there. Changes like this one can be intimidating to deal with, but it’s important for your business’s future to put some thought into how you approach customer privacy and managing their data. If you’re still stuck on how to implement CCPA requirements or are looking to update your website for CCPA, give us a call.